Check Point VPN exploited , CIOs lose AI control , Microsoft

A three-day CISA patch order. A shadow-AI problem that won't sit still. And Microsoft trying to make GitHub Copilot the new default enterprise dev surface.

What You Need to Know: CISA added CVE-2026-50751 — an IKEv1 VPN authentication bypass in Check Point Security Gateways — to the Known Exploited Vulnerabilities catalog with a three-day patch deadline for federal agencies after the Qilin ransomware group was observed exploiting it in the wild. Separately, the AI-agent visibility problem hit a new low for enterprise CIOs, and Microsoft used Build 2026 to launch "Microsoft IQ" and move all GitHub Copilot plans to usage-based billing.

Why It Matters

• CVE-2026-50751 is a pre-auth RCE-adjacent VPN bypass being exploited by ransomware. Qilin (a ransomware-as-a-service operation active since 2022) was observed using the Check Point IKEv1 authentication bypass to gain initial access to corporate networks. Once on the VPN, the attacker is inside the perimeter, which is exactly the failure mode VPN bypasses always produce. CISA's three-day patch window is unusually aggressive.
• CIOs are losing the AI governance fight, and the surveys finally admit it. A wave of enterprise surveys from 2026 (including the Techest "Top 3 AI Risks" piece and the Business Security Weekly "shadow AI" coverage) all converge on the same conclusion: employees are deploying AI tools faster than central IT can inventory them, and the data-exposure risk is real and largely unmeasured.
• Microsoft is moving GitHub Copilot to usage-based billing and shipping a new context layer. Microsoft IQ, generally available across GitHub Copilot, Foundry, and Copilot Studio as of Build 2026 (June 2), is a context layer that grounds AI responses in a customer's own data. The pricing change — all plans transition to token-based billing on June 1, 2026 — is the real money story.

What Actually Happened

Check Point IKEv1 VPN bypass: CVE-2026-50751

On June 8, 2026, Check Point released hotfixes for a pair of vulnerabilities in their Remote Access VPN and Mobile Access deployments, the more serious of which is tracked as CVE-2026-50751. The bug is an authentication bypass in the IKEv1 (Internet Key Exchange v1) handshake that lets an unauthenticated remote attacker gain VPN access without valid credentials. CISA added the CVE to the KEV catalog with a three-day patch deadline for federal agencies, citing evidence of active exploitation.

Help Net Security and Cybersecurity Dive both report that the Qilin ransomware affiliate is the threat actor observed using the bug. Qilin (also tracked as "Agenda") is a RaaS operation that has been active since 2022 and is known for double-extortion tactics and rapid affiliate onboarding. The Check Point VPN bypass gives the affiliate group a one-shot path from "internet" to "inside the corporate network" — which is the failure mode that has made every major VPN CVE of the last three years a CISA KEV addition.

The watchTowr Labs technical writeup notes that the bug is in Check Point's own authentication logic, and the "marking your own homework" framing in the title is a pointed comment on the fact that Check Point's own research team discovered and disclosed it. The lesson for defenders is that IKEv1 should not be in production in 2026 — it's a 25-year-old protocol with a long history of bypass-class bugs — and any environment still using it should treat this CVE as the final reason to migrate to IKEv2 or wireguard.

For Check Point customers, the fix is in hotfix releases across Quantum Security Gateway and corresponding Mobile Access versions. The "patch within three days" CISA deadline is binding for federal agencies and should be treated as a strong recommendation for everyone else — especially given that Qilin's TTPs include the typical ransomware playbook (escalate, exfiltrate, deploy, ransom) once they're inside the perimeter.

The "CIOs lose AI control" reality check

The second story in this digest is the enterprise AI governance gap, which the post-WWDC and post-Build coverage is finally naming out loud. The Techest survey ("Top 3 AI Risks CIOs Should Plan For in 2026") and the Business Security Weekly "shadow AI" coverage both describe the same problem from slightly different angles: employees are spinning up AI tools (ChatGPT Team, Claude, Copilot, third-party agents) faster than IT can inventory them, and the data-exposure surface is correspondingly invisible.

The pattern is familiar from the shadow-IT era of the 2010s, but the velocity is different. A marketing manager can deploy a third-party agent that reads the CRM, generates outbound emails, and posts to LinkedIn in an afternoon — no IT ticket, no security review, no DLP hook. The CIO's inventory of "AI tools in use" is typically off by a factor of 3-5x within six months of an enterprise AI policy being published.

The fix isn't a new tool, it's a governance model. The companies that are getting this right (per the same coverage) are doing three things: publishing a "you can use these AI tools" allowlist, building a self-service intake that doesn't block, and instrumenting the egress layer so that even unsanctioned tool usage is visible. The companies getting it wrong are the ones that try to ban it, which just moves the usage onto personal devices and unmanaged browsers.

The economic pressure on CIOs is real. The "you must adopt AI or fall behind" narrative is being pushed from every boardroom, and the CIO who says "we need to slow down and inventory first" is the one who gets replaced. The Techest framing is closer to "you need to move fast and keep visibility" — which is a much harder problem than the surveys used to acknowledge.

Microsoft Build 2026: Microsoft IQ and token-based Copilot

Microsoft Build 2026 ran in San Francisco starting June 2, and the two announcements that matter for developers are Microsoft IQ and the GitHub Copilot billing change. Microsoft IQ, generally available across GitHub Copilot, Microsoft Foundry, and Copilot Studio, is a "context layer" that grounds AI responses in a customer's own data — think of it as Microsoft's answer to Glean or to the various retrieval layers that enterprise customers have been bolting onto Copilot themselves.

The pricing change is the bigger story for budgets. As of June 1, 2026, all GitHub Copilot plans transitioned to usage-based (token-based) billing, with promotional pricing during the June-August window: Copilot Business customers pay $19/user/month and receive $30 of included usage. GitHub's own announcement post and Ed Zitron's "Where's Your Ed At" coverage both note that this is a real shift in how enterprises budget for AI tooling — the per-seat model is dying, and the per-token model is the new default.

The other Build 2026 thread is the "Copilot has to prove it can work" framing (the YouTube Devs cover put it bluntly) — Microsoft is shipping a lot of surface area, but the actual developer experience questions (does Copilot understand your codebase? does it respect your lint rules? does it generate code you can ship?) are still hit-or-miss. The Build 2026 demos were slick, but the production usage data is still mixed.

For developers and engineering managers, the practical takeaway is: budget for token-based Copilot (it'll be more expensive than per-seat once promotional pricing ends), instrument your usage (you'll want to know which teams are burning tokens), and treat Microsoft IQ as a "maybe useful, definitely expensive" addition to your retrieval stack.

The Take

CVE-2026-50751 is the VPN bypass that should finally kill IKEv1 in production. If you're still running IKEv1 on a Check Point gateway in June 2026, you have a three-day CISA deadline and an active ransomware operator using the exact bug you haven't patched. The only acceptable response is to patch tonight and start the IKEv2 migration next week.

The "CIOs lose AI control" thread is the one I'd bet gets worse before it gets better. The velocity of AI tool deployment is outpacing governance in a way that no amount of policy will fix, and the companies that succeed are the ones that treat visibility as a data problem (instrument the egress, log the usage, surface the inventory in real time) rather than a policy problem. The bans don't work. The allowlists work but only if the intake is faster than the bypass.

Microsoft's Copilot billing change is the canary. Every AI dev tool is going to move to token-based pricing over the next 18 months, and the enterprise procurement people who negotiated per-seat contracts in 2024 are going to be very unhappy in 2026. If you're an engineering leader, start modeling your Copilot (or Cursor, or Claude Code) spend on a per-token basis now — the per-seat era is ending whether you like it or not.

Quick Summary

CISA added Check Point's IKEv1 VPN authentication bypass (CVE-2026-50751) to the KEV with a three-day patch deadline after Qilin ransomware exploitation, enterprise surveys show CIOs are losing the AI governance fight as shadow AI proliferates, and Microsoft Build 2026 shipped Microsoft IQ and moved all GitHub Copilot plans to usage-based billing.

Sources

• Help Net Security: Qilin ransomware affiliate exploited Check Point VPN zero-day (CVE-2026-50751)
• Cybersecurity Dive: Check Point warns of zero-day flaw targeted by ransomware affiliate
• watchTowr Labs: Marking Your Own Homework — Check Point Remote Access VPN IKEv1 Authentication Bypass
• Threat-Modeling.com: Check Point Security Gateway IKEv1 VPN Authentication Bypass (CVE-2026-50751)
• Techest: Top 3 AI Risks CIOs Should Plan For in 2026
• Microsoft Blog: Microsoft Build 2026 — Be yourself at work
• GitHub Blog: GitHub Copilot is moving to usage-based billing