Nuclei template: CVE-2026-50751.yaml
Research page generated from configured evidence sources. Treat this as an analyst workbench: facts are sourced, gaps are labelled, and low-confidence chatter is separated from confirmed evidence.
Executive judgement
- Operational lane: review now
- Priority score: 100
- Confidence: high
- Exploit status: ransomware — Ransomware-associated exploitation signal observed in configured sources.
- Urgent publishable: yes
- CISA KEV: Confirmed in CISA KEV from configured source data.
- Published/observed: 2026-06-08
- EPSS score: 0.4115 (98th percentile)
What happened
Check Point Security Gateway contains an improper authentication vulnerability in IKEv1 key exchange that could allow an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.
Why it matters
- The item was promoted because the pipeline observed: priority score 100, exploit status ransomware, confidence high.
- It has a CVE identifier, so it can be tracked across NVD/CVE.org/vendor/exploit sources.
- No PoC signal was detected by the current pipeline unless shown elsewhere on this page.
Evidence collected
- NVD: nvd
- CISA KEV: cisa_kev
- VULNCHECK XDB: VulnCheck exploit reference
- NUCLEI: Nuclei template: CVE-2026-50751.yaml
Exploitation and PoC status
- Current automated assessment: Ransomware-associated exploitation signal observed in configured sources.
- Public exploit/PoC: No PoC source captured yet by the configured pipeline.
- Exploited in the wild: Configured sources contain active exploitation language.
- Ransomware association: Ransomware-linked signal present.
Exploit references (VulnCheck)
Publication / validation flags
- No validation flags from configured gates.
Dark web / low-confidence chatter
- No matching OTX/URLhaus/MalwareBazaar item found in configured low-confidence feeds at generation time.
- This is not proof of absence. It means the current automated sources did not capture relevant underground or malware-feed chatter.
Defender actions
- Disable IKEv1 key exchange on Security Gateways if unused
- Monitor VPN logs for unauthenticated remote access sessions
- Restrict IKEv1 traffic to trusted source IPs only
Analyst note
CISA KEV inclusion plus ransomware exploitation status means defenders should assume real-world attacks are occurring. Prioritize detection of unauthorized VPN connections via the available Nuclei template. Review all Check Point Security Gateway deployments using IKEv1 immediately.
Defender / Sentinel hunting queries
MDE exposure: devices with CVE-2026-50751
Find devices where Microsoft Defender Vulnerability Management reports the CVE.
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2026-50751"
| project DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion, VulnerabilitySeverityLevel, RecommendedSecurityUpdate, LastSeenTime
| order by VulnerabilitySeverityLevel desc, LastSeenTime desc
MDE edge/service exploitation telemetry triage
Look for unusual network/process activity around exposed edge, OT, or management services. Tune product terms before operational use.
DeviceNetworkEvents
| where Timestamp > ago(14d)
| where RemotePort in (443, 8443, 9443, 8080, 8000, 5000) or LocalPort in (443, 8443, 9443, 8080, 8000, 5000)
// Generated keyword terms: "template", "Check" and "Point" match broadly; narrow them before operational use
| where RemoteUrl has_any ("Nuclei", "template", "Check", "Point", "Gateway", "CVE-2026-50751")
    or InitiatingProcessCommandLine has_any ("Nuclei", "template", "Check", "Point", "Gateway")
    or AdditionalFields has_any ("Nuclei", "template", "Check", "Point", "Gateway", "CVE-2026-50751")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, LocalPort, ActionType, AdditionalFields
| order by Timestamp desc
Sentinel identity/M365 suspicious admin and consent activity
Hunt for suspicious identity, OAuth, mailbox, or admin activity linked to this issue/campaign.
AuditLogs
| where TimeGenerated > ago(14d)
| where TargetResources has_any ("Nuclei", "template")
    or AdditionalDetails has_any ("Nuclei", "template")
    or OperationName has_any ("Nuclei", "template")
| project TimeGenerated, OperationName, Result, InitiatedBy, TargetResources, AdditionalDetails
| order by TimeGenerated desc
Sentinel suspicious sign-in activity
Hunt for suspicious or risky sign-in events linked to this issue (token theft, impossible travel, MFA bypass, etc.).
SigninLogs
| where TimeGenerated > ago(14d)
| where RiskState in ("atRisk", "confirmedCompromised")
    or AppDisplayName has_any ("Nuclei", "template")
    or UserDisplayName has_any ("Nuclei", "template")
| project TimeGenerated, UserDisplayName, UserPrincipalName, AppDisplayName, IPAddress, Location, RiskState, RiskDetail, ResultType, ResultDescription, ConditionalAccessStatus
| order by TimeGenerated desc
Exposure validation ideas
- Search asset inventory for affected vendor/product names and any CVE reference.
- Check internet-facing exposure through approved tools only: Shodan/Censys/GreyNoise links below are research starting points, not proof of exposure.
- Prioritise management interfaces, edge devices, identity/control-plane systems, and OT/ICS assets where relevant.
Detection / hunting ideas
- Review vendor logs for authentication failures, privilege changes, unexpected admin activity, and anomalous management-plane access.
- Search SIEM/EDR telemetry for product-specific process names, network services, and newly published indicators from primary sources.
- Monitor for scanner traffic or nuclei/metasploit module references once public exploit tooling appears.
Research links
- NVD
- CVE.org
- CISA KEV search
- GitHub code/advisory search
- GitHub repository search
- Exploit-DB search
- Packet Storm search
- AlienVault OTX search
- GreyNoise search
- Shodan search
- Censys search
Open questions
- Is there a primary vendor advisory with exact affected versions and fixed versions?
- Has CISA KEV, Shadowserver, GreyNoise, or a trusted vendor confirmed exploitation?
- Are there credible PoC repositories or only secondary reporting mentioning PoC?
- Is there underground/forum/leak-site discussion, or only public reporting?
Generated: 2026-06-18T16:20:07+00:00