Your VPN Has No Password. Check Point Just Confirmed It. What Are You Doing About It?
The first attacks against Check Point’s Remote Access VPN started on 7 May 2026. The vendor noticed suspicious behaviour on 4 June. A patch arrived shortly after.
That is a 28-day exploitation window on a product used by businesses across the UK for remote working. Attackers did not need a password. They did not need credentials of any kind. They needed a VPN running a deprecated protocol called IKEv1, and they were in.
This week also brought three separate WordPress vulnerabilities allowing unauthenticated remote code execution. No login required on those either.
The signal is the same in both cases: the gap between exploitation and detection is not hours. It is weeks. And most small businesses are not looking.
The Check Point VPN Flaw: What the Data Actually Shows
CVE-2026-50751 affects Check Point’s Remote Access VPN and Mobile Access deployments configured to use IKEv1, the older of the two Internet Key Exchange protocols used to establish VPN tunnels. IKEv1 has been considered deprecated for years. IKEv2 replaced it. Many organisations simply never turned IKEv1 off.
The vulnerability allows an unauthenticated attacker to establish a VPN connection without valid credentials. Check Point confirmed active exploitation and stated that tens of customers were attacked via the flaw. The first observed attacks predated the patch by approximately a month.
Check Point says it identified the issue after observing suspicious behaviour and began an investigation that led to the vulnerability’s discovery. A hotfix was released, and the vendor has published an advisory with remediation guidance.
For UK small businesses: if your VPN infrastructure is managed by an MSP or IT provider, ask them directly whether IKEv1 is disabled and whether the relevant hotfix has been applied. Do not accept ‘we’ll look into it’ as an answer. Ask for confirmation in writing.
The WordPress Triple: Three RCE Flaws, No Authentication Required
Three separate WordPress vulnerabilities were published this week, each carrying a CVSS score of 9.8 and each allowing unauthenticated remote code execution.
CVE-2023-54352 affects the Seotheme WordPress theme. Attackers can upload malicious PHP files to the theme directory and execute arbitrary system commands via a publicly accessible shell at a known path.
CVE-2024-58348 affects the Background Image Cropper plugin version 1.2. An unauthenticated attacker can access the file upload endpoint directly and push PHP files to the plugin directory for immediate execution.
CVE-2024-58349 affects the Travelscape theme version 1.0.3. Insufficient validation in the theme’s upload functionality allows unauthenticated file upload and remote code execution.
All three share the same operational characteristic: no login required. An attacker who identifies your site is running one of these components can compromise your web server without any prior access.
WordPress powers a significant proportion of UK small business websites. Many of those sites run themes and plugins that are updated infrequently, managed through a cheap hosting panel, or simply forgotten. These are not theoretical vulnerabilities. They are publicly documented attack paths with exploitation code that will reach automated scanners within days of publication.
What the Pattern Tells Us
The Check Point VPN story and the WordPress trio share a structural characteristic that is worth naming precisely.
In both cases, the attack surface was created by configuration or components that should have been retired. IKEv1 is deprecated. The affected WordPress components have minimal maintenance histories. The common thread is not sophisticated nation-state tradecraft. It is legacy exposure that nobody audited.
Check Point’s 28-day exploitation window before vendor detection is not unusual. The NCSC’s own guidance on vulnerability management notes that the time between public vulnerability disclosure and active exploitation has compressed significantly. For some vulnerability classes, exploitation begins within hours of CVE publication. For others, attackers quietly exploit for weeks before defenders become aware.
For a 20-person business in the UK, the practical implication is this: your IT provider or MSP cannot be the last line of detection. By the time they notice something unusual in your logs, the window may already be measured in weeks.
How to Use This as a Competitive Advantage
If your business uses VPN for remote access and you can confirm to a client or prospective client that your configuration is audited, IKEv1 is disabled, and your patch cycle is under 72 hours for critical vulnerabilities, that is a verifiable security posture. Most businesses of comparable size cannot say any of that.
Supply chain security is a growing procurement requirement. Larger organisations increasingly ask their suppliers about patch management, remote access configuration, and incident detection capability. Being able to answer those questions with evidence, rather than a vague reassurance, positions you differently in competitive bids.
The same applies to your website. A WordPress site that is actively maintained, with plugins and themes on current versions, is a materially different risk profile from one that was last updated in 2024. If you handle client data through your website, that distinction matters under UK GDPR.
Making the Case to Your Board or Budget Holder
Three arguments grounded in this week’s intelligence.
The exploitation window is measured in weeks, not days. Check Point’s own disclosure confirms 28 days of active exploitation before detection. If you do not have logging and monitoring in place, you will not know you have been compromised until the damage is done. The cost of reactive incident response is substantially higher than the cost of proactive monitoring.
Deprecated protocols are not a theoretical risk. IKEv1 is not an obscure edge case. It is a commonly enabled default that many organisations have never audited. Asking your IT provider to confirm your VPN configuration is not a complex or expensive exercise. Not asking is a governance failure.
Website compromise has direct regulatory exposure. If an unauthenticated attacker gains code execution on your WordPress site and accesses customer data, that is a reportable breach under UK GDPR. The ICO’s enforcement record includes fines against organisations whose websites were compromised through unpatched known vulnerabilities. The defence of ‘we didn’t know’ does not hold when the CVE was publicly documented.
What to Do by End of Day
- Check your VPN protocol configuration. Ask your IT provider or MSP to confirm in writing that IKEv1 is disabled on your remote access VPN and that the relevant security patches have been applied. If they cannot answer that question today, that is itself a finding.
- Update WordPress immediately. Log in to your WordPress admin panel and update every plugin and theme to its current version. If you cannot do this yourself, instruct whoever manages your website to do it today. If your site runs Seotheme, Background Image Cropper, or Travelscape, treat this as urgent.
- Enable MFA on your VPN and remote access tools. The Check Point flaw bypassed password authentication. MFA would not have prevented exploitation of this specific vulnerability, but it significantly raises the bar for credential-based attacks that follow initial access. If MFA is not enabled on your VPN, that is the next item.
- Review your patch cycle with your IT provider. Ask them what their process is for critical vulnerability notifications and how quickly they apply patches rated CVSS 9.0 and above. If the answer is ‘we patch monthly’ and nothing else, that is not adequate for the current threat environment.
- Check your logging. If your business was compromised during the Check Point 28-day window, you need logs to know. Ask your IT provider whether VPN access logs are retained and reviewed. If the answer is no, that is a gap that needs closing.