Intruvent EDGE: Ransomware Just Started Using Zero-Days. The Patch Window Is Now Gone.
The most prolific ransomware crew of 2026 spent zero-day money to get inside your VPN. Here is what that changes for how you defend the edge.
For years, the deal with ransomware was simple. The affiliates were opportunists. They swept the internet for unpatched Fortinet boxes, aging Veeam servers, and SonicWall appliances that someone forgot to update. If you patched inside the vendor’s window and stayed current with CISA’s Known Exploited Vulnerabilities catalog, you were faster than the criminals. That was the whole strategy: do not be the slowest gazelle.
In June 2026, the most prolific ransomware operation on earth broke that deal. Qilin exploited a Check Point VPN vulnerability that was live in the wild for a full month before the vendor disclosed it. There was no patch to be behind on. The window you were supposed to beat did not exist yet.
This is the capability that used to belong to nation-states. It now belongs to a criminal enterprise that claimed roughly 141 organizations in a single trailing 30-day window, more than double its closest competitor. Here is what happened, why it matters more than the CVE score suggests, and what to do about an edge device you have been treating as trustworthy.
What Happened
On June 8, 2026, Check Point disclosed CVE-2026-50751, a critical authentication bypass in its Security Gateway product. The flaw is pretty technical, but the short version is that an unauthenticated remote attacker can jump onto that system without a valid password.
The disclosure date is not the important date. The important date is May 7, one month earlier, which is when exploitation in the wild actually began. For a full month, attackers were bypassing authentication on internet-facing Check Point VPNs while the vulnerability had no CVE, no advisory, and no hotfix. That is the definition of a zero-day: exploited before the defender had any way to know it existed.
The attribution is not ours to claim. Check Point Research assesses with medium confidence that the actor is a financially motivated operator using Qilin ransomware, based on binary analysis of the ELF payloads the attacker pulled from its own infrastructure after each bypass. Rapid7 independently corroborated two high-confidence cases, and watchTowr Labs published the root-cause analysis of the flaw. If that attribution holds, this is the first confirmed instance of Qilin operating on a zero-day, which reframes the group from a fast follower into something closer to an advanced persistent threat with a profit motive.
Why a Zero-Day Changes the Ransomware Math
To understand why this matters, look at how ransomware affiliates have historically gained initial access. The playbook was n-day exploitation: wait for a vulnerability to be disclosed, reverse-engineer the patch, and race to exploit the organizations that had not applied it yet. The entire model depended on defender slowness. Akira built a franchise on exactly this, sweeping unpatched SonicWall (CVE-2024-40766) and FortiOS (CVE-2024-55591) appliances that lagged on updates.
Against n-day exploitation, patching works. It is a race, and diligent teams win it. The organizations that get hit are the ones that fell behind.
Zero-day exploitation inverts the entire relationship. There is nothing to patch, no advisory to read, no KEV entry to prioritize. Every Check Point Remote Access VPN running IKEv1 was exploitable on May 7, and the most current, most diligent, most well-resourced security team in the world was exactly as exposed as the one that never patches anything. Speed stopped being a defense.
This capability is expensive. Developing or acquiring a working zero-day against enterprise VPN infrastructure implies either in-house exploit development or a purchase from an initial access broker with serious resources. Ransomware groups have historically not spent money this way because they did not need to: n-day exploitation was cheap and it worked. Qilin choosing to operate at this level is a signal about where the economics of the top-tier ransomware operations have gone.
Who Is Qilin
Qilin has held the top of the ransomware leaderboard for five straight months through May 2026. The numbers, drawn from public leak-site tracking, are staggering. In one trailing 30-day window they claimed to have hit 141 organizations across at least 25 countries, more than double the next-most-active group. They posted 101 victims in May alone, the fifth consecutive month above 100, for 546 claimed victims through the first five months of the year. One caveat that public trackers stress: Qilin averages roughly 46 days between an attack and the leak-site listing, so today’s numbers reflect intrusions from one to two months ago and June’s total is still filling in.
Three structural facts make Qilin more dangerous than the raw victim count suggests.
It runs as a cartel. Since September 2025, Qilin has operated alongside LockBit and DragonForce in a shared arrangement, pooling affiliates and infrastructure. An affiliate who breaks into your network may deploy whichever of the three encryptors is operationally convenient. This also insulates the operation against takedown pressure, because dismantling one brand does not remove the shared affiliate pool or tooling.
It pays affiliates well. Qilin reportedly offers operators a revenue split as high as 85 percent, which pulls skilled affiliates out of defunct operations and concentrates talent. A group that attracts the best affiliates and now supplies them with a VPN zero-day is a materially different threat than a commodity ransomware brand.
It targets the edge. Qilin’s access pattern centers on internet-facing appliances: VPNs, backup infrastructure, and remote access gateways. CVE-2026-50751 fits this pattern precisely, and Check Point gateways sit at the IT and OT boundary in energy utilities, manufacturers, and industrial operators. An authentication bypass on that device is unauthenticated access to the exact chokepoint that is supposed to enforce perimeter trust.
Why Traditional Controls Miss the Front End of This Attack
The encryption stage of a Qilin attack is loud and obvious. The initial access stage, through this vulnerability, is quiet in a way that defeats most of the controls organizations rely on.
The authentication looks successful because it is. The attacker establishes a valid VPN session. From the gateway’s perspective, a Remote Access connection was negotiated and accepted. There is no failed-login spike to alert on, because the bypass produces a successful authentication event, not a brute-force pattern.
The vulnerable protocol is one most teams forgot they were running. IKEv1 is deprecated. Many organizations enabled it years ago for legacy client compatibility and never turned it off. It sits in the configuration, unused and unwatched, until it becomes the entry point.
Patch-cadence metrics gave false comfort. A team measuring itself on mean-time-to-patch against KEV deadlines looked healthy through the entire month of exploitation. There was nothing to patch. The metric that was supposed to measure exposure was blind to it.
The edge device is trusted by design. The VPN gateway is the thing that establishes trust for everything behind it. Once an attacker is through it with a valid session, they are inside the boundary that most internal monitoring assumes is friendly.
Detection and Hunting
Because there was a month of pre-disclosure exploitation, patching now is necessary but not sufficient. If you run Check Point Remote Access VPN with IKEv1, you must hunt the pre-patch window, not just apply the hotfix. The queries below are written generically. Adapt field names to your VPN and SIEM schema.
Start at the network layer. The exploit lives in a single malformed IKEv1 packet. watchTowr Labs traced the root cause to the VPNExtFeatures Vendor ID payload: the gateway reads four attacker-controlled trailing bytes and writes them straight into an authentication flag register, letting the client set a bit that disables signature verification. Enable the Check Point IPS signatures released with the hotfix so the gateway rejects the crafted Vendor ID. watchTowr also published a detection artifact generator (their watchTowr-vs-Check-Point-CVE-2026-50751 tool) that safely tests whether a gateway still accepts the malicious payload, which is the fastest way to confirm your remediation actually took.
DETECTION ONLY: VPN Sessions Established Over IKEv1 (May 7 Onward)

-- Surface Remote Access / Mobile Access sessions negotiated over IKEv1
-- since the start of the exploitation window. IKEv1 should be rare or
-- absent in a modern deployment; every hit deserves review.
index=vpn sourcetype=checkpoint
(action=session_established OR event=login)
ike_version="IKEv1"
earliest="05/07/2026:00:00:00"
| stats count, values(src_ip) as src_ips,
min(_time) as first_seen, max(_time) as last_seen
by user, gateway
| sort - count

DETECTION ONLY: Successful VPN Auth Without a Preceding Credential Event

-- A bypass yields a successful session with no password or MFA event
-- in front of it. Collect session and auth events together, group by
-- user + source, and flag any that established a session but never
-- produced a credential event. Correlate on a session/connection ID
-- instead of user+src_ip if your logs carry one (more precise).
index=vpn sourcetype=checkpoint
(action=session_established OR event=mfa_challenge OR event=password_auth)
earliest="05/07/2026:00:00:00"
| stats sum(eval(if(action="session_established",1,0))) as sessions,
sum(eval(if(event="mfa_challenge" OR event="password_auth",1,0))) as creds,
min(_time) as first_seen, max(_time) as last_seen
by user, src_ip
| where sessions > 0 AND creds = 0
| table first_seen, last_seen, user, src_ip, sessions

DETECTION ONLY: Post-VPN Lateral Movement From Gateway Client Pool (KQL)

// New internal connections originating from VPN client-pool addresses
// reaching domain controllers, backup servers, or hypervisor management.
// ipv4_is_in_range() does the CIDR match; a plain string compare will not.
DeviceNetworkEvents
| where Timestamp >= datetime(2026-05-07)
| where ipv4_is_in_range(LocalIP, "10.10.20.0/24") // set to your VPN client pool
| where RemoteIPType == "Private"
| where RemotePort in (3389, 445, 5985, 902, 443) // RDP, SMB, WinRM, ESXi, HTTPS
| summarize Connections=count(), Targets=make_set(RemoteIP)
by LocalIP, bin(Timestamp, 1h)
| where Connections > 20

All three queries are detection and triage aids. They will surface legitimate remote access alongside anomalies. Review the results with an analyst. Do not wire them to automated blocking, and do not block VPN client-pool ranges at the network level, because doing so will disrupt legitimate remote users.
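The correlation logic behind the first two queries, as an added Python example that is not part of the original post and not Check Point's or Intruvent's code: it runs the same two rules over a few constructed JSON-lines events so you can check them before porting to your SIEM schema. The field names (time, user, src_ip, event, action, ike_version) are assumptions that mirror the generic queries above, not Check Point's native log format.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Start of the in-the-wild exploitation window (May 7, 2026).
WINDOW_START = datetime(2026, 5, 7, tzinfo=timezone.utc)
CREDENTIAL_EVENTS = {"password_auth", "mfa_challenge"}
# Constructed sample events (not real gateway logs); field names follow the
# generic schema the post's queries assume, not Check Point's native format.
SAMPLE_LOG = """\
{"time": "2026-05-06T08:00:00Z", "user": "alice", "src_ip": "203.0.113.10", "event": "password_auth", "ike_version": "IKEv2"}
{"time": "2026-05-06T08:00:02Z", "user": "alice", "src_ip": "203.0.113.10", "event": "mfa_challenge", "ike_version": "IKEv2"}
{"time": "2026-05-06T08:00:05Z", "user": "alice", "src_ip": "203.0.113.10", "action": "session_established", "ike_version": "IKEv2"}
{"time": "2026-05-09T02:14:11Z", "user": "svc-backup", "src_ip": "198.51.100.77", "action": "session_established", "ike_version": "IKEv1"}
{"time": "2026-05-12T09:30:00Z", "user": "bob", "src_ip": "203.0.113.22", "event": "password_auth", "ike_version": "IKEv1"}
{"time": "2026-05-12T09:30:03Z", "user": "bob", "src_ip": "203.0.113.22", "action": "session_established", "ike_version": "IKEv1"}
"""

def parse_events(text):
    """Parse JSON-lines events; timestamps become timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
            events.append(ev)
    return events

def is_session(ev):
    return ev.get("action") == "session_established"

def ikev1_sessions(events):
    """Query 1: IKEv1 sessions since the window start, counted per (user, src_ip)."""
    hits = defaultdict(int)
    for ev in events:
        if is_session(ev) and ev.get("ike_version") == "IKEv1" and ev["time"] >= WINDOW_START:
            hits[(ev["user"], ev["src_ip"])] += 1
    return dict(hits)

def sessions_without_credentials(events):
    """Query 2: pairs with a session in the window but no password/MFA event in front of it."""
    sessions, creds = defaultdict(int), defaultdict(int)
    for ev in (e for e in events if e["time"] >= WINDOW_START):  # hunt window only
        key = (ev["user"], ev["src_ip"])
        if is_session(ev):
            sessions[key] += 1
        elif ev.get("event") in CREDENTIAL_EVENTS:
            creds[key] += 1
    return sorted(key for key, n in sessions.items() if n > 0 and creds[key] == 0)
```

In the sample data, bob's IKEv1 session is surfaced by the first rule but cleared by the second because a password event precedes it; svc-backup is flagged by both, which is the pattern worth an analyst's time.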
What You Should Do
Immediate (Today)
Apply the Check Point hotfix for CVE-2026-50751 across every Security Gateway running Remote Access or Mobile Access. Reference Check Point advisory sk185033.
Disable IKEv1. If any gateway still negotiates IKEv1, turn it off and move remaining clients to IKEv2. The deprecated protocol is the vulnerable surface. Removing it closes the door independent of patch status.
Hunt the May 7 to June 8 window. Run the queries above. Assume the appliance may have been reached before you patched, and look for the evidence rather than trusting the hotfix to be retroactive. It is not.
Force-reset credentials and invalidate active VPN sessions if you find any IKEv1 session you cannot tie to a known user, then treat it as a potential intrusion and open an incident.
This Week
Inventory every internet-facing remote access and edge appliance, not only Check Point. VPN concentrators, backup servers, and management interfaces are the assets ransomware groups now buy zero-days to reach.
Segment the VPN client pool away from crown-jewel systems. Domain controllers, backup infrastructure, and hypervisor management should not be reachable directly from a freshly established VPN session without additional authentication.
Verify backup immutability and recovery isolation. Qilin deletes shadow copies and inhibits recovery. Confirm at least one backup tier is offline or immutable and test that you can actually restore from it.
Instrument the edge for behavior, not just patch state. Feed VPN session logs into your SIEM and baseline normal session origins and post-connection behavior so a bypass session stands out even when the authentication looks clean.
Going Forward
Retire the patch-cadence-as-safety assumption. Mean-time-to-patch remains a useful hygiene metric, but it measures exposure to n-day threats only. Against a ransomware group with zero-day capability, it is silent. Add pre-disclosure hunting and edge-behavior monitoring to your program so your assurance does not depend on a patch existing.
Treat edge appliances as pre-breach. Assume the internet-facing device can be reached by an unauthenticated attacker at any time and design what sits behind it accordingly. Defense in depth behind the VPN is the control that survives a zero-day; perimeter trust is the control that does not.
Track the ransomware cartels as capability ecosystems. Qilin, LockBit, and DragonForce share affiliates and tooling. A new technique proven by one becomes available to all. Watch the cartel, not the brand on the ransom note.
The Bigger Picture
The comfortable story about ransomware was that it targeted the careless. The groups were opportunists, the reasoning went, and opportunists take the easy target. Keep your patches current, keep your KEV deadlines, keep your appliances updated, and the criminals would move on to someone slower. For a long time that story was mostly true.
CVE-2026-50751 is the moment that story stopped being reliable. When the most prolific ransomware operation of the year is willing to spend zero-day money to get inside your VPN a month before anyone knows the flaw exists, being current is no longer the same as being safe. The defenders who patched on day one and the defenders who never patch were equally exposed for the entire month of May.
This does not mean patching is pointless. It means patching is table stakes, and the real defensive posture has moved past it. The organizations that weather this shift will be the ones that stopped trusting their edge devices, segmented aggressively behind them, protected their recovery path, and learned to hunt for the quiet successful login rather than the loud failed one. The organizations that keep measuring their safety by how fast they close a window will keep being surprised by the attacks that never opened one.
Nation-state tradecraft has been trickling down to criminal operations for a decade. This is the trickle becoming a stream. Plan for the version of ransomware that does not wait for your patch cycle, because it is already here and it is claiming more than a hundred organizations a month.
Indicators of Compromise
Source: The atomic indicators (IP addresses and file hashes) in this section are published by Check Point Research in advisories sk185033 and sk185035. The behavioral and host indicators are drawn from Check Point, Rapid7, and watchTowr Labs reporting. Intruvent has aggregated and tiered them for operational use; we did not independently source them from our own casework.
Check Point updates its list over time, so treat the primary advisory as authoritative and pull the current version before you operationalize anything here.
⚠ Blocking Guidance (read before you act)
Sources
Check Point Research, state-of-exploitation analysis and Qilin attribution (medium confidence, binary analysis), June 2026
Check Point advisories and hotfix, support references sk185033 and sk185035 (mitigation: IKEv2-only, mandatory machine certificate, IPS signatures; atomic IOCs)
NVD, CVE-2026-50751: nvd.nist.gov/vuln/detail/CVE-2026-50751 (CVSS 9.3, CWE-287)
CISA Known Exploited Vulnerabilities Catalog, entry added June 8, 2026 (known ransomware campaign use, federal due date June 11)
BleepingComputer, “Check Point links VPN zero-day attacks to Qilin ransomware gang,” June 2026
SecurityWeek, “Check Point VPN Zero-Day Exploited in Qilin Ransomware Attacks,” June 2026
Rapid7 emergent threat response, CVE-2026-50751 (two high-confidence exploitation cases)
watchTowr Labs, “Marking Your Own Homework,” root-cause analysis and detection artefact generator (watchTowr-vs-Check-Point-CVE-2026-50751)
Help Net Security (exploitation and PoC coverage, June 8 and June 12, 2026) and The Hacker News, June 8, 2026
Breachsense May 2026 ransomware report and Privacy Insight Solutions Qilin profile (victim volume, leaderboard, 46-day listing lag)
Attribution note: the CVE-2026-50751-to-Qilin linkage is Check Point Research’s medium-confidence assessment, independently corroborated by Rapid7 and watchTowr Labs. Qilin victim counts are derived from public leak-site tracking (Breachsense, Privacy Insight Solutions, Comparitech), which tends to run high, and are presented as claimed figures.