Microsoft has disclosed a critical remote code execution (RCE) vulnerability in the Windows Internet Key Exchange (IKE) Service Extensions, tracked as CVE-2026-33824. The vulnerability is caused by a double-free memory handling flaw that can be triggered remotely by an unauthenticated attacker sending specially crafted network traffic to a vulnerable system. Successful exploitation could allow arbitrary code execution with system-level privileges.

Given that IKE is commonly exposed on network perimeters for IPsec VPN and secure communications, this vulnerability represents a high risk to enterprise and server environments.

 

Vulnerability Details

  • Vulnerability Type: Double-Free Memory Corruption (CWE-415)

  • Exploitation Conditions: The target system must have the IKE service active and reachable via UDP port 500 or 4500.

  • Authentication Required: None

  • User Interaction Required: None

  • Attack Vector: Network

Impact

An attacker who successfully exploits this vulnerability could:

  • Execute arbitrary code remotely

  • Fully compromise the affected system

  • Compromise the confidentiality, integrity, and availability of the host

 

No authentication or user interaction is required, and the attack can be performed over the network, significantly increasing exploitability.

 

Affected Versions

All supported versions of the following platforms are affected prior to installation of the April 2026 cumulative security updates:

  • Windows 10

  • Windows 11

  • Windows Server 2016, 2019, 2022, and 2025

 

Recommended Mitigations

  • Deploy the April 2026 Windows cumulative updates and validate installation against the Microsoft security advisory and KB guidance for each OS build.

  • Restrict inbound UDP 500 and UDP 4500 using allow-lists of trusted peers only, at perimeter and host firewall layers where applicable.

  • Disable the IKEEXT service only on systems with no validated business requirement for IPsec or IKE-based VPN, and maintain documented exceptions for dependent systems.

 

Detection and Monitoring Guidance

Security teams should:

  • Monitor perimeter devices and Windows hosts for unexpected or malformed IKE/IPsec traffic

  • Identify unexpected or unauthorised external sources attempting connections over UDP ports 500 and 4500

  • Review VPN and IPsec gateway logs for anomalous connection attempts

  • Prioritise vulnerability scanning coverage for exposed Windows servers
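
One way to find unexpected external sources on UDP 500 and 4500, as an added example that is not part of the original bulletin: it reads records in the Windows Firewall log layout and reports inbound IKE traffic from peers outside an allow-list. The log lines, addresses and allow-list are constructed, and the field order is taken from the log's own #Fields header.

```python
import ipaddress
from collections import Counter

IKE_PORTS = {"500", "4500"}  # UDP ports named in the bulletin
# Assumption: trusted VPN peers (constructed, documentation-range addresses).
ALLOWED_PEERS = [ipaddress.ip_network(n) for n in ("198.51.100.0/28", "10.0.0.0/8")]

# Constructed sample in the Windows Firewall log (pfirewall.log) layout.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2026-04-15 09:00:01 ALLOW UDP 198.51.100.5 192.0.2.10 500 500 0 - - - - - - - RECEIVE
2026-04-15 09:00:02 ALLOW UDP 203.0.113.77 192.0.2.10 41022 500 0 - - - - - - - RECEIVE
2026-04-15 09:00:03 DROP UDP 203.0.113.77 192.0.2.10 41023 4500 0 - - - - - - - RECEIVE
2026-04-15 09:00:04 ALLOW TCP 203.0.113.77 192.0.2.10 50000 443 0 S 1 0 8192 - - - RECEIVE
2026-04-15 09:00:05 ALLOW UDP 192.0.2.10 198.51.100.5 500 500 0 - - - - - - - SEND
2026-04-15 09:00:06 ALLOW UDP 203.0.113.9 192.0.2.10 500 500 0 - - - - - - - RECEIVE
truncated line
"""

def unexpected_ike_sources(log_text, allowed=ALLOWED_PEERS):
    """Return {src_ip: Counter(action -> count)} for inbound UDP 500/4500
    records whose source is not covered by the allow-list."""
    fields, hits = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the "#Fields:" tag
            continue
        parts = line.split()
        if line.startswith("#") or not fields or len(parts) < len(fields):
            continue  # other header line, or a short/malformed record
        rec = dict(zip(fields, parts))
        if rec["protocol"] != "UDP" or rec["dst-port"] not in IKE_PORTS or rec["path"] != "RECEIVE":
            continue  # only inbound IKE / NAT-T traffic is of interest
        try:
            src = ipaddress.ip_address(rec["src-ip"])
        except ValueError:
            continue  # unparseable source address
        if any(src in net for net in allowed):
            continue  # trusted peer
        hits.setdefault(str(src), Counter())[rec["action"]] += 1
    return hits
```

Sources that show ALLOW counts are reaching the IKE service and are the ones to check against the firewall allow-list first.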

 

References

Microsoft Knowledge Base (KB) articles for the April 2026 security updates that address CVE-2026-33824, by operating system version:

 

Windows 11 KB Articles

  • Version 25H2: KB5083769 (OS Build 26200.8246)

  • Version 24H2: KB5083769 (OS Build 26100.8246)

  • Version 23H2: KB5082052 (OS Build 22631.6936)

Windows 10 KB Articles

  • Version 22H2: KB5082200 (OS Build 19045.7184)

  • Version 1809: KB5082123

  • Version 1607: KB5082198

 

Windows Server KB Articles

  • Windows Server 2025: KB5082063 (OS Build 26100.32690)

 

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

 
