A critical unauthenticated remote code execution vulnerability in the Windows Internet Key Exchange (IKE) service demands immediate attention from every Windows-running organisation. CVE-2026-33824, patched in Microsoft's April 2026 Patch Tuesday, carries a CVSS score of 9.8 and was confirmed as actively exploited before the patch was available, making it a zero-day in practice, even though Microsoft had not formally labelled it as such in its initial advisory.
What Was Found
The flaw resides in IKEEXT.dll, the Windows component responsible for managing IKEv2 key exchange operations used by VPN connections, site-to-site tunnels, and DirectAccess. A double-free condition (CWE-415) in the IKEEXT::ProcessIKEPayload function is triggered when the function processes malformed nested payloads within a sequence of SA_INIT packets containing an invalid combination of Notify and Proposal payloads. The resulting memory corruption can be leveraged by an attacker to achieve arbitrary code execution in the context of the IKEEXT service, which runs as NT AUTHORITY\SYSTEM.
Critically, the attack requires no authentication, no user interaction, and only network access to the target. An adversary anywhere on the internet can deliver a specially crafted sequence of UDP packets to exploit the vulnerability.
Why It Matters
The consequences of a successful exploit are total. SYSTEM-level access enables credential harvesting from LSASS memory, modification of security configurations, termination of endpoint detection and response (EDR) agents, and installation of persistent rootkits, all without any warning to the targeted user.
The affected surface is exceptionally broad. CVE-2026-33824 impacts Windows 10 (all supported editions including 1607, 1809, 21H2, and 22H2), Windows 11 (22H2 through 26H1), and Windows Server 2016, 2019, 2022, 23H2, and 2025. In practice, that means every modern Windows enterprise estate is exposed unless patched.
Active exploitation was confirmed before the patches were released on 14 April 2026, indicating that at least one threat actor had operationalised the technique before the fix became available. The potential for widespread exploitation after the patch, as defenders race against attackers reverse-engineering the update, makes urgency critical.
Technical Detail
| Attribute | Detail |
|---|---|
| CVE | CVE-2026-33824 |
| CVSS v3.1 | 9.8 (CRITICAL) |
| Attack vector | Network (remote, no authentication) |
| Root cause | Double free (CWE-415) in IKE payload parsing |
| Service | IKEEXT.dll, runs as NT AUTHORITY\SYSTEM |
| Affected ports | UDP 500 (IKE), UDP 4500 (NAT-T) |
| Trigger | Malformed SA_INIT packets with invalid Notify+Proposal combo |
| Patched in | April 2026 Patch Tuesday (KB5082063, KB5082142, others per version) |
The IKEEXT service starts automatically on Windows systems where IKEv2 is enabled. Hosts that have not explicitly disabled this service, which includes the vast majority of enterprise Windows deployments, are exposed.
Recommended Actions
- Apply the April 2026 Patch Tuesday update immediately. All Windows 10, 11, and Server versions receive fixes for CVE-2026-33824. This is the only complete remediation.
- If patching is not immediately possible, block inbound traffic on UDP port 500 and UDP port 4500 at the network perimeter and on Windows Firewall for all hosts that do not require IKEv2 connectivity.
- For hosts requiring IKEv2, restrict inbound UDP 500/4500 to known peer IP addresses only. Remove any open-to-internet IKE access where it is not operationally necessary.
- Audit IKE service exposure using your vulnerability scanner or Intune/SCCM compliance policies: identify any internet-facing systems with IKEEXT running and unpatched.
- Review SIEM alerts for anomalous process creation under svchost.exe hosting IKEEXT, unexpected LSASS access, or suspicious outbound connectivity following IKEv2 SA negotiation attempts.
- Prioritise Windows Server systems hosting VPN gateways, DirectAccess endpoints, or hybrid Azure connectivity; these are the most exposed and most valuable targets.
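The audit and firewall steps above, as an added PowerShell example that is not part of the advisory or of any Microsoft tooling. It reports IKEEXT state, checks for the two KB ids named in the table (other builds ship different KBs, so an absent id is a prompt to verify, not proof of exposure), lists inbound allow rules for UDP 500/4500, and with -Apply either blocks inbound IKE or restricts it to a caller-supplied peer list; the KnownPeers parameter and the rule names are assumptions for this script. Run it elevated.

```powershell
# Added example: audit a host's exposure to CVE-2026-33824 and optionally apply the
# interim firewall mitigation. Report-only unless -Apply is given.
param(
    [string[]]$KnownPeers = @(),   # assumption: trusted IKEv2 peer IPs/CIDRs; empty = block all inbound IKE
    [switch]$Apply
)
$AprilKBs = @('KB5082063', 'KB5082142')   # the two KBs named in the advisory; others exist per OS version

# 1. Service state: the flaw is only reachable while IKEEXT is running
$svc = Get-CimInstance Win32_Service -Filter "Name='IKEEXT'"
"IKEEXT: state=$($svc.State) startmode=$($svc.StartMode) pid=$($svc.ProcessId)"

# 2. Patch state: Get-HotFix lists installed updates by KB id
$patched = Get-HotFix | Where-Object { $AprilKBs -contains $_.HotFixID }
if ($patched) { "April 2026 update present: $($patched.HotFixID -join ', ')" }
else { "No listed KB found; confirm this build's own April 2026 KB before treating the host as patched" }

# 3. Firewall state: enabled inbound allow rules that open UDP 500 or 4500
$ikeAllow = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_ | Get-NetFirewallPortFilter | Where-Object {
        $_.Protocol -eq 'UDP' -and (@($_.LocalPort) -contains '500' -or @($_.LocalPort) -contains '4500') } }
"Inbound UDP 500/4500 allow rules: $(@($ikeAllow).Count)"
$ikeAllow | ForEach-Object { "  $($_.DisplayName)" }

if (-not $Apply) { return }

if ($KnownPeers.Count -eq 0) {
    # No IKEv2 needed on this host: an explicit block rule takes precedence over any allow rule
    New-NetFirewallRule -DisplayName 'CVE-2026-33824 mitigation: block inbound IKE' `
        -Direction Inbound -Protocol UDP -LocalPort 500,4500 -Action Block -Profile Any | Out-Null
} else {
    # IKEv2 needed: disable the broad allows, then allow only the listed peers.
    # This is restrictive only if the profile's default inbound action is Block.
    $ikeAllow | Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName 'CVE-2026-33824 mitigation: IKE from known peers only' `
        -Direction Inbound -Protocol UDP -LocalPort 500,4500 -RemoteAddress $KnownPeers `
        -Action Allow -Profile Any | Out-Null
}
'Interim firewall mitigation applied; remove it once the April 2026 update is confirmed installed'
```

The script does not cover the SIEM review step; process-creation and LSASS-access telemetry is better queried in the SIEM itself than per host.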
Broader Context
CVE-2026-33824 adds to a troubling pattern from April's Patch Tuesday, which also fixed the actively exploited SharePoint zero-day (CVE-2026-32201) and the BlueHammer Windows Defender privilege escalation (CVE-2026-33825). The simultaneous availability of a critical unauthenticated RCE and a reliable local privilege escalation tool means that an attacker who gains a foothold via any means and chains it with BlueHammer has an unobstructed path to SYSTEM. Patch both vulnerabilities as a combined priority, not in isolation.
The IKE service is a legacy VPN substrate that persists in enterprises as DirectAccess deployments age out. If your organisation has migrated to Always On VPN or cloud-based zero-trust access, confirm that IKEv2 is disabled on hosts that no longer require it. Reducing attack surface here has compounding security benefit beyond just this CVE.