Cyber Centre Daily Advisory Digest — 2026-06-09 (2 advisories)

What Happened

The Canadian Centre for Cyber Security has warned about two critical security flaws that attackers are currently exploiting. The first affects Check Point VPNs and firewalls, allowing attackers to bypass authentication and potentially access internal networks. The second affects Google Chrome web browsers. Because both flaws are actively being used in real-world attacks, it is crucial for organizations and individuals to update their Check Point systems and Google Chrome browsers immediately to stay protected.

Key Takeaways

• Check Point VPNs and Firewalls are under active exploitation due to a critical authentication bypass vulnerability (CVE-2026-50751).
• Google Chrome has an actively exploited vulnerability (CVE-2026-11645) requiring immediate updates.
• CISA has added the Check Point vulnerability (CVE-2026-50751) to its Known Exploited Vulnerabilities (KEV) database.

Affected Systems

• Check Point Mobile Access / SSL VPN
• Check Point Remote Access VPN
• Check Point Spark Firewall
• Check Point Security Gateways
• Google Chrome for Desktop (Windows/Mac versions prior to 149.0.7827.102/.103)
• Google Chrome for Desktop (Linux versions prior to 149.0.7827.102)

Vulnerabilities (CVEs)

• CVE-2026-50751
• CVE-2026-11645

Attack Chain

Attackers are actively exploiting an authentication bypass vulnerability (CVE-2026-50751) in Check Point VPN and firewall products to gain unauthorized access to target networks. Concurrently, a separate exploit in the wild targets a vulnerability (CVE-2026-11645) in Google Chrome, likely to achieve client-side execution. Specific post-exploitation activities, payloads, and lateral movement techniques are not detailed in the advisory.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

No specific detection rules or queries are provided in the advisory.

Detection Engineering Assessment

EDR Visibility: Low — The advisory only discusses vulnerabilities, not specific malware payloads or post-exploitation behaviors that EDR would typically catch. Network Visibility: Medium — Network appliances might detect anomalous authentication attempts or exploit payloads targeting the Check Point VPN, but specific signatures are not provided. Detection Difficulty: Hard — Without specific IOCs or exploit signatures, detecting the exploitation relies on identifying anomalous access patterns or generic exploit behaviors.

Required Log Sources

• VPN authentication logs
• Firewall traffic logs
• Web proxy logs
• Endpoint process creation logs

Hunting Hypotheses

Control Gaps

• Lack of timely patching for edge devices
• Browser update enforcement

Key Behavioral Indicators

• Anomalous VPN logins
• Chrome process anomalies

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Apply the latest security updates provided by Check Point for Mobile Access, Remote Access VPN, Spark Firewall, and Security Gateways immediately.
• Update Google Chrome to version 149.0.7827.102/.103 for Windows/Mac and 149.0.7827.102 for Linux.

Infrastructure Hardening

• Evaluate whether access to VPN management interfaces can be restricted to trusted internal IP addresses only.
• Consider implementing strict network segmentation to limit the blast radius if a perimeter VPN device is compromised.

User Protection

• Ensure automated browser updates are enabled and enforced across all user endpoints.
• If supported by your tooling, consider monitoring endpoints for anomalous behavior originating from web browsers.

Security Awareness

• Remind users to restart their browsers when prompted to ensure pending updates are fully applied.

MITRE ATT&CK Mapping

• T1190 - Exploit Public-Facing Application
• T1203 - Exploitation for Client Execution