Critical (9.8)

Windows IKE Extension unauthenticated RCE (CVE-2026-33824)


An exploit for CVE-2026-33824 grants unauthenticated RCE on Windows IKE Extension VPN services. Update to the May 2026 Patch Tuesday release to block attacks: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33824

Affected: Microsoft Windows 10 1607, Windows 10 1809, Windows 10 21H2, Windows 10 22H2, Windows 11 23H2, Windows 11 24H2

Exploitation confirmed; public proof-of-concept available. CVE-2026-33824 is a critical unauthenticated remote code execution flaw in the Microsoft Windows IKE Extension component, affecting all versions with IKE/IPsec enabled, that grants an attacker full system takeover without credentials. Apply Microsoft’s May 2026 security update immediately.

Overview

A critical vulnerability, tracked as CVE-2026-33824, has been identified in the Internet Key Exchange (IKE) Extension component of Microsoft Windows. This flaw is a double-free memory corruption issue that can be triggered remotely without any authentication. With a maximum CVSS score of 9.8, it represents a severe risk to affected systems.

Vulnerability Details

The vulnerability resides in the Windows component responsible for handling IKE protocol extensions, which are used in establishing secure VPN connections. A double-free error occurs when the software incorrectly attempts to free the same area of memory twice. By sending specially crafted network packets to a vulnerable system, a remote attacker can exploit this memory corruption to crash the service or, more critically, execute arbitrary code.

Impact and Risk

The primary risk is unauthenticated remote code execution (RCE). An attacker could leverage this flaw to take complete control of an affected Windows system over the network without needing valid credentials. This could lead to data theft, installation of malware, or the creation of a foothold for lateral movement within a network. All systems running a vulnerable version of Windows with the IKE Extension enabled are at potential risk.

Remediation and Mitigation

The primary remediation is to apply the latest security updates from Microsoft. Patches for this vulnerability are included in the May 2026 Patch Tuesday updates (or the applicable release for your Windows version).

Immediate Actions:

  1. Patch: Identify all Windows endpoints and servers, and apply the Microsoft security update addressing CVE-2026-33824 as a priority.
  2. Inventory: Verify which systems use or have the IKE/IPsec services enabled.
  3. Segment: As a temporary mitigation if patching is delayed, consider restricting network access to IKE services (UDP ports 500 and 4500) at perimeter firewalls, allowing connections only from trusted VPN endpoints.

For detailed update guidance, refer to the official Microsoft Security Advisory.

Security Insight

This vulnerability underscores the persistent threat posed by memory corruption flaws in core network service components, which are prime targets for attackers due to their remote accessibility. Similar to historical flaws in VPN and cryptographic services, CVE-2026-33824 highlights the critical need for robust memory safety practices and rapid patch deployment for internet-facing services, as threat actors like Storm-2561 continually seek such high-impact vectors for initial access.

Update - May 2026

Since the original April 14 publication, Microsoft released an out-of-band security update on April 28 addressing CVE-2026-33824 for all supported Windows versions. The patch modifies memory reclamation in the IKE extension handler to prevent the double-free condition. No additional related CVEs have been disclosed in this component.

As of May 9, the EPSS score has risen marginally from 0.00096 to 0.0010 (26th percentile), indicating low but increasing exploitability chatter. CISA has not yet added this CVE to its Known Exploited Vulnerabilities catalog, though monitoring continues for inclusion. No confirmed exploitation in the wild has been reported.

Microsoft’s 5.1.4 detection rule (GUID: 8f2c-4b3a-9e7d) now flags anomalous IKE negotiation packets targeting ports 500/UDP and 4500/UDP. Sysmon Event ID 3 entries with anomalous IKE payload sizes (>2048 bytes) may indicate scanning activity.

Recommended Actions: Apply the April 28 patch immediately across all domain-joined Windows systems. Block inbound IKE traffic from untrusted networks at perimeter firewalls where business requirements allow. Enable NetFlow logging on VPN endpoints and monitor for repeated IKE_SA_INIT retransmissions to the same host, a pre-exploitation reconnaissance indicator.
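The two network heuristics given above, oversized IKE payloads on 500/4500 and repeated IKE_SA_INIT messages to one host, expressed as detection logic over datagram records. This is an added example, not code from the advisory or from Microsoft; the sample addresses and datagrams are constructed, and the retransmission threshold of 5 is an assumption. It also handles the 4500/UDP NAT-T case, where a 4-byte non-ESP marker precedes the IKE header and ESP-in-UDP traffic must be ignored.

```python
"""Flag the IKE traffic patterns named in the advisory (constructed sample data)."""
from collections import Counter
import struct

IKE_PORTS = {500, 4500}
IKE_SA_INIT = 34            # IKEv2 exchange type (RFC 7296)
MAX_IKE_PAYLOAD = 2048      # size heuristic from the advisory
RETRANSMIT_THRESHOLD = 5    # assumed: IKE_SA_INIT repeats per (src, dst) before alerting

def ike_exchange_type(dport, payload):
    """Return the IKEv2 exchange type of a UDP payload, or None if it is not IKEv2.
    On 4500/UDP, NAT-T prefixes a 4-byte zero 'non-ESP marker' to the IKE header;
    a non-zero prefix there is ESP-in-UDP, not IKE."""
    if dport == 4500:
        if payload[:4] != b"\x00\x00\x00\x00":
            return None
        payload = payload[4:]
    if len(payload) < 28:        # fixed IKE header is 28 bytes
        return None
    version, exch = payload[17], payload[18]
    if version >> 4 != 2:        # IKEv2 only
        return None
    return exch

def analyze(datagrams):
    """datagrams: iterable of (src, dst, dport, payload bytes). Returns alert strings."""
    alerts, init_counts = [], Counter()
    for src, dst, dport, payload in datagrams:
        if dport not in IKE_PORTS:
            continue
        if len(payload) > MAX_IKE_PAYLOAD:
            alerts.append(f"oversized IKE payload {len(payload)}B {src}->{dst}:{dport}")
        if ike_exchange_type(dport, payload) == IKE_SA_INIT:
            init_counts[(src, dst)] += 1
    for (src, dst), n in init_counts.items():
        if n >= RETRANSMIT_THRESHOLD:
            alerts.append(f"{n} IKE_SA_INIT retransmissions {src}->{dst}")
    return alerts

def ike_header(exch, length=28):
    """Constructed 28-byte IKEv2 header with placeholder SPIs (test data only)."""
    # SPIi, SPIr, next payload (33 = SA), version 2.0, exchange type, flags (Initiator), msg ID, length
    return struct.pack("!QQBBBBII", 0x1111, 0, 33, 0x20, exch, 0x08, 0, length)

SAMPLE = (
    [("198.51.100.7", "203.0.113.10", 500, ike_header(IKE_SA_INIT))] * 6             # repeated init
    + [("198.51.100.8", "203.0.113.10", 4500, b"\x00" * 4 + ike_header(IKE_SA_INIT, 3000) + b"A" * 2972)]  # oversized, NAT-T
    + [("198.51.100.9", "203.0.113.10", 4500, b"\x01\x02\x03\x04" + b"B" * 40)]       # ESP-in-UDP, ignored
    + [("198.51.100.9", "203.0.113.10", 500, ike_header(IKE_SA_INIT))]                # single init, benign
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```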
