Decoding the world of cybersecurity

Another reminder that retired protocols are an active risk

Check Point’s exploited VPN flaw shows how deprecated remote access protocols can remain live inside security infrastructure long after retirement should have removed them.

Another reminder that retired protocols are an active risk
Summary
  • Check Point disclosed active exploitation of CVE-2026-50751, affecting VPN deployments configured with deprecated IKEv1.
  • NHS England issued a high-severity alert because successful exploitation could allow a VPN session without a valid password.
  • Retired protocols become governance failures when they remain externally reachable, poorly owned, and treated as harmless compatibility settings.

Remote access infrastructure often outlives the assumptions under which it was deployed. Protocols retained for compatibility, appliances carried through upgrade cycles, and inherited VPN settings can remain in production long after the risk they create is understood. A feature considered legacy by engineers becomes an active route into the organisation when it remains reachable from the internet.

Check Point’s recent VPN vulnerability is another reminder of that gap between deprecation and removal. The company disclosed active exploitation of CVE-2026-50751, a critical authentication bypass affecting Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol. By exploiting a logic flaw in certificate validation, an attacker could establish a VPN session without a valid password.

The vendor said additional post-authentication activity would still be needed to reach internal resources or escalate privileges, which limits how the flaw should be described. It is not automatic control of an internal network. The access path is still serious. A remote user able to establish a VPN session without satisfying normal password requirements has crossed one of the boundaries that organisations rely on to separate external exposure from internal systems.

NHS England issued a high-severity cyber alert on 8 June, warning that successful exploitation could allow an attacker to establish a VPN session without a valid password. The alert identified the specific vulnerable conditions: remote access or Mobile Access enabled, IKEv1 enabled for remote access, gateways accepting legacy Remote Access clients, and gateways not demanding a machine certificate for connections. It also noted that SSL VPNs, firewalls, and other edge devices are attractive targets because they are internet-facing by design.

The issue extends beyond one vendor flaw. Check Point said the exploitation it observed had been limited to a few dozen targeted organisations globally, with one case involving post-compromise activity associated with a Qilin ransomware affiliate. Those details give the incident a clear security context, but the wider pattern is familiar. Security appliances, VPN gateways, firewalls, and remote access products are often treated as trusted infrastructure once deployed. Their configuration state may receive less scrutiny than their presence on an asset list.

Deprecated does not mean disabled. In large organisations, older protocols may survive because removing them could interrupt access for a small but important group of users. A remote support supplier may still rely on an older client. A specialist system may have been integrated years earlier and never fully retested. A merger, outsourcing arrangement, or managed service handover may leave inherited settings in place because no one has a complete view of dependency. Compatibility becomes a standing exception when ownership is unclear.

Regulated sectors make that problem harder. Healthcare, energy, transport, finance, and public services cannot treat remote access as a convenience layer. It can support clinical maintenance, supplier diagnostics, emergency administration, field operations, and after-hours support. Shutting off a protocol without understanding dependency can create immediate operational risk. Leaving it enabled without ownership creates latent security risk. The work sits between those two pressures: making exceptions visible, time-bound, and governed.

VPNs also occupy an awkward place in modern architecture. Many organisations now use the language of zero trust, device posture, conditional access, identity governance, and least privilege. Traditional VPN infrastructure can still operate as a broad entry point into internal networks, especially where segmentation and monitoring remain uneven. A VPN session is not the same as full compromise, but it can make an external actor look more like a legitimate network participant. From there, the quality of identity controls, logging, internal segmentation, endpoint management, and privileged access governance determines the blast radius.

Retired protocols need to be treated as governance issues, not only technical settings. The relevant concern is not whether IKEv1 is old; that has been understood for years. The concern is whether the organisation knows where it remains active, who approved its continued use, when that approval expires, which systems depend on it, and whether compensating controls have been tested. Without ownership, deprecation becomes a label rather than a control.

Vendor responsibility sits alongside customer responsibility. Vendors know that legacy protocol support can linger because customers need migration time. Clear warnings, secure defaults, configuration visibility, and practical migration routes are part of that lifecycle. Where a product allows risky settings to remain enabled, customers need to see that risk in the management plane, not discover it only when an advisory is published. End-of-support versions, legacy clients, certificate requirements, and protocol choices should be visible to administrators and intelligible to risk owners.

Customers, in turn, need to stop treating security gateways as static appliances. Firewall and VPN estates should be reviewed for exposed services, protocol versions, authentication modes, legacy clients, administrator accounts, and supplier access routes. Managed service providers should be required to document legacy dependencies, not simply maintain availability. Procurement and renewal processes should test how vendors handle deprecation, how long legacy features remain supported, and whether risky configurations can be reported centrally.

The NHS alert shows how quickly a vendor vulnerability becomes a sector issue when remote access infrastructure is involved. An advisory may begin with a product name and a CVE, but the operational response requires asset discovery, configuration review, change approval, forensic log checks, supplier coordination, and executive awareness where critical services may be exposed. In many environments, finding affected configurations is harder than applying the hotfix.

Retired protocols become dangerous when they remain trusted, externally reachable, and poorly owned. They sit in the space between technical debt and operational dependency, where migration is known to be desirable but difficult to execute without authority, budget, and confidence. The Check Point exploitation is not surprising. It is a current example of how remote access risk accumulates in settings that survive because they have not yet broken anything.

×