A critical authentication bypass vulnerability affecting Remote Access VPN and Mobile Access deployments has been actively exploited in the wild. The vulnerability exploits a logic flaw in certificate validation within the deprecated IKEv1 key exchange protocol, allowing attackers to establish VPN sessions without valid passwords. Exploitation has been observed since May 7, 2026, targeting several dozen organizations globally. One confirmed incident involved post-compromise activity linked to Qilin ransomware operations. The threat actor appears financially motivated and operates dedicated VPS infrastructure across multiple hosting providers. An additional related vulnerability affecting site-to-site VPN communications was discovered through AI-assisted code analysis, though no active exploitation has been observed. Immediate patching is strongly recommended for affected systems using IKEv1 protocol.