When CISA issues an emergency directive, the message to every federal agency and every security team paying attention is to patch now. For CVE-2026-50751, a CVSS 9.3 authentication bypass in Check Point Remote Access VPN, that directive landed on June 21. despite exploitation beginning in early May. That, six-week active intrusion gap is not a footnote. It is the entire story.

The flaw itself is straightforward in the worst possible way. A logic error in the certificate-validation process, triggered when the deprecated IKEv1 key-exchange protocol is enabled, allows a remote attacker to establish a fully authenticated VPN session without a valid password. No phishing. No credential theft. No lateral movement required to reach the perimeter. The attacker walks through the front door, and the door logs it as a legitimate entry.

By the time Check Point disclosed the vulnerability on June 8, a Qilin ransomware affiliate had already used it to compromise a few dozen organizations worldwide. The post-access playbook was efficient, including Rclone for data exfiltration, the Tox protocol for command-and-control communication routed through disposable VPS infrastructure. Quiet, fast, and designed to complete the job before detection had a chance to matter.

The security product became the attack vector

There is a particular irony to CVE-2026-50751 that the industry needs to sit with. The device that was breached is not an unpatched workstation or a misconfigured cloud bucket. It is the VPN gateway, the product sold specifically to keep attackers outside the perimeter. The control designed to prevent unauthorized access became the mechanism of it.

This is not unique to Check Point, and it is not a criticism of any single vendor. It reflects a structural problem with perimeter-dependent security architecture. When the perimeter device is the trust anchor, compromising that device does not just breach the perimeter. It inherits the perimeter’s authority. Every downstream control, every identity verification, every behavior-based detection tool is now reasoning about a session it believes is legitimate, because the VPN said so.

That is the condition Qilin exploited. And patching the vulnerability, while absolutely necessary, does nothing to change the position of organizations that were breached during the May-June window. For them, the attacker is already operating as a trusted user. The CISA directive is not a remedy for those organizations. It is a message to everyone else.

Why the standard response falls short

The standard sequence after a disclosure like this is one we’ve all heard before—patch the affected systems, update detection signatures, review logs for indicators of compromise. While each of these steps is good practice, none of them solves the underlying problem.

Patching closes the door for future attackers, but it does not evict the ones already inside. Detection signatures help identify known post-exploitation behavior, but ransomware affiliates have demonstrated consistent operational discipline, using legitimate tools for exfiltration and standard protocols for command-and-control precisely because these approaches blend into normal traffic. Log review is valuable, but the attackers who exploited the vulnerability had weeks of access before anyone was looking.

The detect-and-respond model assumes that detection arrives before the damage is complete. Against a weaponized zero-day with a six-week head start, that assumption does not hold. By the time an alert fires, the data has moved. The ransomware is staged. The ransom clock has started.

Making the endpoint harder to exploit

The Check Point vulnerability forces a critical question: how do you stop payload execution when an attacker has already succeeded at authentication and bypassed every other defense?

It requires moving the defensive layer to the endpoint itself, at the point of execution, where the ransomware payload has to operate regardless of how access was obtained. Techniques that morph the runtime memory environment, transforming the structures that malware needs to find and use at execution time, stop the payload deterministically. The attacker can have authenticated credentials, a legitimate session, and weeks of undetected access. If the target environment does not look like what the payload expects, the payload fails.

This is not a replacement for patching. Organizations should apply the Check Point fix immediately, and they should treat any system with IKEv1 enabled during the May-June window as potentially compromised. But patching is the beginning, as the organizations that were inside the six-week exploitation window need a control that works after the perimeter is gone.

The lesson before the next directive

CISA will issue another emergency directive. There will be another authentication bypass, another perimeter device turned attack vector, another financially motivated threat actor with a head start measured in weeks. The patch-and-detect cycle will play out again, and organizations that had their exposure managed entirely at the perimeter will find themselves in the same position.

The lesson here is not that Check Point failed or that VPNs are over. It is that any architecture where a single authentication bypass gives an attacker operating authority over the entire environment has a structural problem that no patch resolves. Closing the door is necessary. Making sure the ransomware cannot detonate even after the attacker is inside is the part the industry still has not solved at scale.

That is the conversation the CISA directive should be starting, and mostly is not.

The post Why patch directives only go so far appeared first on CyberScoop.

The latest GitLab CE/EE updates address 13 vulnerabilities, including three high-severity defects.

The post GitLab Patches Code Execution, Information Disclosure Vulnerabilities appeared first on SecurityWeek.

The latest version of the open source data transfer tool resolves 18 medium and low-severity vulnerabilities.

The post 25-Year-Old Vulnerability Patched in Curl appeared first on SecurityWeek.

More than half of the bugs are use-after-free defects, which can potentially lead to remote code execution.

The post Chrome 149 Update Resolves 18 Severe Vulnerabilities appeared first on SecurityWeek.

A standard non-admin account is sufficient to conduct an attack that exploits legitimate OS behavior rather than software vulnerabilities.

The post macOS Weaknesses Chained to Silently Disable Endpoint Security Agents appeared first on SecurityWeek.

The flaws allow remote, unauthenticated attackers to make system changes, access underlying accounts, and inject commands.

The post Critical Ubiquiti Vulnerabilities in Attackers’ Crosshairs appeared first on SecurityWeek.

The security defects allow unauthenticated users to take control of the open source software supply chain.

The post Exploitable CI/CD Vulnerabilities Expose Millions of Repositories to Hijacking appeared first on SecurityWeek.

Attackers could abuse Dify's multi-tenant cloud service to read private chats, preview other tenants' documents, and reach internal APIs.

The post Data Exposure Flaws Threaten Dify AI Platform Used by 1 Million Apps appeared first on SecurityWeek.

Attackers can send crafted media files to execute code in any application that uses FFmpeg’s libavcodec library.

The post FFmpeg PixelSmash Flaw Allows RCE on Video Players, Media Servers, NAS Appliances appeared first on SecurityWeek.

Squidbleed, discovered with the aid of Claude Mythos Preview, has been described as a Heartbleed-style vulnerability. 

The post Decades-Old Squid Proxy Flaw ‘Squidbleed’ Can Expose User Data appeared first on SecurityWeek.

Vulnerable WordPress plugin iterations leak API keys, secrets, tokens, server information, and other data.

The post Attackers Exploit Gravity SMTP Plugin Flaw to Harvest Valuable WordPress Data appeared first on SecurityWeek.

CISA has given federal agencies only three days to patch CVE-2026-20253, which can be exploited for unauthenticated remote code execution.

The post Splunk Enterprise Vulnerability Exploited in Attacks Days After Disclosure appeared first on SecurityWeek.

Splunk patched an OS command injection in AI Toolkit, while Atlassian fixed dozens of flaws in third-party dependencies.

The post Atlassian, Splunk Patch Critical Vulnerabilities appeared first on SecurityWeek.

Insufficient validation of user input allows an attacker to gain access to the underlying OS and elevate their privileges to root.

The post Critical Command Execution Vulnerability Patched in Cisco ISE appeared first on SecurityWeek.

Critical flaws in NGINX could allow remote, unauthenticated attackers to cause a restart and potentially execute arbitrary code.

The post F5 Patches Critical, High-Severity NGINX Vulnerabilities appeared first on SecurityWeek.

Attackers are actively exploiting a pair of critical Fortinet vulnerabilities in FortiSandbox, a security product customers use to identify and defend against emerging threats across their network, according to researchers.

Fortinet disclosed and patched the vulnerabilities — CVE-2026-39808 and CVE-2026-39813 — in April, but it hasn’t confirmed exploitation. The company did not respond to a request for comment. 

VulnCheck said it first observed exploitation of CVE-2026-39808, an OS-command injection vulnerability, on June 9. Researchers at threat intelligence firm Defused confirmed exploitation of the same defect June 11, and CVE-2026-39813, a path-traversal vulnerability, on June 15. 

Simo Kohonen, founder and CEO of Defused, said the firm observed 49 exploitation events from 11 distinct IPs against the pair of defects over a six-day period. Attackers are also attempting to exploit a third FortiSandox vulnerability, CVE-2026-25089, which Fortinet disclosed and patched June 9, he added.

Researchers haven’t determined how many Fortinet customers are directly impacted, yet post-exploitation activity thus far, which includes verification and reconnaissance, usually precedes a heavier wave of attacks, Kohonen said. 

Defused traced the malicious activity to 13 sources originating from nine countries, including China, South Korea, Taiwan, India, Singapore, Germany, the Netherlands, Canada and Bulgaria. 

“The spread and the share proof-of-concepts point to multiple independent operators on commodity infrastructure, not one campaign,” Kohonen told CyberScoop.

Researchers said they haven’t observed evidence attackers are chaining the vulnerabilities together, but the exploits are functioning with one another by bypassing authentication, escalating privileges and allowing attackers to execute arbitrary commands.

The exploits, which multiple research firms have observed in honeypots, mark the early stages of another potential wave of attacks targeting Fortinet customers.

The Cybersecurity and Infrastructure Security Agency has flagged 26 Fortinet vulnerabilities in its known exploited vulnerabilities catalog since 2021. As of Wednesday, the agency hasn’t added any of the new Fortinet defects to its catalog.

Researchers warn that the vulnerabilities affect a significant device in enterprise security architecture. 

“Sandbox appliances are typically trusted systems used to analyze suspicious content and support broader detection workflows, which means a compromise could provide attackers with elevated access within a security sensitive environment,” Chris Doyle, head of security and compliance at JupiterOne, said in an email. 

Kohonen added: “FortiSandbox is high-value because it ingests from and connects to other Fortinet devices.”

The post Attackers hit pair of critical Fortinet vulnerabilities the vendor disclosed in April appeared first on CyberScoop.

The industrial automation giant has fixed security holes in Logix, CompactLogix, Flex, RSLinx, and FactoryTalk products.

The post Rockwell Automation Patches Vulnerabilities in ICS Controllers and Software appeared first on SecurityWeek.

Oracle has released its June 2026 Critical Security Patch Update to fix vulnerabilities in Communications, EBS, Enterprise Manager and other products.

The post Oracle’s Second Monthly Security Updates Deliver 245 Patches  appeared first on SecurityWeek.

The browser updates address multiple memory safety bugs that could potentially lead to remote code execution.

The post Chrome and Firefox Updated to Patch Critical, High-Severity Vulnerabilities appeared first on SecurityWeek.

The flaws allow attackers to execute arbitrary PHP code and gain root privileges on shared hosting servers.

The post Joomla, LiteSpeed Vulnerabilities Exploited in Attacks appeared first on SecurityWeek.