Check Point Security Gateway Improper Authentication (CVE-2026-50751)
Detects exploitation of CVE-2026-50751, an improper authentication vulnerability (CWE-287) in Check Point Security Gateway affecting the deprecated IKEv1 VPN protocol. This vulnerability is actively exploited in the wild (CISA KEV) and may allow unauthenticated attackers to bypass authentication controls on the VPN gateway. Detection focuses on anomalous IKEv1 negotiation patterns, authentication bypass indicators, and suspicious gateway access following failed or malformed IKE exchanges.
Vulnerability Intelligence
KEV: Known Exploited
Affected Software
- Vendor
- Check Point
- Product
- Security Gateway
Weakness (CWE)
- CWE-287 (Improper Authentication)
Timeline
- Disclosed
- June 8, 2026
What is Check Point Security Gateway Improper Authentication (CVE-2026-50751)?
CVE-2026-50751 maps to the Initial Access and Credential Access tactics in MITRE ATT&CK (the adversary is trying to get into your network).
This page provides production-ready detection logic for Check Point Security Gateway Improper Authentication (CVE-2026-50751), covering the data sources and telemetry it touches: Check Point Firewall Logs, CommonSecurityLog, Syslog. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Initial Access, Credential Access
let timeWindow = 1h;
let suspiciousIKE = CommonSecurityLog
| where TimeGenerated > ago(timeWindow)
| where DeviceVendor == "Check Point"
| where Activity has_any ("IKE", "VPN", "IPSec")
| where Message has_any ("IKEv1", "ikev1", "phase1", "aggressive mode")
| where Message has_any ("auth", "authentication", "identity", "failed", "bypass", "invalid")
| project TimeGenerated, DeviceAction, SourceIP, DestinationIP, Message, Activity, DeviceName;
let authAnomalies = CommonSecurityLog
| where TimeGenerated > ago(timeWindow)
| where DeviceVendor == "Check Point"
| where Activity has "VPN"
| where DeviceAction in ("Accept", "Allow")
| where Message has_any ("unauthenticated", "no credentials", "pre-shared", "certificate")
| project TimeGenerated, SourceIP, DestinationIP, DeviceAction, Message, DeviceName;
union suspiciousIKE, authAnomalies
| summarize EventCount=count(), Messages=make_set(Message, 10), Actions=make_set(DeviceAction) by SourceIP, DeviceName, bin(TimeGenerated, 5m)
| where EventCount > 2
| extend RiskScore = case(EventCount > 20, "High", EventCount > 5, "Medium", "Low")
| order by EventCount desc

Detects anomalous IKEv1 authentication patterns on Check Point Security Gateways that may indicate exploitation of CVE-2026-50751. Correlates IKEv1 negotiation events with authentication anomalies from the same source.
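As an added illustration (not part of the original detection package), the correlation logic of the KQL query above re-implemented in Python over constructed CommonSecurityLog-shaped records: both branches are unioned, grouped per SourceIP, DeviceName and 5-minute bin, thresholded at more than two events, and scored with the same case() cut-offs. Field names follow the query; the sample rows and the substring matching are assumptions (KQL has_any is term-based).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows shaped like CommonSecurityLog records (not real Check Point telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-06-09T10:00:05", "DeviceVendor": "Check Point", "DeviceName": "gw-1", "Activity": "IKE",
     "DeviceAction": "Drop", "SourceIP": "203.0.113.10", "Message": "IKEv1 phase1 authentication failed for peer"},
    {"TimeGenerated": "2026-06-09T10:01:10", "DeviceVendor": "Check Point", "DeviceName": "gw-1", "Activity": "IKE",
     "DeviceAction": "Drop", "SourceIP": "203.0.113.10", "Message": "IKEv1 aggressive mode: invalid identity payload"},
    {"TimeGenerated": "2026-06-09T10:02:30", "DeviceVendor": "Check Point", "DeviceName": "gw-1", "Activity": "IKE",
     "DeviceAction": "Drop", "SourceIP": "203.0.113.10", "Message": "IKEv1 phase1 authentication failed for peer"},
    {"TimeGenerated": "2026-06-09T10:03:45", "DeviceVendor": "Check Point", "DeviceName": "gw-1", "Activity": "VPN",
     "DeviceAction": "Accept", "SourceIP": "203.0.113.10", "Message": "VPN tunnel established with pre-shared key"},
    {"TimeGenerated": "2026-06-09T10:06:00", "DeviceVendor": "Check Point", "DeviceName": "gw-1", "Activity": "IKE",
     "DeviceAction": "Drop", "SourceIP": "203.0.113.10", "Message": "IKEv1 phase1 authentication failed for peer"},
    {"TimeGenerated": "2026-06-09T10:01:00", "DeviceVendor": "Check Point", "DeviceName": "gw-1", "Activity": "VPN",
     "DeviceAction": "Accept", "SourceIP": "198.51.100.7", "Message": "IKEv2 tunnel established with certificate"},
]
IKE_ACTIVITY = ("ike", "vpn", "ipsec")
IKE_TERMS = ("ikev1", "phase1", "aggressive mode")
AUTH_TERMS = ("auth", "authentication", "identity", "failed", "bypass", "invalid")
ANOMALY_TERMS = ("unauthenticated", "no credentials", "pre-shared", "certificate")

def has_any(text, terms):  # case-insensitive substring match; approximates KQL has_any (which is term-based)
    return any(term in text.lower() for term in terms)

def is_suspicious_ike(e):  # the suspiciousIKE branch of the KQL query
    return has_any(e["Activity"], IKE_ACTIVITY) and has_any(e["Message"], IKE_TERMS) and has_any(e["Message"], AUTH_TERMS)

def is_auth_anomaly(e):  # the authAnomalies branch: accepted VPN events whose message mentions weak or missing auth
    return "vpn" in e["Activity"].lower() and e["DeviceAction"] in ("Accept", "Allow") and has_any(e["Message"], ANOMALY_TERMS)

def risk_score(n):  # mirrors the KQL case() expression
    return "High" if n > 20 else "Medium" if n > 5 else "Low"

def correlate(events, bucket=timedelta(minutes=5), min_count=2):
    # Union both branches, group by SourceIP, DeviceName and 5-minute bin, keep groups with EventCount > min_count.
    buckets = defaultdict(list)
    for e in events:
        if e["DeviceVendor"] != "Check Point" or not (is_suspicious_ike(e) or is_auth_anomaly(e)):
            continue
        ts = datetime.fromisoformat(e["TimeGenerated"])
        bin_start = ts - (ts - datetime.min) % bucket  # same effect as KQL bin(TimeGenerated, 5m)
        buckets[(e["SourceIP"], e["DeviceName"], bin_start)].append(e)
    hits = [{"SourceIP": src, "DeviceName": dev, "Bin": start.isoformat(), "EventCount": len(evs),
             "Messages": sorted({x["Message"] for x in evs})[:10],
             "Actions": sorted({x["DeviceAction"] for x in evs}), "RiskScore": risk_score(len(evs))}
            for (src, dev, start), evs in buckets.items() if len(evs) > min_count]
    return sorted(hits, key=lambda h: -h["EventCount"])
```

Running correlate(SAMPLE_EVENTS) reports only 203.0.113.10 in the 10:00 bin (four events, three dropped IKEv1 negotiations followed by an accepted pre-shared-key tunnel); the lone IKEv2 certificate connection from 198.51.100.7 and the stray 10:06 failure fall below the threshold, which is the behaviour the false-positive notes below rely on.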
Data Sources
- Check Point Firewall Logs
- CommonSecurityLog
- Syslog
Required Tables
- CommonSecurityLog
False Positives
- Legitimate IKEv1 VPN clients connecting to the gateway before the hotfix disables the deprecated protocol
- Network scanning tools performing VPN fingerprinting during authorized penetration tests
- Legacy VPN clients that have not been updated and still negotiate IKEv1
Sigma rule & cross-platform mapping
The detection logic for Check Point Security Gateway Improper Authentication (CVE-2026-50751) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps) and LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:
logsource:
category: network_connection
  product: windows
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: IKEv1 Aggressive Mode Probe (Check Point Gateway)
  Expected signal: Check Point SmartLog IKE phase 1 event with protocol IKEv1, mode aggressive, from the test host IP. UDP/500 connection event in network logs.
- Test 2: Repeated IKEv1 Auth Failure Simulation
  Expected signal: 10 IKEv1 negotiation attempts with authentication failure events in SmartLog. Source IP flagged in Check Point IPS/firewall blade logs.
- Test 3: IKEv1 vs IKEv2 Protocol Downgrade Attempt
  Expected signal: StrongSwan IKEv1 initiation attempt visible in system logs; Check Point gateway logs showing an inbound IKEv1 proposal from the test host on UDP/500.