Summary
- NHS England warned that CVE-2026-50751 can allow a VPN session without a valid password under specific Check Point configurations.
- Check Point says exploitation has been observed in the wild and affects Remote Access VPN, Mobile Access, and Spark Firewall deployments using deprecated IKEv1.
- The case reinforces the ransomware exposure created by internet-facing edge devices, legacy remote-access settings, and weak configuration assurance.
NHS England Digital has issued a high-severity cyber alert for an actively exploited Check Point VPN vulnerability that can allow attackers to establish remote-access sessions without a valid password under specific legacy configurations.
The alert, published on 8 June, concerns CVE-2026-50751, a critical improper authentication vulnerability affecting Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol. The affected conditions include VPN Remote Access or Mobile Access being enabled, IKEv1 being enabled for remote access, gateways accepting legacy Remote Access clients, and gateways not requiring a machine certificate for connections.
Check Point said its researchers had identified active exploitation of the vulnerability. By exploiting a logic flaw in certificate validation, an attacker can establish a VPN session without possessing a valid password, bypassing authentication requirements. Additional post-authentication activity would still be required to access internal resources or escalate privileges.
Observed exploitation has been limited to a few dozen targeted organisations globally, according to Check Point. One case involved confirmed post-compromise activity associated with a Qilin ransomware affiliate, with the company assessing at medium confidence that the actor exploiting the vulnerability is financially motivated and uses Qilin ransomware. NHS England’s alert attributes the observed activity to the Qilin ransomware-as-a-service operation.
The advisory also covers CVE-2026-50752, a high-severity certificate validation weakness affecting deprecated IKEv1 site-to-site VPN connections under specific conditions. Check Point said it had not observed exploitation of that second vulnerability in the wild. The hotfix for CVE-2026-50751 also remediates CVE-2026-50752.
SSL VPNs, firewalls, and other edge devices remain exposed by design, sitting at the boundary between the public internet and internal systems. When authentication bypass flaws emerge in those products, especially in legacy configurations, organisations may have only a short period between disclosure, weaponisation, and attempted intrusion.
Healthcare providers and suppliers face particular pressure because remote access is embedded in daily operations. Clinical support, outsourced IT, third-party maintenance, and administrative workflows all depend on reliable access paths. A VPN flaw does not need to be universally exploitable to create material risk. A narrow configuration issue can still be serious when legacy settings persist in forgotten appliances, end-of-support versions, or supplier-managed environments.
NHS England’s alert encourages affected organisations to review Check Point security advisories, perform compromise assessment, search for indicators in SmartConsole and network logs, and apply the relevant hotfix as soon as possible. Organisations running end-of-support versions are also told to upgrade to a supported release.
The incident follows a wider pattern of edge-device exploitation by ransomware affiliates. Attackers have repeatedly targeted VPNs, firewalls, secure gateways, and remote-management appliances because these systems can provide authenticated network footholds without requiring an initial phishing success. Patch management helps only when organisations can rapidly identify vulnerable configurations, confirm whether deprecated protocols remain active, and determine whether devices have already been probed or abused.
The remediation work is immediate, but the assurance problem lasts longer. Boards and risk owners are increasingly expected to understand not only which security products are deployed, but how they are configured, whether supplier-managed access is governed, and whether logs can support a credible compromise assessment after emergency patching.





