Detect Check Point Security Gateway Improper Authentication (CVE-2026-50751) in Splunk
Detects exploitation of CVE-2026-50751, an improper authentication vulnerability (CWE-287) in Check Point Security Gateway affecting the deprecated IKEv1 VPN protocol. The vulnerability is actively exploited in the wild (listed in CISA KEV) and may allow unauthenticated attackers to bypass authentication controls on the VPN gateway. Detection focuses on anomalous IKEv1 negotiation patterns, authentication bypass indicators, and suspicious gateway access following failed or malformed IKE exchanges.
MITRE ATT&CK
- Tactic: Initial Access, Credential Access
SPL Detection Query
index=firewall (sourcetype=cp_log OR sourcetype=checkpoint_splunk)
| where vendor="Check Point" OR product="Security Gateway"
| where (message LIKE "%IKEv1%" OR message LIKE "%ikev1%" OR message LIKE "%aggressive mode%" OR action LIKE "%IKE%")
| eval auth_anomaly=if(match(message, "(?i)(auth.*fail|bypass|unauthenticated|no.credential|invalid.identity|pre-shared.key.mismatch)"), 1, 0)
| eval ikev1_indicator=if(match(message, "(?i)(ikev1|ike.version.1|phase.1.aggressive)"), 1, 0)
| where auth_anomaly=1 OR ikev1_indicator=1
| bin _time span=5m
| stats count AS event_count, values(message) AS messages, values(action) AS actions BY src_ip, host, _time
| where event_count > 2
| eval risk=case(event_count > 20, "HIGH", event_count > 5, "MEDIUM", true(), "LOW")
| eval cve="CVE-2026-50751"
| table _time, src_ip, host, event_count, risk, messages, cve
| sort - event_count
Splunk detection for Check Point Security Gateway IKEv1 authentication anomalies consistent with CVE-2026-50751 exploitation. Correlates IKEv1 protocol usage with authentication failure or bypass indicators, bucketed into 5-minute windows per source IP and gateway host.
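The same detection logic, re-implemented in Python so it can be exercised offline against sample events before the SPL is deployed. This is an added example, not code from the original page or from Check Point; the log line format, field names and the sample events are constructed for illustration, and the regexes, 5-minute bucketing, event_count threshold and risk thresholds mirror the SPL above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regexes copied from the two SPL eval lines; re.I mirrors the "(?i)" flag.
AUTH_ANOMALY = re.compile(
    r"auth.*fail|bypass|unauthenticated|no.credential|invalid.identity|pre-shared.key.mismatch", re.I)
IKEV1_INDICATOR = re.compile(r"ikev1|ike.version.1|phase.1.aggressive", re.I)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_line(line):
    """Parse one constructed line '<ISO 8601 time> key=value ...' into a dict (field names as in the SPL)."""
    ts, rest = line.split(" ", 1)
    ev = {"_time": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    ev.update((k, v.strip('"')) for k, v in KV.findall(rest))
    return ev

def risk_level(event_count):
    """Same thresholds as the SPL case() expression."""
    return "HIGH" if event_count > 20 else "MEDIUM" if event_count > 5 else "LOW"

def detect(lines, span_seconds=300, min_events=3):
    """One alert per (src_ip, host, 5-minute bucket) holding more than two qualifying events."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        msg, action = ev.get("message", ""), ev.get("action", "")
        # Pre-filter from the SPL: IKEv1 / aggressive-mode messages or IKE-related actions.
        in_scope = "ikev1" in msg.lower() or "aggressive mode" in msg.lower() or "ike" in action.lower()
        if not in_scope or not (AUTH_ANOMALY.search(msg) or IKEV1_INDICATOR.search(msg)):
            continue
        bucket = int(ev["_time"].timestamp()) // span_seconds * span_seconds  # bin _time span=5m
        buckets[(ev["src_ip"], ev["host"], bucket)].append(msg)
    alerts = []
    for (src_ip, host, bucket), msgs in buckets.items():
        if len(msgs) >= min_events:  # SPL: where event_count > 2
            alerts.append({"src_ip": src_ip, "host": host, "bucket": bucket, "event_count": len(msgs),
                           "risk": risk_level(len(msgs)), "messages": sorted(set(msgs)),
                           "cve": "CVE-2026-50751"})
    return sorted(alerts, key=lambda a: -a["event_count"])  # sort - event_count

# Constructed sample events (not real Check Point output); RFC 5737 documentation addresses.
SAMPLE_LOGS = [
    '2026-03-01T10:00:05Z src_ip=203.0.113.7 host=gw1 action=Reject message="IKEv1 aggressive mode: pre-shared key mismatch"',
    '2026-03-01T10:01:10Z src_ip=203.0.113.7 host=gw1 action=Reject message="IKEv1 phase 1 authentication failed"',
    '2026-03-01T10:03:40Z src_ip=203.0.113.7 host=gw1 action=Accept message="IKEv1 phase 1 aggressive mode completed"',
    '2026-03-01T10:02:00Z src_ip=192.0.2.9 host=gw1 action=Reject message="IKEv1 invalid identity payload"',
    '2026-03-01T10:02:30Z src_ip=198.51.100.4 host=gw1 action=Accept message="IKEv2 SA established"',
]
```

Calling detect(SAMPLE_LOGS) returns a single alert for 203.0.113.7 (three events in the 10:00 window, risk LOW); the lone IKEv1 event from 192.0.2.9 stays below the threshold and the IKEv2 event is filtered out, matching the SPL's behaviour.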
Data Sources
Required Sourcetypes (as referenced in the query above)
- cp_log
- checkpoint_splunk
False Positives & Tuning
- Authorized legacy VPN clients still using IKEv1 prior to migration
- Scheduled VPN connectivity tests by network operations team using IKEv1 profiles
- Third-party site-to-site VPN peers that have not yet migrated to IKEv2
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: IKEv1 Aggressive Mode Probe — Check Point Gateway
Expected signal: Check Point SmartLog IKE phase 1 event with protocol IKEv1, mode aggressive, from the test host IP. UDP/500 connection event in network logs.
- Test 2: Repeated IKEv1 Auth Failure Simulation
Expected signal: 10 IKEv1 negotiation attempts with authentication failure events in SmartLog. Source IP flagged in Check Point IPS/firewall blade logs.
- Test 3: IKEv1 vs IKEv2 Protocol Downgrade Attempt
Expected signal: StrongSwan IKEv1 initiation attempt visible in system logs; Check Point gateway logs showing inbound IKEv1 proposal from test host on UDP/500.