Most of what I write about for small businesses is the human side of security: phishing, impersonation, the people problems. This one is different, and more urgent in the short term. Over the past few days, the U.S. Cybersecurity and Infrastructure Security Agency added several vulnerabilities to its Known Exploited Vulnerabilities catalog, the list of flaws confirmed to be under active attack right now, and the standouts are exactly the kind of devices that sit on the edge of your network: a critical Check Point VPN flaw and an Ivanti Sentry gateway flaw, with a Chrome browser bug alongside them.
If your eyes glaze at CVE numbers, here is the one sentence that matters: the equipment that connects your office to the internet is being attacked this week, and if yours is one of the affected models and is not patched, you are exposed to exactly the kind of break-in that starts a ransomware case. Let me explain why edge devices are such a prize, what specifically is going on, and the short list of things to do.
Why your VPN and firewall are the real prize
There is a hierarchy of targets in an attack. A vulnerability on a single employee's laptop is useful to a criminal but limited: they have to get the malware onto that machine, and they get one machine. A vulnerability on your firewall, VPN, or gateway is a different category entirely, because those devices sit directly on the public internet and control access to everything behind them. When one of them has an unauthenticated flaw, meaning the attacker does not even need a password, a criminal anywhere in the world can reach in and walk straight onto your network. No phishing email, no malicious attachment, no employee mistake required.
This is why so many small-business ransomware cases, when you trace them back, do not start with a clicked link at all. They start with an exposed VPN or firewall that had a known flaw nobody patched. The edge device is the unlocked front door, and attackers scan the entire internet looking for it. That is the context for this week's advisories.
What's actually on the list this week
- Check Point Remote Access VPN — CVE-2026-50751, severity 9.3 out of 10. A flaw in the older IKEv1 VPN configuration lets an unauthenticated attacker bypass authentication on Remote Access VPN and Mobile Access gateways. It is being actively exploited, and reporting has tied this class of VPN flaw to ransomware activity. If you run Check Point gear, this is an emergency-grade patch.
- Ivanti Sentry — CVE-2026-35273. An OS command-injection flaw that lets an unauthenticated, remote attacker run commands as root, which is total control of the gateway. Ivanti products have been a repeated target over the past couple of years, and this one was added to the actively-exploited catalog this week.
- Chrome / Chromium browser — CVE-2026-11645. Not an edge device, but worth grouping in: an exploited flaw in the browser engine behind Chrome and Edge. The fix installs through the browser's normal update (Edge pulls the same fix through its own Microsoft updater), but it only takes effect after you fully close and reopen the browser, which a lot of people never do. Restart your browser today.
You do not need to memorize the CVE numbers. The pattern is the point: perimeter devices and the browser, the two places that face the outside world most directly, are where this week's active exploitation is concentrated.
The bigger lesson: the KEV is your "patch this first" list
Here is a free, high-value habit most small businesses have never heard of. CISA's Known Exploited Vulnerabilities catalog, the KEV, is a continually updated list of the flaws that are actually being used in attacks, filtered down from the tens of thousands of vulnerabilities disclosed every year to the few hundred a year that criminals are genuinely weaponizing. It is published as a web page and as JSON and CSV feeds, so it can be checked by hand or by script. Federal agencies are required to patch KEV items on a short clock; for a small business, it is simply the best-prioritized to-do list in security. You do not have to chase every vulnerability, which is an impossible task; you have to make sure the ones on this list, especially in software and devices you run, get fixed fast. The patch-cadence discipline behind that is the same one in our June Patch Tuesday post and the broader 10 essentials.
How fast does this turn into a real attack?
Days, sometimes less. The grim rhythm of an edge-device flaw goes like this: the vulnerability is disclosed, the patch is released, and within a very short window attackers are scanning the whole internet for unpatched devices and hitting them in bulk. The "actively exploited" label on the KEV means that race is already underway. This is why edge-device patching is the one area where a small business cannot afford a leisurely monthly cycle; by the time the next maintenance window rolls around, the opportunistic mass-scanning has already found you. When one of these hits the list, the right response is measured in days.
What a small business should do this week
- Inventory your internet-facing devices. You cannot protect what you have not listed. Write down every device that touches the internet: firewall, VPN, gateway, NAS, cameras, any remote-access appliance, and anything with a port forward pointed at it, with make, model, and firmware version. A scan of your own public IP addresses from outside the office is the quickest way to catch the ones you forgot. Most small businesses have never done this, and it is the foundation of everything else.
- Patch the edge first. If anything on your list is a Check Point or Ivanti product named above, apply the vendor fix now, and check the vendor advisory for the affected versions, since the KEV entry itself does not list them. For everything else, confirm it is on current, supported firmware. Edge devices jump the patch queue ahead of workstations.
- Retire deprecated protocols. The Check Point flaw rides on the old IKEv1 protocol. If your VPN still uses it, plan the move to a current configuration. Deprecated settings are where these risks hide.
- Put VPN and remote access behind MFA, so a stolen password is not the whole game; this is the same identity-first thinking as the identity hardening post. One caveat: MFA is a layer, not a substitute for the patch. A flaw that bypasses authentication outright, like the Check Point one above, skips the MFA prompt along with the password.
- Restart your browsers to apply the Chrome/Edge update, and make "close it fully once a day" a habit.
- Replace end-of-life appliances. A firewall or VPN the manufacturer no longer patches is a standing liability; budget its replacement, do not nurse it.
- Keep backups and monitoring as the safety net. If something does get through, a tested backup (see the backup and DR post) and managed detection are what limit the damage.
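The two habits that matter most here, keeping an inventory of internet-facing devices and checking it against the KEV, can be joined in a short script. The following is an added example for this post, not code from the post's author or from CISA. The feed URL and the JSON field names it reads are CISA's real ones; the inventory, the sample feed entries, and their dates, flags and action text are constructed for illustration and are not real catalog data.

```python
"""Cross-check an internet-facing device inventory against CISA's KEV catalog.

Added example, not the post's or CISA's code. KEV_URL and the field names
(vendorProject, product, cveID, dateAdded, dueDate, requiredAction,
knownRansomwareCampaignUse) are CISA's real ones. INVENTORY and SAMPLE_KEV are
constructed: they reuse the CVE IDs the post names, but the dates, flags and
descriptions are placeholders.
"""
import json
import re
import urllib.request
from datetime import date

KEV_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
           "known_exploited_vulnerabilities.json")


def fetch_kev(url: str = KEV_URL, timeout: int = 30) -> dict:
    """Download the live catalog. The offline demo below does not call this."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


# Constructed inventory: name, vendor, product, as the post asks you to record.
INVENTORY = [
    {"name": "hq-fw1", "vendor": "Check Point", "product": "Remote Access VPN gateway"},
    {"name": "mdm-gw", "vendor": "Ivanti", "product": "Sentry"},
    {"name": "nas-01", "vendor": "Synology", "product": "DiskStation NAS"},
]

# Constructed stand-in for the feed, limited to the fields the matcher uses.
SAMPLE_KEV = {"vulnerabilities": [
    {"cveID": "CVE-2026-50751", "vendorProject": "Check Point", "product": "Remote Access VPN",
     "dateAdded": "2026-06-16", "dueDate": "2026-07-07",
     "knownRansomwareCampaignUse": "Known", "requiredAction": "Apply the vendor fix."},
    {"cveID": "CVE-2026-35273", "vendorProject": "Ivanti", "product": "Sentry",
     "dateAdded": "2026-06-15", "dueDate": "2026-06-22",
     "knownRansomwareCampaignUse": "Unknown", "requiredAction": "Apply the vendor fix."},
    {"cveID": "CVE-2026-11645", "vendorProject": "Google", "product": "Chromium",
     "dateAdded": "2026-06-17", "dueDate": "2026-07-08",
     "knownRansomwareCampaignUse": "Unknown", "requiredAction": "Apply the vendor fix."},
]}


def _norm(s: str) -> str:
    """'Check Point' / 'CheckPoint' / 'check-point' all become 'checkpoint'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _tokens(s: str) -> set:
    """Lower-case words of two or more characters, for loose product matching."""
    return {t for t in re.split(r"[^a-z0-9]+", s.lower()) if len(t) > 1}


def matches(device: dict, entry: dict) -> bool:
    """Vendor must match after normalisation; products match when the two strings
    share at least one word. Deliberately loose, because inventories and KEV
    entries rarely spell a product the same way; confirm hits against the advisory."""
    if _norm(device["vendor"]) != _norm(entry["vendorProject"]):
        return False
    return bool(_tokens(device["product"]) & _tokens(entry["product"]))


def prioritize(inventory: list, kev: dict, today_iso: str) -> list:
    """One record per (device, KEV entry) match, most urgent first: known
    ransomware use, then earliest federal due date, then CVE ID."""
    today = date.fromisoformat(today_iso)
    hits = []
    for dev in inventory:
        for e in kev["vulnerabilities"]:
            if not matches(dev, e):
                continue
            hits.append({
                "device": dev["name"],
                "cve": e["cveID"],
                "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
                "due": e["dueDate"],                              # ISO date, sorts as text
                "overdue": date.fromisoformat(e["dueDate"]) < today,
                "action": e["requiredAction"],
            })
    hits.sort(key=lambda h: (not h["ransomware"], h["due"], h["cve"]))
    return hits


if __name__ == "__main__":
    # Offline run on the constructed data. For real use, pass fetch_kev() and your own list.
    for h in prioritize(INVENTORY, SAMPLE_KEV, "2026-06-25"):
        flags = ("RANSOMWARE " if h["ransomware"] else "") + ("OVERDUE " if h["overdue"] else "")
        print(f"{h['device']:8} {h['cve']}  {flags}due {h['due']}: {h['action']}")
```

Two design notes. The product match is intentionally forgiving, so expect the occasional false positive; a hit is a prompt to read the vendor advisory, not a verdict. And the KEV does not carry affected-version ranges, which is why the script cannot tell you whether your firmware is vulnerable, only that a product you run has an actively-exploited flaw that needs a human to check.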
If you have an IT provider, ask three questions
Edge-device patching is exactly the kind of work a managed IT provider should own, and exactly the kind that quietly slips when no one is accountable. Ask yours, today: Do you keep an inventory of our internet-facing devices? Do you track the CISA KEV and vendor advisories? How fast do you patch a firewall or VPN when an actively-exploited flaw is announced? Clear, confident answers are what you are paying for. Vague ones are a gap to close now, while it is still a question and not an incident. It is the same diligence we cover in the switching IT providers checklist.
Where this fits
- The how ransomware gets in post, for why the edge device is such a common starting point.
- The June 2026 Patch Tuesday post and the 10 essentials, for the patch-cadence habit this depends on.
- The network design service page, for designing and securing the perimeter properly.
- The managed IT page and cybersecurity page, for keeping edge devices inventoried, patched, and monitored.
- The backup and disaster recovery post, for the safety net behind it all.
We inventory, patch, and monitor the edge devices for small businesses across Salinas, Monterey, Santa Cruz, Watsonville, and San Jose, and the rest of the Central Coast — so the front door stays locked.
FAQs about this week's edge-device vulnerabilities
What is CISA's Known Exploited Vulnerabilities catalog, and why does it matter to a small business?
The Known Exploited Vulnerabilities catalog, or KEV, is a list maintained by the U.S. Cybersecurity and Infrastructure Security Agency of vulnerabilities that are confirmed to be under active exploitation in the real world, not theoretical. When a flaw lands on the KEV, it means criminals are using it right now. Federal agencies are required to patch KEV items on a tight deadline, and for everyone else it is the single best "patch this first" list available, because it is filtered down to what attackers are actually weaponizing. For a small business with limited time, watching the KEV, or having an IT provider who does, is one of the highest-value, lowest-effort security habits there is.
We have a VPN or firewall. Are we affected by the Check Point flaw?
You are affected only if you run the specific affected products, Check Point Remote Access VPN or Mobile Access gateways using the older IKEv1 configuration, but the broader point applies to every business with any internet-facing security appliance. The Check Point flaw, tracked as CVE-2026-50751 with a severity of 9.3 out of 10, lets an unauthenticated attacker bypass authentication, and it is being actively exploited. If you run Check Point gear, apply the vendor's fix immediately and follow their guidance on the deprecated IKEv1 protocol. If you run a different brand of firewall or VPN, the lesson is the same: these devices are prime targets, so confirm yours is patched and supported.
Why patch the firewall or VPN before the computers?
Because edge devices are the front door, and a flaw in one is worth far more to an attacker than a flaw on a single PC. Your firewall, VPN, and gateway sit directly on the internet and broker access to everything behind them, so when one has an unauthenticated remote vulnerability, a criminal can walk straight in from anywhere in the world with no phishing and no malware needed. That is exactly the entry point ransomware crews prize, which is why so many small-business ransomware cases trace back to an unpatched VPN or firewall. Workstation patches matter too, but an exposed, vulnerable edge device is the emergency.
What is IKEv1 and should we turn it off?
IKEv1 is an older protocol used to set up VPN connections, and it has largely been superseded by the more secure IKEv2. The Check Point flaw under active attack specifically involves IKEv1, which is considered deprecated. If your VPN still uses it, that is a signal to move to IKEv2 or the vendor's current recommended configuration, after confirming compatibility, and to apply the relevant patch. More generally, deprecated protocols are a recurring source of risk because they linger in configurations long after better options exist. An IT review that flags and retires them is part of keeping an edge device genuinely secure, not just powered on.
We use an IT provider or MSP. Isn't patching the appliances their job?
It should be, but you should confirm it rather than assume it, because edge devices are exactly the things that fall through the cracks. Ask your provider three direct questions: do you maintain an inventory of our internet-facing devices, do you track the CISA KEV and vendor advisories, and how quickly do you patch a firewall or VPN when an actively-exploited flaw is announced. A good managed IT relationship treats edge-device patching as urgent and proves it; if the answers are vague, that is a gap worth closing now, before it is found for you. This is core to what managed IT is supposed to deliver.
How fast do attackers actually exploit these flaws?
Fast, often within days of a vulnerability becoming public, and sometimes before it is public at all. "Actively exploited" on the KEV means CISA has evidence the flaw is being used in real attacks, not merely that it could be. Once a flaw in a widely-used VPN or gateway is disclosed, attackers race to scan the entire internet for exposed, unpatched devices and hit them in bulk, because the payoff, direct network access, is so high. That short window between disclosure and mass exploitation is why edge-device patching cannot wait for a monthly maintenance cycle. When a flaw like this week's hits the actively-exploited list, the clock is already running, and the businesses that patch in days rather than weeks are the ones that stay out of the breach reports.
Not sure what's facing the internet at your office? Let's find out.
30 minutes with a DoD-cleared engineer. We'll inventory your internet-facing devices, check them against this week's actively-exploited flaws, and tell you plainly what to patch or replace. No jargon, no obligation.
Book your free assessment
Prefer to talk first? Email sales@ghosxt.com or call (831) 204-0501.