A CVSS 9.3 authentication bypass in Check Point’s VPN is being exploited by Qilin ransomware operators to walk onto corporate networks without a password. CISA gave federal agencies three days. The rest of the industry does not have that luxury either — the exploit has been active since early May.
Separately, Google shipped its fifth emergency Chrome patch of 2026 for an actively exploited zero-day, and researchers published a three-bug chain that grants unauthenticated root on Ubiquiti UniFi network management appliances. The through-line today is perimeter and endpoint exposure: VPN gateways, browsers, and network controllers all taking fire.
In the News
Check Point VPN Zero-Day Exploited by Qilin Ransomware
CVE-2026-50751 (CVSS 9.3) is an authentication bypass in Check Point Remote Access VPN and Mobile Access deployments that still use the deprecated IKEv1 key exchange protocol. The mechanism is straightforward and severe: an attacker can establish a fully authenticated VPN session without possessing valid credentials. No password, no MFA prompt — the IKEv1 handshake itself is broken.
Qilin ransomware operators have been exploiting this vulnerability since early May 2026, according to SecurityWeek’s reporting. That means at least a month of exploitation before public disclosure. Qilin is a ransomware-as-a-service operation known for double extortion — data exfiltration followed by encryption — and VPN access provides exactly the initial foothold they need for lateral movement across enterprise networks.
CISA added CVE-2026-50751 to the Known Exploited Vulnerabilities catalog and issued a Binding Operational Directive requiring federal agencies to remediate by June 11 — a three-day window that signals how seriously the government views the exposure. Any organization running Check Point RA VPN with IKEv1 should treat this as a drop-everything priority. The immediate mitigation for environments that cannot patch within hours is to disable IKEv1 entirely and enforce IKEv2 for all remote access sessions.
The broader lesson: IKEv1 has been deprecated for years. This is not the first time a legacy protocol left enabled “for compatibility” has become the front door for a ransomware operator. If your VPN gateway configuration still supports protocols you would not deploy fresh today, this is the week to clean that up.
What defenders should do: Patch Check Point gateways immediately. If patching requires a maintenance window, disable IKEv1 as a compensating control today. Audit VPN session logs from May 1 onward for sessions established without corresponding authentication events — that is the indicator of exploitation. MITRE ATT&CK: T1133 — External Remote Services, T1078 — Valid Accounts.
Google Patches Fifth Chrome Zero-Day of 2026
CVE-2026-11645 is the fifth actively exploited Chrome zero-day Google has patched this year — and it is only June. The vulnerability was reported by an anonymous researcher in late April, meaning it was exploited in the wild for approximately six weeks before the emergency update shipped. Google has not disclosed the vulnerability class, attack vector, or CVSS score, which is consistent with its policy of withholding details until a majority of the user base has updated.
Five exploited zero-days in six months establishes a clear pattern: Chrome (and by extension the Chromium engine powering Edge, Brave, Opera, and dozens of Electron apps) is a persistent, high-value target surface. For defenders, the actionable question is not whether Chrome has vulnerabilities — it always will — but whether your organization has visibility into browser versions running across managed and unmanaged endpoints. Chrome’s auto-update mechanism covers most managed desktops, but Chromium-based applications, kiosk systems, and developer environments frequently lag.
What defenders should do: Force-push Chrome 126+ across managed endpoints. Inventory Chromium-based applications (Electron apps, embedded browsers) that do not inherit Chrome’s auto-update. Endpoint detection tools that monitor browser-process behavior — child process spawning, anomalous memory operations — provide detection coverage independent of signature updates.
Ubiquiti UniFi OS: Three Bugs Chain to Unauthenticated Root
Researchers disclosed a three-vulnerability exploit chain against Ubiquiti UniFi OS servers that grants unauthenticated remote root access to network management appliances. UniFi controllers manage switches, wireless access points, and gateways across hundreds of thousands of SMB and distributed enterprise deployments worldwide. An attacker who compromises the management plane owns the network: VLAN configurations, firewall rules, inter-VLAN routing, and stored device credentials are all accessible.
All three vulnerabilities have patches available, but the operational reality is that UniFi deployments — often managed by a single IT generalist at a small business — update infrequently. The management interface is sometimes exposed directly to the internet, compounding the risk. BleepingComputer’s coverage confirms that the chain requires no authentication whatsoever.
What defenders should do: Patch UniFi OS to the latest firmware. Never expose the UniFi controller management interface to the internet — place it behind a VPN or restrict access to a management VLAN with network access control enforcement. Audit for unauthorized admin accounts or configuration changes on UniFi controllers. MITRE ATT&CK: T1190 — Exploit Public-Facing Application, T1098 — Account Manipulation.
Today’s Deep Dive — Supply Chain and AI Tooling Under Fire
Three items from today’s research converge on a single theme: the software you depend on to build, deploy, and manage systems is itself under attack.
LiteLLM command injection (CVE-2026-42271, CVSS 8.7). BerriAI’s LiteLLM is an AI gateway and proxy used to route LLM API calls. Any authenticated user — not just admins — can inject arbitrary OS commands on the host. CISA added this to the KEV catalog, which means exploitation is confirmed in the wild. If your organization is running LiteLLM as an internal AI proxy, the host it runs on is likely connected to sensitive infrastructure (API keys, model endpoints, internal services). Patch or isolate immediately. This is the supply chain risk in AI tooling that security teams warned about in 2025 — it is now a confirmed exploitation pathway, not a theoretical concern. MITRE ATT&CK: T1059.004 — Command and Scripting Interpreter: Unix Shell.
PyPI supply chain poisoning (Hades/Miasma). The Shai-Hulud variant compromised 19 PyPI packages across 37 wheels, collectively downloaded hundreds of thousands of times. The delivery mechanism — .pth files that auto-execute on Python startup — bypasses traditional package inspection. A parallel Miasma campaign hit NPM. Organizations building with Python or Node.js need SBOM visibility and dependency-pinning with hash verification. MITRE ATT&CK: T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain.
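The .pth auto-execution hook mentioned above is a documented interpreter feature rather than a bug: Python's site module appends ordinary .pth lines to sys.path, but executes any line that begins with "import " at every interpreter start. The following audit script is an added example (not from the brief or from the researchers who reported the Hades campaign) that lists every such executable line in a site-packages directory so it can be reviewed. The sample .pth contents it builds in a temporary directory are constructed for illustration; the path /opt/example-lib in them is a placeholder, not a real indicator.

```python
"""Audit *.pth files for lines Python will execute at interpreter startup.

Added example, not part of the original brief. site.addpackage() treats any
.pth line starting with "import " or "import\t" as code to exec(); all other
lines are just paths. Listing those lines gives a defender a quick review of
what runs silently every time Python starts on the host.
"""
import site
import tempfile
from pathlib import Path


def executable_pth_lines(directory):
    """Return (path, line_no, line) for every executable line in *.pth files."""
    findings = []
    for pth in sorted(Path(directory).glob("*.pth")):
        try:
            text = pth.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        for line_no, line in enumerate(text.splitlines(), 1):
            # Exactly the test site.py applies before calling exec() on the line.
            if line.startswith(("import ", "import\t")):
                findings.append((str(pth), line_no, line.rstrip()))
    return findings


def audit_installed_site_packages():
    """Audit the site-packages directories of the running interpreter."""
    dirs = list(getattr(site, "getsitepackages", lambda: [])())
    dirs.append(site.getusersitepackages())
    results = []
    for d in dirs:
        if Path(d).is_dir():
            results.extend(executable_pth_lines(d))
    return results


def build_demo_site_dir():
    """Create a temp directory with two constructed .pth files (illustration only)."""
    d = Path(tempfile.mkdtemp(prefix="pth-audit-"))
    # A normal .pth: only a path entry, nothing executed.
    (d / "benign-lib.pth").write_text("/opt/example-lib\n", encoding="utf-8")
    # A .pth mixing a path entry with an executable line (hypothetical content).
    (d / "suspect-lib.pth").write_text(
        "/opt/example-lib\nimport sys; sys.path.insert(0, '/opt/example-lib/hook')\n",
        encoding="utf-8",
    )
    return str(d)


if __name__ == "__main__":
    for path, line_no, line in executable_pth_lines(build_demo_site_dir()):
        print(f"{path}:{line_no}: {line}")
    for path, line_no, line in audit_installed_site_packages():
        print(f"{path}:{line_no}: {line}")
```

Run it on the demo directory first, then on the real interpreter; any executable line that does not belong to a package you deliberately installed (editable installs and some import hooks legitimately use this mechanism) deserves a closer look.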
Linux kernel nf_tables escape (CVE-2026-23111). A use-after-free in nf_tables allows an unprivileged local user to escalate to root and break out of containers. Patched in February 2026, but Exodus Intelligence published a full public exploit on June 8. Any container host running an unpatched kernel is now at elevated risk. MITRE ATT&CK: T1611 — Escape to Host.
The common thread: patch your infrastructure components — AI gateways, package managers, container hosts — with the same urgency you patch your firewalls.
Defender Action Items
- Check Point VPN: Patch CVE-2026-50751 or disable IKEv1 today. Audit VPN session logs from May 1 for unauthenticated sessions. Federal deadline is June 11.
- Chrome: Force-push Chrome 126+. Inventory all Chromium-based apps across the fleet.
- UniFi OS: Update firmware immediately. Restrict controller management interface to a dedicated management VLAN behind VPN.
- LiteLLM: Patch CVE-2026-42271 or isolate the host. Rotate any API keys stored on the LiteLLM server.
- Linux kernel: Patch CVE-2026-23111 on container hosts. The public exploit dropped June 8 — the clock is ticking.
- PyPI/NPM: Audit dependencies against known-compromised packages in the Hades/Miasma campaign. Enforce hash-pinned dependency files.
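Hash-pinned dependency files only help if every entry is actually pinned and hashed; pip's --require-hashes mode will refuse the whole install if one line is missing a --hash, so it pays to catch that before a build. The checker below is an added example (not from the brief or from pip itself) that reads a requirements file the way pip does, joining backslash-continued lines and ignoring comments, and reports entries that are not pinned with == or carry no --hash. The requirements text is constructed and the sha256 value in it is a placeholder, not a real digest.

```python
"""Report requirements-file entries that are unpinned or lack a --hash.

Added example, not part of the original brief. A requirements file that
passes this check can be installed with `pip install --require-hashes -r`,
which makes pip verify every downloaded artifact against the listed digest.
"""
import re

# Constructed sample; the sha256 digest is a placeholder, not a real hash.
SAMPLE_REQUIREMENTS = """\
# constructed example requirements file
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
urllib3>=2.0
certifi==2026.1.1
"""

# name, optional [extras], then an exact == pin.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*==\s*([^\s;]+)")
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")


def logical_lines(text):
    """Strip comments and join backslash-continued lines as pip does."""
    lines, buf = [], ""
    for raw in text.splitlines():
        # A '#' at line start or after whitespace begins a comment.
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(buf.strip())
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return lines


def check_requirements(text):
    """Return (entry, problem) pairs for entries that would fail hash-pinned installs."""
    problems = []
    for line in logical_lines(text):
        if line.startswith("-"):
            continue  # pip options such as -r or --index-url, not requirements
        if not PIN_RE.match(line):
            problems.append((line, "not pinned with =="))
        elif not HASH_RE.search(line):
            problems.append((line, "no --hash"))
    return problems


if __name__ == "__main__":
    for entry, problem in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{problem}: {entry}")
```

On the sample, urllib3 is flagged as unpinned and certifi as unhashed; requests passes. In a CI pipeline, a non-empty result should fail the job before any package is fetched.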
Detection Spotlight
Check Point VPN exploitation detection — look for VPN sessions established without a corresponding successful authentication event. In Splunk, query Check Point gateway logs for IKEv1 session completions that lack a preceding auth success:
index=checkpoint sourcetype="cp_log" action="VPN" ike_version="IKEv1"
| eval session_time=_time
| join type=left src_ip
    [ search index=checkpoint sourcetype="cp_log" action="Authentication" status="Success"
      | stats latest(_time) as auth_time by src_ip ]
| where isnull(auth_time) OR (session_time - auth_time > 300)
| table src_ip, dst_ip, session_time, auth_time
| sort -session_time
The join must be a left join (type=left); Splunk's default inner join drops every session without a matching auth event, which are exactly the rows you want, so isnull(auth_time) would never match. The subsearch collapses auth events to the latest success per source IP, so the output is IKEv1 VPN sessions from a source with no authentication success logged, or whose most recent success is more than five minutes old — the signature of CVE-2026-50751 exploitation. False positives should be near zero in environments with functioning auth logging. If auth logging itself is missing, that is a separate problem worth investigating immediately.
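The same correlation can be run outside the SIEM, for example over an exported log file during incident scoping. The script below is an added example (not from the brief or from Check Point) that implements the stricter form of the check: for each IKEv1 session it looks up the most recent authentication success from the same source IP that precedes the session, and flags the session when there is none or it is older than 300 seconds. The line format, field names (action, ike_version, src, dst, status) and the log lines themselves are constructed for illustration; real Check Point exports use different field names, so adapt parse_line accordingly.

```python
"""Flag IKEv1 VPN sessions with no recent preceding authentication success.

Added example, not part of the original brief. Unlike a join on the latest
auth event, this picks the last auth success *before* each session, so an
auth that arrives after the session does not mask it.
"""
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timezone

AUTH_WINDOW_SECONDS = 300

# Constructed sample lines: "<ISO-8601 UTC> <action> key=value ...".
SAMPLE_LOG = """\
2026-06-08T08:00:00Z Authentication status=Success src=203.0.113.10
2026-06-08T08:01:30Z VPN ike_version=IKEv1 src=203.0.113.10 dst=198.51.100.1
2026-06-08T08:05:00Z VPN ike_version=IKEv1 src=203.0.113.20 dst=198.51.100.1
2026-06-08T08:10:00Z Authentication status=Success src=203.0.113.30
2026-06-08T08:20:00Z VPN ike_version=IKEv1 src=203.0.113.30 dst=198.51.100.1
2026-06-08T08:25:00Z VPN ike_version=IKEv2 src=203.0.113.40 dst=198.51.100.1
2026-06-08T08:30:00Z VPN ike_version=IKEv1 src=203.0.113.50 dst=198.51.100.1
2026-06-08T08:30:10Z Authentication status=Success src=203.0.113.50
"""


def parse_line(line):
    """Parse one constructed log line into a dict with an epoch 'time'."""
    ts, action, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": when.timestamp(), "action": action, **fields}


def find_unauthenticated_ikev1_sessions(log_text, window=AUTH_WINDOW_SECONDS):
    """Return IKEv1 sessions lacking an auth success within `window` seconds before them."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]

    # Sorted auth-success timestamps per source IP, for bisect lookups.
    auth_times = defaultdict(list)
    for e in events:
        if e["action"] == "Authentication" and e.get("status") == "Success":
            auth_times[e["src"]].append(e["time"])
    for times in auth_times.values():
        times.sort()

    findings = []
    for e in events:
        if e["action"] != "VPN" or e.get("ike_version") != "IKEv1":
            continue
        times = auth_times.get(e["src"], [])
        idx = bisect_right(times, e["time"])  # auths at or before the session
        last_auth = times[idx - 1] if idx else None
        if last_auth is None or e["time"] - last_auth > window:
            findings.append({
                "src": e["src"],
                "dst": e.get("dst"),
                "session_time": e["time"],
                "last_auth": last_auth,  # None when no prior auth success exists
            })
    return findings


if __name__ == "__main__":
    for f in find_unauthenticated_ikev1_sessions(SAMPLE_LOG):
        age = "none" if f["last_auth"] is None else f"{f['session_time'] - f['last_auth']:.0f}s ago"
        print(f"{f['src']} -> {f['dst']} IKEv1 session, last auth success: {age}")
```

On the sample data, 203.0.113.10 is clean (auth 90 seconds earlier), 203.0.113.20 has no auth at all, 203.0.113.30's only auth is 10 minutes old, the IKEv2 session from 203.0.113.40 is out of scope, and 203.0.113.50's auth arrives after the session, so three sessions are flagged. The bisect lookup keeps the check linear-ish even over millions of exported events.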
References
- Check Point VPN Zero-Day Exploited in Qilin Ransomware Attacks — SecurityWeek
- Google Patches Fifth Chrome Zero-Day Bug Exploited in Attacks This Year — BleepingComputer
- Critical UniFi OS Bug Lets Hackers Gain Root Without Authentication — BleepingComputer
- LiteLLM Flaw CVE-2026-42271 Exploited — The Hacker News
- One-Character Linux Kernel Flaw Enables Container Escape — The Hacker News
- Hades PyPI Attack: 19 Packages Poisoned — The Hacker News
- VerdantBamboo Deploys BSD Variant of BRICKSTORM Backdoor — The Hacker News
- French Govt Messaging Service Breached in Account Hijacking Attack — BleepingComputer
- AI Brands as Bait: How Threat Actors Use AI Hype in Social Engineering — Microsoft Security Blog
- A Security Raises $37M for Autonomous Offensive Security Platform — SecurityWeek
- WhatsApp Says NSO Targeted Users With Attacks Against Court Order — The Record