Two Days Ago I Said the #2 Ransomware Crew's Whole Game Was Your SSL VPN. Now the #1 Crew Is Burning a Check Point VPN Zero-Day With No Password Required. CVE-2026-50751.
- Patrick Duggan
- 2 minutes ago
- 4 min read
Two days ago I wrote that Akira — the second most active ransomware crew on earth — has one favorite door, and that door is your SSL VPN: Cisco ASA, SonicWall, WatchGuard, missing MFA or stolen credentials, in and encrypting in under four hours. I said the edge appliance is the initial-access surface of the era. I did not expect the sequel to land this fast. As of this week, the number-one crew by volume, Qilin, is in the same place by a different vendor. Check Point disclosed CVE-2026-50751, an authentication bypass in its Remote Access VPN and Mobile Access products, carrying a CVSS of 9.3, and the part that matters is in the mechanism: an attacker can establish a VPN session without a valid password. Not a stolen password, not a sprayed password — no password. Check Point Research has tied confirmed post-compromise activity on at least one victim to a Qilin ransomware affiliate. So here is where we are: the two highest-volume ransomware operations on the planet are both living on your edge VPN, and one of them no longer needs a credential at all.
The technical shape is worth stating because it tells you who is exposed. The flaw lives in the deprecated IKEv1 key-exchange protocol — the old way of doing the VPN handshake that many organizations never turned off because it kept working and nobody had a reason to touch it. If your Check Point gateway has Remote Access or Mobile Access enabled and IKEv1 is still in the configuration, an unauthenticated remote attacker can bypass the password check and connect as a remote-access user. That is the whole exploit. There is a companion issue, CVE-2026-50752, in IKEv1 certificate validation that can allow man-in-the-middle interference with site-to-site VPN traffic under specific conditions, found during the same investigation — but the password bypass is the one being weaponized. The affected list is broad across the R80, R81 and R82 gateway trains and the Spark firewalls, and a hotfix is out. CISA's response tells you how seriously to take it: federal agencies were given three days to patch, which is the emergency timeline, not the quarterly one.
Now the timeline, because it is the part that should change how you think about your own gateway. Check Point first observed suspicious activity on June 4, but the earliest confirmed exploitation traces back to May 7. That is roughly a month of an attacker using this against a real-world VPN before a patch existed — a genuine zero-day window, not a patch-gap. This is the same shape we keep documenting, from the FreePBX August zero-day that resurfaced this week to the Cisco FMC flaw Interlock rode for thirty-six days before disclosure: the edge appliance gets exploited quietly, weeks before the vendor names it, and the clock on your exposure started before anyone told you it had. If you run Check Point Remote Access, the honest assumption is not "we will patch and be fine." It is "we may already be in the window that opened May 7," and you hunt accordingly.
The infrastructure gives defenders something concrete to work with. The actor ran the attacks from dedicated VPS infrastructure — observed hosting at Kaupo Cloud in Hong Kong, Shock Hosting, and Vultr — and the indicators point to use of the Tox protocol for communication, which is a pattern strongly associated with financially motivated ransomware crews rather than espionage actors. That is consistent with the Qilin attribution: Qilin is a Russia-based ransomware-as-a-service operation, the volume leader, and exactly the kind of crew that buys or builds an edge-VPN zero-day because the edge VPN is the highest-yield front door in existence. It is the same logic Akira runs on SonicWall and Cisco. The vendor changes; the strategy does not. Compromise the appliance that every remote employee connects through, and you are inside with legitimate-looking access before any endpoint agent has a reason to alert.
The defender takeaway is unusually clean because the fix and the hunt are both well-defined. Patch to the released Check Point hotfix now, on the three-day federal clock regardless of whether you are a federal agency, because a 9.3 no-password VPN bypass with confirmed ransomware exploitation does not respect your change calendar. Then do the thing that actually closes this class: turn off IKEv1. It is deprecated, it is the vulnerable surface here, and if you are not running legacy site-to-site tunnels that genuinely require it, disabling it removes the exposure rather than patching around it. Then hunt the window, because patching forward does not evict someone who got in since May 7: look for remote-access VPN sessions that authenticated without a corresponding successful credential event, connections from the VPS ranges associated with Kaupo Cloud HK, Shock Hosting, and Vultr, anomalous internal movement following a VPN login, and the fast pre-encryption behaviors — mass file discovery, archive staging, MEGAsync or similar cloud-exfil tooling. Our STIX feed carries the edge-appliance and ransomware indicators for this class at no cost, and Qilin is a profiled actor in our index, linked to the edge thesis rather than floating as a name in a headline.
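The hunt described above, as an added example that is not part of the original post and not Check Point's own tooling: a small Python script that correlates VPN session-start events with credential events and flags sessions that were established without a preceding successful authentication, then enriches each hit with whether it negotiated over IKEv1, whether the source sits in a suspect hosting range, and what the account did next. The log format is a constructed key=value shape (real gateway logs need their own parser), the CIDR-to-provider map uses RFC 5737 documentation ranges as placeholders (not the providers' real address space), and the five-minute authentication window and one-hour follow-on window are assumptions to tune for your environment.

```python
"""Hunt for remote-access VPN sessions with no matching credential event.

Added example, not Check Point's log format or tooling. Log lines are
constructed; CIDRs are RFC 5737 documentation ranges standing in for the
real hosting ranges a defender would load from an intel feed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (simplified key=value shape, not real output).
SAMPLE_LOG = """\
2026-05-07T02:11:04Z event=auth_success user=jdoe src=192.0.2.10 method=password
2026-05-07T02:11:06Z event=vpn_session_start user=jdoe src=192.0.2.10 proto=ikev2
2026-05-07T03:39:58Z event=auth_failure user=svc_backup src=203.0.113.45 method=password
2026-05-07T03:40:12Z event=vpn_session_start user=svc_backup src=203.0.113.45 proto=ikev1
2026-05-07T04:02:51Z event=vpn_session_start user=adm_it src=198.51.100.7 proto=ikev1
2026-05-07T04:05:30Z event=smb_discovery user=adm_it src=198.51.100.7 hosts=412
"""

# Placeholder map: provider labels are the ones named in the post, the CIDRs
# are documentation ranges, NOT those providers' actual address space.
SUSPECT_HOSTING = {
    "203.0.113.0/24": "Shock Hosting (placeholder range)",
    "198.51.100.0/24": "Kaupo Cloud HK (placeholder range)",
}

AUTH_WINDOW = timedelta(minutes=5)      # assumption: auth must precede session by <= 5 min
FOLLOW_ON_WINDOW = timedelta(hours=1)   # assumption: post-login activity to report

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


@dataclass
class Event:
    ts: datetime
    fields: dict[str, str]


def parse_line(line: str) -> Event | None:
    """Parse one 'timestamp key=value ...' line; returns None on junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return Event(ts, fields)


def parse_log(text: str) -> list[Event]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def provider_for(ip: str) -> str | None:
    """Label an address if it falls in a suspect hosting range."""
    addr = ipaddress.ip_address(ip)
    for cidr, name in SUSPECT_HOSTING.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def find_unauthenticated_sessions(events: list[Event]) -> list[Event]:
    """Session starts with no auth_success for the same user+src in the
    AUTH_WINDOW before the session. An auth that only appears after the
    session exists does not count: the credential check must come first."""
    auths = [e for e in events if e.fields.get("event") == "auth_success"]
    flagged = []
    for s in events:
        if s.fields.get("event") != "vpn_session_start":
            continue
        ok = any(
            a.fields.get("user") == s.fields.get("user")
            and a.fields.get("src") == s.fields.get("src")
            and s.ts - AUTH_WINDOW <= a.ts <= s.ts
            for a in auths
        )
        if not ok:
            flagged.append(s)
    return flagged


def hunt(text: str) -> list[dict]:
    """Run the hunt and return one finding per suspicious session."""
    events = parse_log(text)
    findings = []
    for s in find_unauthenticated_sessions(events):
        reasons = ["vpn session without preceding auth_success"]
        if s.fields.get("proto") == "ikev1":
            reasons.append("negotiated over deprecated IKEv1")
        prov = provider_for(s.fields["src"])
        if prov:
            reasons.append(f"source in suspect hosting range: {prov}")
        # Anything the same user+src did in the hour after the session.
        later = [
            e.fields["event"] for e in events
            if e.fields.get("user") == s.fields["user"] and e.fields.get("src") == s.fields["src"]
            and s.ts < e.ts <= s.ts + FOLLOW_ON_WINDOW and e.fields.get("event") != "vpn_session_start"
        ]
        if later:
            reasons.append("followed by: " + ", ".join(later))
        findings.append({"ts": s.ts.isoformat(), "user": s.fields["user"],
                         "src": s.fields["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Against the constructed sample, the jdoe session is clean (password success two seconds earlier, IKEv2), while svc_backup (a failed password immediately followed by a live IKEv1 session from a suspect range) and adm_it (no credential event at all, then mass SMB discovery) are both returned. The ordering check is the heart of it: a session that exists before any successful credential event is the exact signature of a bypass, which is why the window only looks backwards.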
The honest 95%: Check Point reports the exploitation has been limited to a few dozen targeted organizations so far, with one confirmed Qilin-affiliate case — so this is targeted, not yet mass-internet-scanning, which means the window to patch ahead of the broad wave is open but closing, the way these always do once the technique is understood. We are repeating the Qilin attribution from Check Point Research's own analysis, not generating it ourselves, and "a Qilin affiliate" is a looser claim than "Qilin core," as RaaS attributions always are. And we cannot tell you IKEv1 is the last deprecated protocol someone left enabled that becomes a front door this year — it will not be, because the appliance is the foot in the door and every appliance is a foot. What we can tell you is that two days ago the pattern had one marquee example, and now it has two: the entire top tier of ransomware has converged on the VPN gateway at the edge of your network, and at least one of them just demonstrated it does not need your password to walk through it.