Description
A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.
Published: 2026-06-08
Score: 9.3 Critical
EPSS: 71.1% High
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic flow weakness in the certificate validation path for the deprecated IKEv1 key exchange allows an unauthenticated attacker to bypass user authentication and establish a remote access VPN connection without a valid user password. The flaw enables the attacker to create a link to the gateway with no prior credentials, thereby granting unauthorized access to the internal network and all resources behind the gateway. This vulnerability falls under CWE-287 (Authentication Bypass by Missing or Incorrect Authentication).

Affected Systems

The vulnerability affects Check Point’s Quantum Security Gateway and Spark Firewalls. No specific product versions are listed; deployments of these gateway releases that use the affected IKEv1 logic are potentially vulnerable.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, and the EPSS score of 71% shows a high probability of exploitation. The vulnerability is listed in CISA’s KEV catalog. Based on the description, the likely attack vector is inferred to be network-based, requiring only connectivity to the VPN service and the ability to construct a malicious certificate that triggers the logic flaw. Exposed VPN interfaces work in an attacker's favor; no special user or system privileges are needed. No publicly disclosed exploits are referenced in the CVE data, but because the vulnerability permits credentialless access, administrators should act promptly.

Generated by OpenCVE AI on June 24, 2026 at 13:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable the deprecated IKEv1 VPN protocol on all gateway and firewall devices to remove the vulnerable logic path.
  • Enable multi‑factor authentication and migrate to IKEv2 or another secure VPN protocol that does not rely on the vulnerable IKEv1 logic.
  • Monitor VPN logs for unexpected or repeated connection attempts and isolate any suspicious endpoints.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:30:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 18:45:00 +0000

Type: First Time appeared
Values Added:
Checkpoint gaia Embedded
Checkpoint gaia Os
Checkpoint quantum Spark 1530
Checkpoint quantum Spark 1535
Checkpoint quantum Spark 1550
Checkpoint quantum Spark 1555
Checkpoint quantum Spark 1570
Checkpoint quantum Spark 1570r
Checkpoint quantum Spark 1575
Checkpoint quantum Spark 1575r
Checkpoint quantum Spark 1590
Checkpoint quantum Spark 1595r
Checkpoint quantum Spark 1600
Checkpoint quantum Spark 1800
Checkpoint quantum Spark 1900
Checkpoint quantum Spark 2000
Checkpoint quantum Spark 2530
Checkpoint quantum Spark 2550
Checkpoint quantum Spark 2560
Checkpoint quantum Spark 2570
Checkpoint quantum Spark 2580
Checkpoint quantum Spark 2590
Type: CPEs
Values Added:
cpe:2.3:h:checkpoint:quantum_spark_1530:-:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:quantum_spark_1535:-:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:quantum_spark_1550:-:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:quantum_spark_1555:-:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:quantum_spark_1570:-:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:quantum_spark_1570r:-:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:quantum_spark_1575:-:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:quantum_spark_1575r:-:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:quantum_spark_1590:-:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:quantum_spark_1595r:-:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:quantum_spark_1600:-:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:quantum_spark_1800:-:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:quantum_spark_1900:-:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:quantum_spark_2000:-:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:quantum_spark_2530:-:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:quantum_spark_2550:-:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:quantum_spark_2560:-:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:quantum_spark_2570:-:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:quantum_spark_2580:-:*:*:*:*:*:*:*
cpe:2.3:h:checkpoint:quantum_spark_2590:-:*:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_embedded:*:*:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_embedded:r81.10.17:-:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_embedded:r81.10.17:build_996004508:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_embedded:r81.10.17:build_996004620:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_embedded:r81.10.17:build_996004653:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_embedded:r81.10.17:build_996004721:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_embedded:r81.10.17:build_996004892:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_embedded:r82.00.10:-:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_embedded:r82.00.10:build_998001559:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_embedded:r82.00.10:build_998001562:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_embedded:r82.00.10:build_998002110:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_embedded:r82.00.10:build_998002112:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_embedded:r82.00.10:build_998002133:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_embedded:r82.00.10:build_998002203:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:*:*:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:-:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_101:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_103:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_105:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_10:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_111:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_113:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_115:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_118:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_119:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_120:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_122:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_126:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_127:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_141:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_14:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_24:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_26:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_38:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_41:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_43:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_45:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_53:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_54:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_65:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_70:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_76:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_79:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_84:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_89:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_8:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_90:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_92:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_96:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_98:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r81.20:take_99:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r82.10:-:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r82.10:take_19:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r82.10:take_6:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r82:-:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r82:take_103:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r82:take_10:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r82:take_12:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r82:take_14:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r82:take_18:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r82:take_19:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r82:take_25:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r82:take_33:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r82:take_34:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r82:take_36:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r82:take_39:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r82:take_41:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r82:take_43:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r82:take_44:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r82:take_60:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r82:take_73:*:*:*:*:*:*
cpe:2.3:o:checkpoint:gaia_os:r82:take_91:*:*:*:*:*:*
Type: Vendors & Products
Values Added:
Checkpoint gaia Embedded
Checkpoint gaia Os
Checkpoint quantum Spark 1530
Checkpoint quantum Spark 1535
Checkpoint quantum Spark 1550
Checkpoint quantum Spark 1555
Checkpoint quantum Spark 1570
Checkpoint quantum Spark 1570r
Checkpoint quantum Spark 1575
Checkpoint quantum Spark 1575r
Checkpoint quantum Spark 1590
Checkpoint quantum Spark 1595r
Checkpoint quantum Spark 1600
Checkpoint quantum Spark 1800
Checkpoint quantum Spark 1900
Checkpoint quantum Spark 2000
Checkpoint quantum Spark 2530
Checkpoint quantum Spark 2550
Checkpoint quantum Spark 2560
Checkpoint quantum Spark 2570
Checkpoint quantum Spark 2580
Checkpoint quantum Spark 2590

Tue, 09 Jun 2026 09:15:00 +0000

Type: First Time appeared
Values Added:
Checkpoint
Checkpoint quantum Security Gateway
Checkpoint spark Firewalls
Type: Vendors & Products
Values Added:
Checkpoint
Checkpoint quantum Security Gateway
Checkpoint spark Firewalls

Mon, 08 Jun 2026 20:30:00 +0000

Type: References
Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 20:00:00 +0000

Type: Metrics
Values Added: kev {'dateAdded': '2026-06-08T00:00:00+00:00', 'dueDate': '2026-06-11T00:00:00+00:00'}


Mon, 08 Jun 2026 17:30:00 +0000

Type: References
Type: Metrics
Values Added:
cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}
ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 11:45:00 +0000

Type: Description
Values Added: A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.
Type: Title
Values Added: User Authentication Bypass in VPN Remote Access and Mobile Access
Type: Weaknesses
Values Added: CWE-287
Type: References

MITRE

Status: PUBLISHED

Assigner: checkpoint

Published:

Updated: 2026-06-10T13:37:27.725Z

Reserved: 2026-06-07T09:42:08.251Z

Link: CVE-2026-50751

Vulnrichment

Updated: 2026-06-08T16:01:50.476Z

NVD

Status: Analyzed

Published: 2026-06-08T12:16:32.367

Modified: 2026-06-09T18:30:55.230

Link: CVE-2026-50751

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T13:15:15Z

Weaknesses