CISA Orders Federal Agencies To Patch Check Point VPN Bug Within Three Days

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering federal agencies to patch a critical Check Point VPN vulnerability within three days as ransomware attackers exploited it in the wild.

The Tech Buzz said CISA’s Known Exploited Vulnerabilities catalog directive gave agencies until June 12 to either patch the flaw or disconnect affected Check Point systems from their networks entirely.

BleepingComputer

SC Media reported that CISA added the bug to its exploited vulnerabilities list and gave federal agencies until June 11 to patch, while noting Check Point patched the flaw on June 8.

SC Media also quoted Matthew Hartman, chief strategy officer at the Merlin Group, saying, "This is a patch-now — not patch-soon — vulnerability," and tied the issue to CVE-2026-50751.

BleepingComputer added that CISA ordered Federal Civilian Executive Branch agencies to secure their devices by June 11, and described the flaw as enabling unauthenticated remote attackers to bypass authentication and establish a remote access VPN connection.

Check Point said the exploitation has been limited to a few dozen targeted organizations globally, and TechCrunch reported that the ransomware group Qilin was actively exploiting the unpatched flaw.

TechCrunch said the hacks began on May 7 and that CISA ordered all civilian federal agencies to fix instances where agencies were using the affected products by end of day June 11.

Numerama

SC Media described CVE-2026-50751 as a CVSS 9.3 flaw and said it allows attackers to establish a Check Point VPN session without valid credentials under certain configurations.

SC Media quoted Hartman explaining the bypass as enabling "a path through the organization’s front door," and it said a Qilin ransomware affiliate has already been linked to post-compromise activity.

Rescana framed the same urgency around a three-day emergency directive and said the vulnerability enables unauthenticated remote attackers to bypass authentication and gain access to internal networks via Check Point Remote Access VPN and Mobile Access gateways.

CISA’s directive is tied to Binding Operational Directive (BOD) 22-01, and BleepingComputer said CISA also added CVE-2026-50751 to its Known Exploited Vulnerabilities (KEV) Catalog.

“Executive Summary The U”

Rescana

BleepingComputer quoted CISA urging action by saying, "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

SC Media said the vulnerability only affects deployments still running the deprecated IKEv1 key exchange protocol and quoted Denis Calderone, principal and CTO at Suzu Labs, calling it a "patch now" situation.

SC Media also said Calderone recommended teams immediately apply Check Point's Hotfix 1, disable IKEv1, and enforce IKEv2 for remote access VPN connections.

The Tech Buzz added that federal IT teams had 72 hours to identify every affected system, test patches, and deploy them without disrupting critical operations, while noting Check Point released patches and mitigation guidance.