Detect Check Point Security Gateway Improper Authentication (CVE-2026-50751) in Google Chronicle
Detects exploitation of CVE-2026-50751, an improper authentication vulnerability (CWE-287) in Check Point Security Gateway affecting the deprecated IKEv1 VPN protocol. This vulnerability is actively exploited in the wild (CISA KEV) and may allow unauthenticated attackers to bypass authentication controls on the VPN gateway. Detection focuses on anomalous IKEv1 negotiation patterns, authentication bypass indicators, and suspicious gateway access following failed or malformed IKE exchanges.
MITRE ATT&CK
- Tactic: Initial Access, Credential Access
- Technique: T1190 (as set in the rule metadata below)
YARA-L Detection Query
rule checkpoint_cve_2026_50751_ikev1_auth_bypass {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2026-50751 exploitation: improper authentication via deprecated IKEv1 on Check Point Security Gateway"
    severity = "CRITICAL"
    confidence = "MEDIUM"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1190"
    cve = "CVE-2026-50751"

  events:
    // Scope to Check Point Security Gateway telemetry
    $e.metadata.vendor_name = "Check Point"
    $e.metadata.product_name = /Security Gateway/i

    // IKE (UDP/500) or NAT-T (UDP/4500) on either side of the flow
    (
      $e.principal.port = 500 or
      $e.principal.port = 4500 or
      $e.target.port = 500 or
      $e.target.port = 4500
    )

    // IKEv1 / aggressive mode activity, or authentication failure and bypass wording
    (
      $e.metadata.description = /IKEv1/i or
      $e.metadata.description = /aggressive mode/i or
      (
        $e.metadata.description = /auth/i and
        $e.metadata.description = /(fail|bypass|unauthenticated)/i
      )
    )

  match:
    $e.principal.ip over 5m

  outcome:
    $risk_score = max(
      if($e.metadata.description = /bypass/i, 90,
        if($e.metadata.description = /unauthenticated/i, 85, 70))
    )

  condition:
    #e > 2
}

Chronicle YARA-L rule detecting Check Point Security Gateway IKEv1 authentication anomalies associated with CVE-2026-50751, firing when more than 2 matching events occur from a single IP within 5 minutes.
False Positives & Tuning
- Legacy enterprise VPN clients connecting from branch offices on IKEv1
- Authorized third-party VPN peer gateways that have not migrated to IKEv2
- Security researchers running controlled IKEv1 compatibility tests
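The rule's window, threshold and risk scoring, together with the peer allowlist that the false-positive list above calls for, re-implemented in Python as an added example (this is not the page's or Chronicle's code). The events, IP addresses and log descriptions are constructed, the dictionary keys are simplified stand-ins for the UDM fields the rule reads, the `allowlist` parameter is this example's addition rather than part of the rule, and the sliding window only approximates Chronicle's match-window semantics:

```python
"""Offline re-implementation of the YARA-L detection logic above, so the
threshold, window and scoring can be exercised against sample events.
Added example, not the page's or Chronicle's code; all telemetry below is
constructed and the field names are simplified stand-ins for UDM fields."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # match: $e.principal.ip over 5m
THRESHOLD = 2                   # condition: #e > 2
VPN_PORTS = {500, 4500}         # IKE and NAT-T UDP ports named in the rule

# Regexes mirroring the case-insensitive predicates of the events section
PRODUCT_RE = re.compile(r"Security Gateway", re.I)
IKEV1_RE = re.compile(r"IKEv1", re.I)
AGGRESSIVE_RE = re.compile(r"aggressive mode", re.I)
AUTH_RE = re.compile(r"auth", re.I)
AUTH_BAD_RE = re.compile(r"(fail|bypass|unauthenticated)", re.I)


def matches_rule(ev):
    """True when one event satisfies every predicate of the events section."""
    if ev["vendor"] != "Check Point" or not PRODUCT_RE.search(ev["product"]):
        return False
    # principal.port / target.port = 500 or 4500
    if not ({ev.get("src_port"), ev.get("dst_port")} & VPN_PORTS):
        return False
    d = ev["desc"]
    return bool(IKEV1_RE.search(d) or AGGRESSIVE_RE.search(d)
                or (AUTH_RE.search(d) and AUTH_BAD_RE.search(d)))


def risk_score(desc):
    """Mirror the nested if() of the outcome section."""
    if re.search(r"bypass", desc, re.I):
        return 90
    if re.search(r"unauthenticated", desc, re.I):
        return 85
    return 70


def detect(events, allowlist=frozenset(), window=WINDOW, threshold=THRESHOLD):
    """Group matching events by source IP, apply the window and the count
    threshold, and return {ip: {"count": n, "risk_score": max}} for IPs that fire.
    `allowlist` (authorized IKEv1 peers, the tuning case in the text) is this
    example's addition. The sliding window approximates Chronicle's match window."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev["src_ip"] in allowlist or not matches_rule(ev):
            continue
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        per_ip[ev["src_ip"]].append((ts, risk_score(ev["desc"])))

    alerts = {}
    for ip, evs in per_ip.items():
        evs.sort()
        best = None
        for i, (start, _) in enumerate(evs):
            scores = [s for t, s in evs[i:] if t - start <= window]
            if len(scores) > threshold and (best is None or len(scores) > best["count"]):
                best = {"count": len(scores), "risk_score": max(scores)}
        if best:
            alerts[ip] = best
    return alerts


def _ev(ts, src_ip, desc, vendor="Check Point", product="Security Gateway", dst_port=500):
    """Build one constructed event record."""
    return {"ts": ts, "src_ip": src_ip, "desc": desc, "vendor": vendor,
            "product": product, "dst_port": dst_port}


# Constructed sample telemetry (RFC 5737 documentation addresses, invented text)
SAMPLE_EVENTS = [
    _ev("2026-01-10T10:00:05Z", "203.0.113.7", "IKEv1 aggressive mode proposal received"),
    _ev("2026-01-10T10:01:10Z", "203.0.113.7", "IKE authentication failed for peer"),
    _ev("2026-01-10T10:02:30Z", "203.0.113.7", "IKEv1 unauthenticated peer accepted", dst_port=4500),
    _ev("2026-01-10T10:30:00Z", "203.0.113.7", "IKEv1 main mode negotiation"),    # outside window
    _ev("2026-01-10T10:00:00Z", "198.51.100.22", "IKEv2 SA established"),           # not IKEv1
    _ev("2026-01-10T10:03:00Z", "198.51.100.22", "IKEv1 main mode negotiation"),    # single event
    _ev("2026-01-10T10:04:00Z", "203.0.113.7", "IKEv1 probe on HTTPS port", dst_port=443),   # wrong port
    _ev("2026-01-10T10:04:30Z", "203.0.113.7", "IKEv1 aggressive mode", vendor="Cisco"),      # wrong vendor
    # Authorized branch-office peer still on IKEv1: fires unless allowlisted
    _ev("2026-01-10T11:00:00Z", "192.0.2.10", "IKEv1 main mode negotiation"),
    _ev("2026-01-10T11:01:00Z", "192.0.2.10", "IKEv1 main mode negotiation"),
    _ev("2026-01-10T11:02:00Z", "192.0.2.10", "IKEv1 main mode negotiation"),
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
    print(detect(SAMPLE_EVENTS, allowlist={"192.0.2.10"}))
```

Without the allowlist both 203.0.113.7 and the legitimate peer 192.0.2.10 fire, which is exactly the branch-office false positive listed above; maintaining the allowlist of known IKEv1 peers (in the rule this would be an exclusion on `$e.principal.ip`) keeps the alert on the unknown source only, with the risk score driven by the "unauthenticated" wording in its events.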
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: IKEv1 Aggressive Mode Probe — Check Point Gateway
  Expected signal: Check Point SmartLog IKE phase 1 event with protocol IKEv1, mode aggressive, from the test host IP. UDP/500 connection event in network logs.
- Test 2: Repeated IKEv1 Auth Failure Simulation
  Expected signal: 10 IKEv1 negotiation attempts with authentication failure events in SmartLog. Source IP flagged in Check Point IPS/firewall blade logs.
- Test 3: IKEv1 vs IKEv2 Protocol Downgrade Attempt
  Expected signal: StrongSwan IKEv1 initiation attempt visible in system logs; Check Point gateway logs showing inbound IKEv1 proposal from test host on UDP/500.