CISA has ordered Federal Civilian Executive Branch agencies to patch an actively exploited Check Point VPN authentication-bypass flaw by June 11 after vendor reporting tied it to real-world attacks and at least one Qilin ransomware deployment.

CISA has added CVE-2026-50751 to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to patch the Check Point VPN flaw by June 11.

The move gives agencies roughly one day to remediate the issue after public reporting on June 10, and it reflects CISA’s view that the bug is being actively exploited in the wild. Public reporting named the Department of Homeland Security, the State Department and the Treasury Department among the agencies facing the deadline.

Check Point said the vulnerability affects certain Remote Access VPN and Mobile Access products. The company described it as an authentication-bypass issue that can allow a remote attacker to establish a VPN connection without a valid password.

That makes the bug especially sensitive in government environments. VPN systems often sit at the boundary between the internet and internal networks, so a successful bypass can give an attacker a path to sensitive systems, credentials and administrative access.

How the exploitation unfolded

Check Point said exploitation began on May 7, 2026. The company said it became aware of active zero-day exploitation by June 4 and publicly disclosed and fixed the issue on June 9.

According to the reporting reviewed here, the attacks appeared limited to several dozen targeted organizations globally. The same reporting said at least one compromise was used to deploy Qilin ransomware.

That detail matters because it suggests the flaw was not just being probed for access, but used operationally in a ransomware campaign. It also raises the risk that other attackers may try to copy the same technique if patching lags.

Why CISA moved fast

CISA uses the KEV catalog to push federal agencies toward faster remediation of vulnerabilities that are already known to be abused. Once a bug appears on the list, it becomes a priority issue for security teams and compliance programs.

In this case, the agency’s deadline effectively compresses normal patch cycles into an emergency response window. Public reporting characterized it as a one-day deadline, counted from the June 10 reports.

The fact that the flaw is tied to VPN access also increases the urgency. Remote-access products are high-value targets because they can expose a direct route into internal government systems if authentication can be bypassed.

What is still unknown

The public record reviewed so far does not identify which specific federal agencies have been hit, if any. There is also no public confirmation yet that the U.S. government itself was compromised through the flaw.

It is also unclear whether CISA issued only the KEV listing or a separate emergency directive with additional remediation language. Check Point has not, in the material reviewed here, publicly detailed broader indicators of compromise or a complete victim list.

More reporting may clarify whether other sectors were affected, whether additional ransomware groups are exploiting the same issue, and whether federal defenders have detected successful intrusions tied to the bug.

For now, the message from CISA is straightforward: federal civilian agencies need to treat CVE-2026-50751 as an active threat and patch it immediately.

Revision note

Initial automated publication with expanded chronology and impact context.