
Qilin Ransomware and CVE-2026-50751: How Threat Actors Weaponized Check Point VPN Infrastructure
Ransomware operators continue to evolve their attack methodologies by leveraging newly disclosed vulnerabilities in internet-facing infrastructure to gain unauthorized access to enterprise environments. Modern Ransomware-as-a-Service (RaaS) groups increasingly combine vulnerability exploitation, credential abuse, data theft, and double-extortion tactics to maximize operational impact and financial gain.
One such threat is Qilin ransomware, a RaaS operation that has emerged as one of the most active ransomware groups globally. Security researchers have recently linked Qilin affiliates to the exploitation of vulnerable Check Point VPN deployments, demonstrating the group's ability to rapidly weaponize newly disclosed vulnerabilities to obtain initial access to victim networks.
Background of Qilin
Qilin is a Ransomware-as-a-Service operation that first emerged in 2022. Initially developed using the Go programming language, the malware later evolved into a Rust-based ransomware platform designed to provide enhanced flexibility and evasion capabilities.
Researchers have observed Qilin employing double-extortion tactics, whereby sensitive data is exfiltrated before encryption. Victims are subsequently threatened with public disclosure of stolen information if ransom demands are not met.
Vulnerability Details
| CVE ID | CVSS Score | EPSS Score | Affected Products | Affected Versions |
|---|---|---|---|---|
| CVE-2026-50751 | 9.3 (Critical) | 11.84% | Mobile Access / SSL VPN, Remote Access VPN, Spark Firewall | R80.20.X (EOS), R80.40 (EOS), R81 (EOS), R81.10 (EOS), R81.10.X, R81.20, R82, R82.00.X, R82.10 |
| CVE-2026-50752 | 7.4 (High) | 0.03% | Security Gateways, Spark Firewall | R80.20.X (EOS), R80.40 (EOS), R81 (EOS), R81.10 (EOS), R81.10.X, R81.20, R82, R82.00.X, R82.10 |
Infection Method
Based on observed post-exploitation activity, researchers assess with medium confidence that the threat actor responsible for exploiting CVE-2026-50751 is financially motivated and associated with Qilin ransomware operations. The actor has also been linked to the exploitation of other VPN-related vulnerabilities affecting products from Palo Alto Networks, Fortinet, and F5, indicating a broader focus on targeting internet-facing remote access infrastructure.
Following successful access, affiliates typically establish persistence, perform internal reconnaissance, harvest credentials, move laterally through the environment, and identify high-value systems prior to ransomware deployment. Researchers also observed indicators suggesting use of the Tox peer-to-peer messaging protocol, a communication channel commonly used by financially motivated ransomware groups.
The actor leveraged dedicated virtual private server (VPS) infrastructure to conduct attacks, including systems hosted by providers such as Kaupo Cloud HK, Shock Hosting, and Vultr Holdings. In some cases, the geographic location of the VPS infrastructure appeared to align with the targeted organization's region. For example, attacks targeting organizations in Taiwan were observed originating from infrastructure geolocated within Taiwan.
The ransomware ultimately encrypts victim systems and combines the attack with data theft operations to facilitate double-extortion demands.
Indicators of Compromise (IOCs)
Malicious IP Addresses
- 45.77.149[.]152
- 209.182.225[.]136
- 38.60.157[.]139
- 162.33.177[.]101
- 45.76.26[.]42
- 144.208.127[.]155
- 38.54.88[.]201
- 38.54.107[.]167
- 66.42.99[.]200
- 45.63.104[.]106
- 45.61.136[.]173
- 146.71.81[.]184
- 208.123.119[.]167
- 64.176.228[.]109
- 158.247.195[.]147
- 144.208.127[.]134
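The IOC list above is published defanged (`[.]`), so it cannot be pasted straight into a firewall object or a log search. The script below is an added example, not code from the original article: it refangs the page's sixteen addresses, validates each one with the standard `ipaddress` module so a typo fails loudly rather than silently matching nothing, and scans log lines for any of them. The `key=value` log lines are constructed for illustration and do not represent a real Check Point log format.

```python
"""Match the published IOC IP addresses against VPN/gateway log lines.

Added example (not the article's own code). DEFANGED_IOCS is copied from the
page; SAMPLE_LOG is constructed and hypothetical.
"""
import ipaddress
import re
from typing import Iterable, List, Set, Tuple

# IOC IP addresses exactly as published on the page (defanged).
DEFANGED_IOCS = [
    "45.77.149[.]152", "209.182.225[.]136", "38.60.157[.]139", "162.33.177[.]101",
    "45.76.26[.]42", "144.208.127[.]155", "38.54.88[.]201", "38.54.107[.]167",
    "66.42.99[.]200", "45.63.104[.]106", "45.61.136[.]173", "146.71.81[.]184",
    "208.123.119[.]167", "64.176.228[.]109", "158.247.195[.]147", "144.208.127[.]134",
]

# Constructed sample log (hypothetical key=value gateway format, not a real
# Check Point log). Lines 1 and 3 carry IOC sources; lines 2 and 4 do not.
SAMPLE_LOG = """\
2026-05-02T03:14:07Z gw1 action=accept src=45.77.149.152 dst=203.0.113.10 service=https app=Mobile_Access
2026-05-02T03:14:09Z gw1 action=accept src=198.51.100.23 dst=203.0.113.10 service=https app=Mobile_Access
2026-05-02T03:15:30Z gw1 action=drop src=38.54.88.201 dst=203.0.113.10 service=IKE
2026-05-02T03:16:02Z gw1 action=accept src=192.0.2.77 dst=203.0.113.10 service=https app=Mobile_Access
"""

# Dotted-quad shape; lookarounds stop "1.2.3.4.5" from yielding partial matches.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def refang(ioc: str) -> str:
    """Undo the common defanging styles so the indicator parses as an address."""
    return (ioc.replace("[.]", ".").replace("(.)", ".")
               .replace("{.}", ".").replace("[dot]", "."))


def build_blocklist(defanged: Iterable[str]) -> Set[ipaddress.IPv4Address]:
    """Parse defanged IOCs into validated address objects.

    ipaddress.ip_address raises ValueError on malformed input, so a typo in
    the IOC list is caught at load time instead of producing a dead entry.
    """
    return {ipaddress.ip_address(refang(ioc)) for ioc in defanged}


def scan_log(lines: Iterable[str], blocklist) -> List[Tuple[int, str, str]]:
    """Return (line_number, matched_ip, line) for every line with a blocklisted IP."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for candidate in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:  # e.g. 999.1.1.1 has the shape but is not an address
                continue
            if addr in blocklist:
                hits.append((lineno, str(addr), line.rstrip()))
                break  # one report per line is enough
    return hits


def blocklist_as_text(blocklist) -> List[str]:
    """Refanged, sorted addresses ready for a firewall object or SIEM lookup list."""
    return [str(addr) for addr in sorted(blocklist)]


if __name__ == "__main__":
    bl = build_blocklist(DEFANGED_IOCS)
    print("blocklist:", ", ".join(blocklist_as_text(bl)))
    for lineno, ip, line in scan_log(SAMPLE_LOG.splitlines(), bl):
        print(f"line {lineno}: IOC {ip} -> {line}")
```

Matching on parsed address objects rather than on substrings avoids the classic false positive where `45.77.149.15` matches `45.77.149.152`; feeding the gateway's exported logs to `scan_log` line by line is all that is needed to run it against real data.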
MITRE ATT&CK Mapping
| Tactic | Technique |
|---|---|
| TA0001 - Initial Access | T1133 - External Remote Services |
| TA0002 - Execution | T1059 - Command and Scripting Interpreter |
| TA0003 - Persistence | T1078 - Valid Accounts |
| TA0005 - Defense Evasion | T1027 - Obfuscated Files or Information |
| TA0007 - Discovery | T1082 - System Information Discovery |
| TA0008 - Lateral Movement | T1021 - Remote Services |
| TA0009 - Collection | T1005 - Data from Local System |
| TA0010 - Exfiltration | T1041 - Exfiltration Over C2 Channel |
| TA0040 - Impact | T1486 - Data Encrypted for Impact |
Mitigation
1. Apply the latest Check Point hotfixes addressing CVE-2026-50751 and CVE-2026-50752 on all affected Security Gateways and Spark appliances.
2. Disable the deprecated IKEv1 protocol wherever possible and migrate VPN configurations to IKEv2, which provides stronger security controls and is not affected by these vulnerabilities.
3. Block the IP addresses listed in the IOC section at the perimeter and search gateway and VPN authentication logs for earlier connections from them, since exploitation may predate patching.
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
