## https://sploitus.com/exploit?id=1887B5CB-F35E-509F-992F-1B55A688FF1D
# CVE-2026-50751 Scanner
Multi-target detection scanner for [CVE-2026-50751](https://www.cvedetails.com/cve/CVE-2026-50751) -- Check Point IKEv1 Remote Access VPN certificate-authentication bypass.
> **Authorization Required:** Only scan assets you own or are explicitly authorized to test. This tool is for defensive validation only.
---
## Vulnerability Overview
**CVE-2026-50751** is an authentication bypass affecting Remote Access VPN and Mobile Access on gateways that still accept the deprecated IKEv1 key exchange.
| Field | Value |
|---|---|
| **CVSS Score** | 9.3 (Critical) |
| **CVSS Vector** | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| **Exploited in the wild** | Yes |
| **Check Point SK** | [sk185033](https://support.checkpoint.com/results/sk/sk185033) |
### Affected Products
- Mobile Access / SSL VPN
- Remote Access VPN
- Spark Firewall
### Affected Versions
| Version | Status |
|---|---|
| R80.20.X | End of Support |
| R80.40 | End of Support |
| R81 | End of Support |
| R81.10 | End of Support |
| R81.10.X | |
| R81.20 | |
| R82 | |
| R82.00.X | |
| R82.10 | |
### Technical Details
CVE-2026-50751 is a logic flaw in IKEv1 certificate validation. The vulnerable `iked` process honours attacker-controlled flags carried in the `VPNExtFeatures` Vendor ID payload (bit 0x4), which causes `verify_peer_auth` to skip the `verifyMessagePhase1` check. As a result:
- The certificate's signature (proof of possession) is **not verified**.
- The certificate's trust chain is **not verified**.
- Only the subject DN (username) is checked against provisioned Remote-Access users.
An attacker can therefore present a self-signed certificate whose subject DN names a provisioned user and establish a VPN session without that user's private key, password, or a certificate issued by the gateway's ICA.
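The following is an added example, not code from this scanner or from watchTowr's PoC. It models the behaviour the page attributes to the vulnerable `verify_peer_auth` path: the gateway maps the peer certificate's subject DN to a provisioned Remote-Access user but never checks that the certificate chains to the gateway's ICA. It then places a hardened check beside it. `ExampleCorp`, its ICA, the user list and the Phase 1 hash value are constructed for the example; the DN layout `CN=<user>,OU=users,O=<org>` follows the scanner's `--ou` / `--org` defaults. It needs only the `cryptography` package the scanner already requires.

```python
"""Added example; not code from this scanner or from watchTowr's PoC.
Models the DN-only check the page attributes to a vulnerable gateway next
to a hardened check (chain to ICA, proof of possession, then user lookup).
ExampleCorp, its ICA, PROVISIONED_USERS and the Phase 1 hash are constructed.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ORG = "ExampleCorp"                       # hypothetical ICA organization (O=)
PROVISIONED_USERS = {"oracle", "jsmith"}  # constructed Remote-Access user list


def user_dn(username, org=ORG, ou="users"):
    """CN=<user>,OU=<ou>,O=<org>, the layout the scanner builds from -u/--ou/--org."""
    return x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, username),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, ou),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
    ])


def issue(subject, issuer, signing_key, public_key, is_ca=False):
    """Build and sign an X.509 certificate (ECDSA P-256 / SHA-256)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))


def make_ica(org=ORG):
    """Stand-in for the gateway's ICA: a self-signed CA the gateway trusts."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, f"{org} ICA"),
                      x509.NameAttribute(NameOID.ORGANIZATION_NAME, org)])
    return key, issue(name, name, key, key.public_key(), is_ca=True)


def legit_user_cert(ica_key, ica_cert, username):
    """Certificate the ICA would really issue to a provisioned user."""
    key = ec.generate_private_key(ec.SECP256R1())
    return key, issue(user_dn(username), ica_cert.subject, ica_key, key.public_key())


def forged_user_cert(username):
    """What the attacker presents: self-signed, subject DN of the target user."""
    key = ec.generate_private_key(ec.SECP256R1())
    dn = user_dn(username)
    return key, issue(dn, dn, key, key.public_key())


def sign_phase1_hash(key, phase1_hash):
    """Proof of possession: the peer signs the Phase 1 hash with its cert key."""
    return key.sign(phase1_hash, ec.ECDSA(hashes.SHA256()))


def dn_only_check(cert, provisioned=PROVISIONED_USERS, org=ORG):
    """The only check the page says survives on a vulnerable gateway."""
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    o = cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
    return bool(cn and o) and cn[0].value in provisioned and o[0].value == org


def vulnerable_verify(cert, phase1_hash, sig):
    """verifyMessagePhase1 skipped: neither signature nor chain is examined."""
    return dn_only_check(cert)


def hardened_verify(cert, phase1_hash, sig, ica_cert):
    """Chain to the ICA, then proof of possession, then the user lookup."""
    if cert.issuer != ica_cert.subject:
        return False, "issuer is not the gateway ICA"
    try:
        ica_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                     ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "certificate signature does not verify against the ICA"
    try:
        cert.public_key().verify(sig, phase1_hash, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return False, "peer cannot prove possession of the certificate key"
    if not dn_only_check(cert):
        return False, "subject DN is not a provisioned user"
    return True, "ok"


def demo():
    """{label: (accepted by vulnerable gateway, accepted by patched gateway)}"""
    ica_key, ica_cert = make_ica()
    phase1_hash = bytes(range(32))        # constructed stand-in for HASH_I
    cases = {"legit": legit_user_cert(ica_key, ica_cert, "oracle"),
             "forged": forged_user_cert("oracle"),
             "forged_unknown_user": forged_user_cert("nosuchuser")}
    out = {}
    for label, (key, cert) in cases.items():
        sig = sign_phase1_hash(key, phase1_hash)
        out[label] = (vulnerable_verify(cert, phase1_hash, sig),
                      hardened_verify(cert, phase1_hash, sig, ica_cert)[0])
    return out
```

`demo()` returns `{"legit": (True, True), "forged": (True, False), "forged_unknown_user": (False, False)}`. Note the design point: the forged certificate passes the proof-of-possession step in `hardened_verify` too, because the attacker holds the key for the certificate they minted. What stops it is the chain check against the ICA, which is exactly the part the page says the vulnerable path skips.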
---
## Scanner
This tool is a **safe multi-target scanner** that performs the original detection logic against multiple hosts concurrently. It does not add exploitation beyond the original detection behavior.
### What It Does
- Sends IKEv1 Main Mode messages with a forged self-signed certificate.
- Reports whether the target accepts the forged certificate flow.
- Supports UDP (500/4500) and TCP/TCPT (443 Visitor Mode).
- Auto-derives the ICA organization from the gateway's public TLS certificate on port 443.
- Outputs results in text, JSON, and log file formats.
### What It Does NOT Do
- No Phase 2 VPN negotiation.
- No XAUTH password attempts.
- No credential guessing or brute force.
- No stealth, evasion, or rate-limit bypassing.
- No packet flooding.
- No post-auth actions or tunneling.
### Safety Controls
| Control | Default | Notes |
|---|---|---|
| Concurrency | 1 | Max 5 without `--force-high-concurrency` |
| Retries | 0 | Max 2 |
| Delay | 2.0s | Between target submissions |
| Timeout | 8.0s | Per target |
---
## FOFA Dork
To discover Check Point SSL Network Extender gateways on the internet:
```
app="Check_Point-SSL-Network-Extender"
```
> **Note:** Only scan assets you own or have explicit authorization to test.
## Prerequisites
- Python 3.10+
- `cryptography` library
```bash
pip install cryptography
```
---
## Usage
### Basic Usage
```bash
# Single target (backwards-compatible)
python exploit_poc.py -rh vpn.company.com -u oracle --json-out results.json --log-file scan.log
# Multiple targets
python exploit_poc.py --target vpn1.company.com --target 10.1.2.3 -u oracle
# From file (one target per line)
python exploit_poc.py --targets-file targets.txt -u oracle
```
### Dry Run (No Packets Sent)
```bash
python exploit_poc.py --targets-file targets.txt -u oracle --dry-run
```
### Output Options
```bash
# JSON results + text log
python exploit_poc.py --targets-file targets.txt -u oracle \
--json-out results.json --log-file scan.log
```
### Visitor Mode (TCP/443 TCPT)
```bash
python exploit_poc.py --target vpn.company.com -u oracle --tcpt
# or
python exploit_poc.py --target vpn.company.com -u oracle -rp 443
```
### High Concurrency (Requires Explicit Flag)
```bash
python exploit_poc.py --targets-file targets.txt -u oracle \
--concurrency 10 --force-high-concurrency --delay 1
```
### Custom Organization (Skip TLS Auto-Derive)
```bash
python exploit_poc.py --target vpn.company.com -u oracle --org "MyCompany"
```
---
## Target Input
Targets can be specified via:
| Option | Description |
|---|---|
| `--target HOST` | Single target (repeatable) |
| `-rh HOST` | Single target (backwards-compatible alias) |
| `--targets-file FILE` | File with one target per line |
**Targets file format:**
- One target per line.
- Lines starting with `#` are comments.
- Blank lines are ignored.
---
## Result Statuses
| Scanner Status | Meaning |
|---|---|
| `possibly_vulnerable` | Gateway accepted the forged cert (CVE-2026-50751 likely present) |
| `not_vulnerable_or_patched` | Gateway rejected the forged cert (patched or username not provisioned) |
| `not_ike_or_no_cert_realm` | No IKE service or gateway not in certificate auth mode |
| `not_reachable` | DNS resolution failed or connection refused |
| `inconclusive` | No decisive response (rate-limited or dropped) |
| `error` | Unexpected exception occurred |
### Exit Codes
| Code | Meaning |
|---|---|
| 0 | Scan complete, no `possibly_vulnerable` results (other statuses, including `inconclusive`, may still be present) |
| 1 | Scan complete, one or more `possibly_vulnerable` results |
| 2 | Argument/safety error |
| 3 | Fatal error |
---
## Command-Line Options
### Target Options
| Option | Type | Default | Description |
|---|---|---|---|
| `-rh`, `--rhost` | string | None | Single remote host (backwards-compatible) |
| `--target` | string | None | Target host (repeatable) |
| `--targets-file` | string | None | File with one target per line |
### Connection Options
| Option | Type | Default | Description |
|---|---|---|---|
| `-rp`, `--rport` | int | 500 | Remote port (UDP 500/4500, TCP 443 for Visitor Mode) |
| `-t`, `--timeout` | float | 8.0 | Timeout in seconds |
| `--tcpt` | flag | False | Use Check Point Visitor-Mode TCPT tunnel |
### Authentication Options
| Option | Type | Default | Description |
|---|---|---|---|
| `-u`, `--username` | string | **Required** | Remote-Access username to impersonate |
| `--org` | string | Auto-derive | ICA organization (O=) DN suffix |
| `--ou` | string | users | OU= component of the user DN |
| `-r`, `--retries` | int | 0 | Retries of the first Main Mode message (msg1); max 2 |
### Scanner Safety Options
| Option | Type | Default | Description |
|---|---|---|---|
| `--dry-run` | flag | False | Print targets and exit without scanning |
| `--concurrency` | int | 1 | Max concurrent targets (max 5 without `--force-high-concurrency`) |
| `--force-high-concurrency` | flag | False | Allow concurrency 6-20 |
| `--delay` | float | 2.0 | Seconds between target submissions |
### Output Options
| Option | Type | Default | Description |
|---|---|---|---|
| `--json-out` | string | None | Write JSON results to file |
| `--log-file` | string | None | Append text log lines to file |
| `-v`, `--verbose` | flag | False | Verbose output |
---
## Example Output
```
[*] CVE-2026-50751 Check Point IKEv1 RA VPN Multi-Target Scanner
[*] Detection only -- no exploitation beyond original detection logic.
[!] Only scan assets you own or are authorized to test.
[*] Targets: 3 | Port: 500 | Transport: udp
[*] Concurrency: 1 | Delay: 2.0s | Timeout: 8.0s | Retries: 0
[possibly_vulnerable] vpn1.company.com udp/500 3.42s
[not_vulnerable_or_patched] vpn2.company.com udp/500 2.18s
[not_reachable] 10.1.2.3 udp/500 1.05s Connection failed: [Errno 111] Connection refused
[*]
[*] Summary:
[*] possibly_vulnerable: 1
[*] not_vulnerable_or_patched: 1
[*] not_ike_or_no_cert_realm: 0
[*] not_reachable: 1
[*] inconclusive: 0
[*] error: 0
```
---
## JSON Output Format
```json
[
{
"target": "vpn.company.com",
"resolved_ip": "203.0.113.10",
"port": 500,
"transport": "udp",
"tcpt": false,
"username": "oracle",
"status": "possibly_vulnerable",
"runner_status": "BYPASSED",
"started_at": "2026-06-16T12:34:56Z",
"finished_at": "2026-06-16T12:35:01Z",
"duration_seconds": 5.1,
"error": null
}
]
```
---
## Log File Format
```
2026-06-16T12:34:56Z target=vpn.company.com ip=203.0.113.10 transport=udp port=500 status=possibly_vulnerable duration=5.1 error=
```
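Added example, not part of the scanner: a parser for the text log and JSON output documented above that rebuilds the per-status summary printed under Example Output, derives the documented exit code, and lists the targets that gave no decisive answer. `SAMPLE_LOG` and `SAMPLE_JSON` are constructed to match the two formats; hosts, addresses and timestamps are illustrative, and `runner_status` is left out of the JSON sample because the page only documents one value for it.

```python
"""Added example; not part of the scanner. Parses the --log-file and
--json-out formats documented above. SAMPLE_LOG / SAMPLE_JSON are constructed.
"""
import json
import re
from collections import Counter

STATUSES = ("possibly_vulnerable", "not_vulnerable_or_patched",
            "not_ike_or_no_cert_realm", "not_reachable", "inconclusive", "error")
RESCAN = {"inconclusive", "error"}   # no decisive answer: worth a slower retry

SAMPLE_LOG = """\
2026-06-16T12:34:56Z target=vpn1.company.com ip=203.0.113.10 transport=udp port=500 status=possibly_vulnerable duration=3.42 error=
2026-06-16T12:35:01Z target=vpn2.company.com ip=203.0.113.11 transport=udp port=500 status=not_vulnerable_or_patched duration=2.18 error=
2026-06-16T12:35:05Z target=10.1.2.3 ip=10.1.2.3 transport=udp port=500 status=not_reachable duration=1.05 error=Connection failed: [Errno 111] Connection refused
2026-06-16T12:35:15Z target=vpn3.company.com ip=203.0.113.12 transport=tcp port=443 status=inconclusive duration=8.0 error=
"""

SAMPLE_JSON = json.dumps([{
    "target": "vpn2.company.com", "resolved_ip": "203.0.113.11", "port": 500,
    "transport": "udp", "tcpt": False, "username": "oracle",
    "status": "not_vulnerable_or_patched",
    "started_at": "2026-06-16T12:34:58Z", "finished_at": "2026-06-16T12:35:01Z",
    "duration_seconds": 2.18, "error": None,
}])

# key=value pairs; a value runs until the next " key=" or end of line, so the
# free-text error field (which contains spaces and brackets) is captured whole.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_log_line(line):
    """One log line -> dict with typed port/duration and error=None when empty."""
    timestamp, _, rest = line.strip().partition(" ")
    rec = {"timestamp": timestamp, **dict(_KV.findall(rest))}
    if rec.get("status") not in STATUSES:
        raise ValueError(f"unknown status in log line: {line!r}")
    rec["port"] = int(rec["port"])
    rec["duration"] = float(rec["duration"])
    rec["error"] = rec.get("error") or None
    return rec


def parse_log(text):
    return [parse_log_line(l) for l in text.splitlines() if l.strip()]


def parse_json_results(text):
    """--json-out file -> list of result dicts, validated against the status table."""
    records = json.loads(text)
    bad = [r.get("status") for r in records if r.get("status") not in STATUSES]
    if bad:
        raise ValueError(f"unknown statuses in JSON results: {bad}")
    return records


def summarize(records):
    """Same counts as the scanner's Summary block; every status present, 0 if unused."""
    counts = Counter(r["status"] for r in records)
    return {s: counts.get(s, 0) for s in STATUSES}


def exit_code(records):
    """0 = no possibly_vulnerable result, 1 = at least one (matches the Exit Codes table)."""
    return 1 if summarize(records)["possibly_vulnerable"] else 0


def rescan_targets(records):
    """Targets with no decisive answer; re-run them with a longer --delay and --retries 2."""
    return sorted({r["target"] for r in records if r["status"] in RESCAN})
```

Feed `parse_log(open("scan.log").read())` or `parse_json_results(open("results.json").read())` into `summarize`, `exit_code` and `rescan_targets`; the log parser raises on a status string outside the documented table rather than silently counting it, which is the behaviour you want when a newer scanner version adds a status.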
---
## Security Considerations
### Authorization
- Only scan assets you own or have explicit written authorization to test.
- Check Point has observed active exploitation of CVE-2026-50751 in the wild.
- Vulnerable systems may be actively targeted by threat actors.
---
## Mitigation
Apply the Check Point hotfix described in [sk185033](https://support.checkpoint.com/results/sk/sk185033).
Additionally:
- Disable IKEv1 if not required; use IKEv2 instead.
- Where the deployment allows it, restrict inbound IKE (UDP 500/4500) and Visitor Mode (TCP 443) to trusted source networks.
- Monitor for active exploitation indicators.
---
## License
This tool is provided for defensive security testing and authorized vulnerability detection only.
---
## Credits
Based on the original detection script by [watchTowrlabs](https://github.com/watchtowrlabs/watchTowr-vs-Check-Point-CVE-2026-50751).