VPNs Under Fire: Check Point (Qilin) and Cisco SD-WAN, Two Zero-Days Exploited in June 2026

A double blow to remote-access gateways: CVE-2026-50751 (CVSS 9.3) bypasses authentication on Check Point VPNs running IKEv1 and is already being used by the Qilin ransomware, while CVE-2026-20245 opens root access on Cisco Catalyst SD-WAN Manager. Analysis, exploitation chains and remediation.

The week of June 8, 2026 was a brutal one for network teams. Two major remote-access vendors — Check Point and Cisco — released, one after the other, patches for vulnerabilities that were already being exploited in the wild. In both cases, the entry point is exactly the one you defend first: the VPN gateway and the SD-WAN controller — in other words, the front door of the network and the cockpit of the entire infrastructure.

For an administrator, these two flaws share an unpleasant lesson: applying the patch is not enough. When a VPN has been bypassable for weeks and a ransomware operator was already at work, the fix shuts the door but does not evict an intruder who is already inside. Let's break down both cases.

Check Point CVE-2026-50751: the IKEv1 VPN bypassed, Qilin at the helm

On June 8, 2026, Check Point released a hotfix rated "important" for a critical authentication flaw affecting its remote-access gateways. CVE-2026-50751, scored CVSS 9.3, is an improper authentication issue (CWE-287) that allows an attacker to establish a VPN session without presenting valid credentials.

Root cause: a deprecated protocol that was never turned off

The vulnerability only affects configurations that still rely on IKEv1, the first version of the IPsec key-exchange protocol, deprecated for years in favor of IKEv2. In practical terms, a logic flaw in certificate validation during the IKEv1 key exchange lets an attacker negotiate a session without clearing the authentication step. The affected deployments are Remote Access VPN and Mobile Access configured with IKEv1, as well as the Spark line of firewalls.

It is the classic scenario of technical debt turning into attack surface: a legacy protocol left enabled "just in case" some old clients still need it, which then becomes the weak link. Along the way, researchers identified a second flaw, CVE-2026-50752 (CVSS 7.4), enabling a man-in-the-middle attack on site-to-site VPN tunnels running IKEv1.

Active exploitation: the fingerprint of Qilin

What makes this case urgent is the ongoing exploitation. According to the published analyses, the flaw has been exploited since May 7, 2026, with a spike in activity in early June and several dozen organizations affected. Attribution points, with medium confidence, to an affiliate of Qilin, a ransomware-as-a-service operation formerly known as "Agenda" and credited with several hundred victims.

The post-exploitation playbook is typical of a mature ransomware actor: once the VPN tunnel is established without authentication, data is exfiltrated via Rclone and command-and-control is handled over the Tox protocol. CISA added CVE-2026-50751 to its KEV (Known Exploited Vulnerabilities) catalog the very same day, with a remediation deadline of June 11 for U.S. federal agencies — a signal of how urgent this is.

Affected versions and remediation

The scope spans several branches, including (non-exhaustive list) R82.10, R82 and R81.20 on Jumbo Hotfix Takes below the fixed level. Four end-of-life branches (R80.20, R80.40, R81, R81.10) are also affected and will not all receive a fix, one more reason to migrate.

The action plan:

  1. Apply the hotfix immediately (Check Point support articles sk185033 / sk185035, depending on the platform).
  2. Migrate from IKEv1 to IKEv2 and fully disable legacy clients: that is the real, root-level fix.
  3. Make the machine certificate mandatory and enable the relevant IPS signatures.
  4. Launch a threat hunt covering the window from May 7 up to the moment the hotfix was actually applied on each gateway: the patch does not remediate a prior compromise. Look for abnormal VPN sessions, traces of Rclone, and any outbound Tox traffic.
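A worked version of step 4, added here as an example; it is not Check Point tooling and not code from the article. It runs over constructed "key=value" log records: the field names (ts, src, ike, user, auth, result, proto, dport, ua, bytes), the date the hotfix was applied and the Tox UDP port (33445, its default DHT/bootstrap port) are all assumptions to adapt to your own VPN and firewall exports. It applies the exposure window first, then flags IKEv1 sessions accepted without an authenticated identity, outbound traffic to the Tox port, and HTTP(S) transfers carrying an rclone user-agent, and finally pivots on hosts that trip more than one indicator.

```python
"""Retrospective hunt over the CVE-2026-50751 exposure window.

Added example, not Check Point tooling. Runs over constructed 'key=value'
records; the field names, HOTFIX_APPLIED and TOX_UDP_PORT are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

EXPOSURE_START = datetime(2026, 5, 7, tzinfo=timezone.utc)         # first known exploitation (article)
HOTFIX_APPLIED = datetime(2026, 6, 8, 18, 0, tzinfo=timezone.utc)  # when *you* patched (constructed)
TOX_UDP_PORT = 33445  # Tox default DHT/bootstrap port (assumption, not stated in the article)

# Constructed sample records; documentation-range addresses only.
VPN_LOG = """\
ts=2026-05-02T09:10:00Z src=203.0.113.10 ike=v2 user=alice auth=cert result=accept
ts=2026-05-12T03:41:17Z src=198.51.100.77 ike=v1 user=- auth=none result=accept
ts=2026-05-20T11:05:00Z src=203.0.113.22 ike=v1 user=bob auth=psk result=accept
ts=2026-06-09T08:00:00Z src=198.51.100.77 ike=v1 user=- auth=none result=reject
"""
FW_LOG = """\
ts=2026-04-30T22:00:00Z src=10.0.5.14 dst=192.0.2.9 proto=udp dport=33445 bytes=1024
ts=2026-05-12T03:55:02Z src=10.0.5.14 dst=192.0.2.9 proto=udp dport=33445 bytes=2048
ts=2026-05-13T01:20:44Z src=10.0.5.14 dst=192.0.2.50 proto=tcp dport=443 bytes=73400320 ua=rclone/v1.66.0
ts=2026-05-13T09:00:00Z src=10.0.7.3 dst=192.0.2.60 proto=tcp dport=443 bytes=5120 ua=Mozilla/5.0
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    kind: str
    detail: str


def parse_kv(line):
    """Split a 'k=v k=v' record into a dict (constructed log format)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def in_window(ts, start, end):
    """True when the ISO-8601 'Z' timestamp falls in [start, end)."""
    t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return start <= t < end


def hunt(vpn_log, fw_log, window_end, window_start=EXPOSURE_START):
    """Flag IKEv1 sessions, Tox-like C2 and Rclone transfers inside the window."""
    findings = []
    for rec in map(parse_kv, vpn_log.splitlines()):
        if not rec or not in_window(rec["ts"], window_start, window_end):
            continue
        if rec.get("result") != "accept" or rec.get("ike") != "v1":
            continue  # IKEv2 sessions and rejected attempts are not this vector
        if rec.get("user", "-") == "-" or rec.get("auth") == "none":
            findings.append(Finding(rec["ts"], rec["src"], "ikev1_unauthenticated",
                                    "IKEv1 session accepted with no authenticated identity"))
        else:
            findings.append(Finding(rec["ts"], rec["src"], "ikev1_legacy_session",
                                    f"IKEv1 session for {rec['user']}: legacy protocol, review"))
    for rec in map(parse_kv, fw_log.splitlines()):
        if not rec or not in_window(rec["ts"], window_start, window_end):
            continue
        if rec.get("proto") == "udp" and int(rec.get("dport", 0)) == TOX_UDP_PORT:
            findings.append(Finding(rec["ts"], rec["src"], "tox_c2_candidate",
                                    f"outbound UDP/{TOX_UDP_PORT} to {rec['dst']}"))
        if rec.get("ua", "").startswith("rclone/"):
            findings.append(Finding(rec["ts"], rec["src"], "rclone_exfil_candidate",
                                    f"{rec['bytes']} bytes to {rec['dst']} as {rec['ua']}"))
    return sorted(findings, key=lambda f: f.ts)


def pivot_hosts(findings, min_kinds=2):
    """Hosts that trip two or more distinct indicator kinds: investigate these first."""
    kinds = {}
    for f in findings:
        kinds.setdefault(f.host, set()).add(f.kind)
    return sorted(h for h, k in kinds.items() if len(k) >= min_kinds)


def run_sample():
    return hunt(VPN_LOG, FW_LOG, HOTFIX_APPLIED)


if __name__ == "__main__":
    found = run_sample()
    for f in found:
        print(f"{f.ts} {f.host:15} {f.kind:24} {f.detail}")
    print("pivot first:", pivot_hosts(found))
```

The window end is deliberately the time your hotfix landed, not the vendor's release date: a gateway patched a week late was exposed a week longer. Two indicators on one internal host (here, Tox traffic followed by an rclone transfer) are what turn a list of hits into an incident.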

This case is a reminder of the fundamentals I covered in my guide on SSH hardening best practices: disabling what you don't use is just as important as protecting what you do.

Cisco Catalyst SD-WAN: root on the controller, with no patch at disclosure

A few days earlier, on June 5, 2026, Cisco published an advisory for CVE-2026-20245 (CVSS 7.8), a command injection in the CLI of Catalyst SD-WAN Manager (and its Controller and Validator components). A specially crafted file, uploaded through the interface, triggers command execution with root privileges due to insufficient input validation.

Why CVSS 7.8 understates the danger

Taken in isolation, the score looks moderate: exploitation requires authenticated netadmin privileges. But it is when chained that this flaw becomes devastating. It can be chained with two earlier, maximum-score vulnerabilities:

  • CVE-2026-20127 (CVSS 10.0): authentication bypass that yields a netadmin account.
  • CVE-2026-20182 (CVSS 10.0): SSH key injection into the vmanage-admin account via the vdaemon (DTLS/UDP 12346).

The full chain is clear and catastrophic: initial access → authentication bypass to obtain netadmin → CVE-2026-20245 to escalate to root → pushing a malicious configuration to every managed edge device. In other words, compromising the SD-WAN Manager means compromising the entire wide-area network in one shot.

Confirmed exploitation, discovered by Mandiant, no immediate fix

Cisco confirmed in-the-wild exploitation, with observed cases of malicious configurations pushed to edge devices. The flaw was discovered by the Google Mandiant teams, and Cisco Talos ties the activity to the actor tracked under the identifier UAT-8616. An aggravating detail: at disclosure there was neither a fix nor a workaround for CVE-2026-20245, which is the seventh SD-WAN zero-day of the year.

In the meantime, Cisco recommends applying the fixes for the already-available chainable flaws (notably CVE-2026-20182, patched on May 14), hardening administrative access, and collecting a "request admin-tech" bundle before any update to preserve evidence. On the detection side, monitor /var/log/scripts.log for suspicious file uploads and command executions.

What these two flaws say about your perimeter

Beyond the CVE numbers, both cases converge on the same conclusion. Edge devices — VPNs, SD-WAN controllers, gateways — concentrate both the most value for an attacker and the most configuration complexity. They are exposed to the Internet by design, often run software versions no one dares update for fear of cutting off access, and ship with legacy protocols enabled by default.

Three reflexes to industrialize:

  • Inventory and turn off the legacy. IKEv1, old VPN clients, obsolete management protocols: if it isn't used, it must be disabled, not merely "not configured."
  • Treat CISA's KEV as a priority queue. A CVE that lands there is being exploited right now; the federal deadline is a good proxy for your own urgency.
  • Patch, then hunt. For any flaw exploited before a fix was available, assume a compromise may have occurred and run a retrospective investigation over the exposure window.
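The second reflex, "KEV as a priority queue", made concrete as an added example (not a CISA or vendor tool). The live catalog is the JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; KEV_SAMPLE below is a constructed excerpt in the same shape, carrying the CVE-2026-50751 entry as the article describes it (added June 8, due June 11, ransomware use known) plus two CVE-0000-* placeholders that are not real CVEs. The asset inventory and the vendor/product matching rule are assumptions; a real CMDB export needs its own mapping.

```python
"""Turn the CISA KEV catalog into a patch queue for your own inventory.

Added example, not a CISA or vendor tool. KEV_SAMPLE is a constructed
excerpt in the feed's shape; the CVE-0000-* entries are placeholders.
The inventory and the matching rule are assumptions.
"""
import heapq
import json
from datetime import date

KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-50751", "vendorProject": "Check Point", "product": "Remote Access VPN",
     "dateAdded": "2026-06-08", "dueDate": "2026-06-11", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Example Router",
     "dateAdded": "2026-06-01", "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Example Switch",
     "dateAdded": "2026-06-04", "dueDate": "2026-06-25", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory: one row per asset, as a CMDB might export it.
INVENTORY = [
    {"asset": "vpn-gw-01", "vendor": "Check Point", "product": "Remote Access VPN"},
    {"asset": "vpn-gw-02", "vendor": "Check Point", "product": "Remote Access VPN"},
    {"asset": "core-sw-01", "vendor": "ExampleVendor", "product": "Example Switch"},
]


def norm(s):
    """Lowercase, alphanumerics only, so 'Check Point' and 'checkpoint' compare equal."""
    return "".join(ch for ch in s.lower() if ch.isalnum())


def matches(entry, asset):
    """Assumed rule: same vendor, and one product name contained in the other."""
    if norm(entry["vendorProject"]) != norm(asset["vendor"]):
        return False
    a, b = norm(entry["product"]), norm(asset["product"])
    return a in b or b in a


def build_queue(kev_json, inventory, today):
    """Return the KEV entries that hit the inventory, most urgent first.

    Priority is (federal due date, ransomware use known first, CVE id): the
    order to work the list in even where the federal deadline is not binding.
    """
    today = date.fromisoformat(today)
    heap = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        hit = [a["asset"] for a in inventory if matches(entry, a)]
        if not hit:
            continue  # exploited in the wild, but not on anything we run
        due = date.fromisoformat(entry["dueDate"])
        ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
        heapq.heappush(heap, (due, 0 if ransomware else 1, entry["cveID"], hit))
    queue = []
    while heap:
        due, _, cve, hit = heapq.heappop(heap)
        queue.append({"cve": cve, "due": due.isoformat(),
                      "days_left": (due - today).days, "assets": hit})
    return queue


def run_sample(today="2026-06-09"):
    return build_queue(KEV_SAMPLE, INVENTORY, today)


if __name__ == "__main__":
    for item in run_sample():
        flag = "OVERDUE" if item["days_left"] < 0 else f"{item['days_left']}d"
        print(f"{item['cve']:16} due {item['due']} ({flag}) -> {', '.join(item['assets'])}")
```

Entries that match nothing in the inventory are dropped rather than ranked: the queue is meant to be worked to empty, and noise from products you do not run is what makes teams stop reading KEV. A negative days_left means the federal deadline has already passed while the asset is still listed.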

FAQ

I run IKEv2 on my Check Point gateways — am I vulnerable to CVE-2026-50751?

No. The flaw only affects Remote Access VPN and Mobile Access deployments configured with IKEv1, as well as Spark firewalls. IKEv2-only configurations are not exposed to this vector. That is precisely why migrating to IKEv2 and disabling IKEv1 is the recommended root-level remediation.

Is the Check Point hotfix enough to protect me if I've been exposed since May?

No. The fix closes the vulnerability but does not eliminate an attacker already present in the network. Since the flaw has been exploited since May 7, 2026, any exposed organization must run a threat hunt covering that window: abnormal VPN sessions, use of Rclone for exfiltration, and command-and-control traffic over the Tox protocol.

Why is Cisco's CVE-2026-20245 so dangerous despite a CVSS of "only" 7.8?

Because the standalone score does not reflect the chaining potential. Combined with already-known CVSS 10.0 authentication bypasses (CVE-2026-20127, CVE-2026-20182), it enables escalation from initial access to root on the SD-WAN Manager, then pushing a malicious configuration to every edge device. The real risk is a total compromise of the wide-area network.

How do I detect exploitation on Cisco Catalyst SD-WAN Manager?

Monitor /var/log/scripts.log for unusual file uploads and command executions. Also look for unplanned configuration changes pushed to edge devices. Before any update, collect a "request admin-tech" bundle to preserve the system state for forensic investigation.

Conclusion

Two vendors, two weeks, one and the same message: the network edge is the front line. Check Point's CVE-2026-50751 and Cisco's CVE-2026-20245 are not theoretical flaws — they are being exploited, one by an established ransomware operator, the other by an actor tracked by Mandiant. In both cases, the defensive value lies not only in how fast you patch, but in your ability to turn off the legacy upstream and to investigate downstream. Check your IKEv1 configurations, apply the available chainable Cisco fixes, and treat any exposure window as a potential compromise until proven otherwise.


Morgann Riu

Cybersecurity and Linux administration expert. I help companies secure and optimize their critical infrastructures.
