Cyber Incident Victim: Department of Homeland Security
Date: May 2026
Location: United States of America
Summary
The Cybersecurity and Infrastructure Security Agency issued an urgent order for all civilian federal agencies to patch a critical vulnerability in Check Point’s remote access, firewall and VPN products that is being actively exploited by the ransomware group Qilin. The directive, issued under Operational Directive BOD 22‑01, applies to agencies such as the Department of Homeland Security, the Department of State and the Treasury, requiring them to remediate the flaw to protect government networks from ongoing attacks.
Description
On May 7, 2026, attackers began exploiting a critical vulnerability in Check Point Software's remote access tools, firewalls, and VPN systems, a flaw that allows unauthorized entry into protected networks. The vulnerability was subsequently identified by Check Point Software as being actively used by the ransomware group Qilin, which launched intrusions against organizations that rely on those security products. Activity remained low initially but increased sharply during the week preceding June 9, 2026, as Qilin expanded its campaign to dozens of targets worldwide. The escalating threat prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to prepare an emergency response for federal civilian networks.

On June 9, 2026, CISA issued an urgent directive requiring all civilian federal agencies to remediate the Check Point vulnerability by the end of day June 11, 2026, citing the active exploitation by Qilin as a clear and present danger to government infrastructure. The directive specifically named the Department of Homeland Security, the Department of State, and the Treasury as agencies that must address any instances of the affected products within their environments. Check Point confirmed that the bug impacts remote access tools, firewalls, and VPNs, which serve as digital gatekeepers preventing unauthorized access to corporate and government networks. By June 10, 2026, the agency reiterated the timeline, emphasizing that the three‑day window was necessary to mitigate the heightened risk observed in the prior week.

CISA based its order on Operational Directive BOD 22-01, which authorizes the agency to compel security actions when active cyber threats are detected on federal networks. As a result, the Department of Homeland Security was required to locate and patch all vulnerable Check Point systems under its control before the June 11 deadline. The remediation effort involved applying the necessary updates or configurations to close the flaw and prevent further Qilin intrusions. Completion of the patching process by the specified date would satisfy CISA’s mandate and reduce the exposure of Homeland Security’s network to the ongoing ransomware campaign.
