CVE-2026-33824 — Windows IKEv2 remote code execution

CVE-2026-33824 is a critical double-free in Windows IKE Extension (IKEEXT) that can allow unauthenticated remote code execution via crafted IKEv2 packets. A notable public exploit-analysis write-up was published on 2026-04-23, making this a high-priority hardening target for internet-facing VPN gateways.

When to use it

  • A repository owns Windows fleet, VPN gateway, Always-On VPN, cloud image, firewall, or runbook definitions for systems with IKEv2/IPsec exposure.
  • UDP 500 or 4500 is reachable from untrusted networks, partner networks, VPN clients, or broad internal segments.
  • Patch evidence, KB inventory, image baseline, or effective firewall evidence is missing or inconsistent across Windows release trains.
  • You need a bounded change request or triage note that pairs patch rollout with temporary exposure reduction.

Inputs

  • Windows image baselines, endpoint management policy, firewall rules, cloud security groups, VPN gateway configs, routing/ACLs, CMDB exports, runbooks, and patch compliance reports.
  • Scoped host groups, Windows release train, KB/hotfix evidence, IKE service state, effective UDP 500/4500 reachability, peer allow-lists, and rollout owners.
  • Available patch inventory, firewall/routing validation, configuration compliance checks, change-window evidence, and vulnerability scan results.

Affected versions

  • Vulnerable: Windows systems with vulnerable April 2026 patch level and IKEv2 reachable.
  • Fixed: Microsoft security update that remediates CVE-2026-33824.

Indicator-of-exposure

  • Host runs IKEv2/IPsec services.
  • UDP ports 500 and/or 4500 are reachable from untrusted networks.
  • April 2026 security updates not yet applied.

Quick checks:

Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 20
Get-NetFirewallRule -Enabled True | Where-Object { $_.DisplayName -match 'IKE|IPsec' }
netstat -ano | findstr ":500 :4500"

Remediation strategy

  • Apply Microsoft’s security update addressing CVE-2026-33824.
  • If patch rollout is staged, temporarily restrict/deny inbound UDP 500/4500 except known VPN peers.
  • Audit VPN gateways and Always-On VPN endpoints first (highest blast radius).

The prompt

You are remediating CVE-2026-33824 (Windows IKEv2 RCE). Produce exactly one
output:

- A change request/runbook update with patch + exposure reduction actions, or
- TRIAGE.md if patch deployment is blocked.

## Rules

- Scope only CVE-2026-33824.
- Prioritize internet-facing IKEv2 gateways.
- Do not claim remediation unless both patch status and network exposure checks
  are documented.

## Steps

1. Inventory Windows systems with IKEv2 enabled and exposed on UDP 500/4500.
2. Validate patch status for CVE-2026-33824 on each asset group.
3. For unpatched systems, add immediate mitigation:
   - block inbound UDP 500/4500 where IKE is unnecessary, or
   - allow-list known peers only.
4. Produce rollout plan applying the April 2026 security update.
5. Add verification plan:
   - patch evidence (KB/hotfix inventory),
   - firewall/routing evidence for UDP 500/4500 controls.
6. Output title:
   `fix(sec): mitigate and remediate CVE-2026-33824 (Windows IKEv2)`.

## Stop conditions

- Target fleet has no IKEv2 exposure.
- Patch identification data is unavailable for this environment.
- Required firewall changes cannot be validated safely.

Verification — what the reviewer looks for

  • Patch evidence exists for scoped systems.
  • UDP 500/4500 exposure is explicitly reduced or justified.
  • Remaining risk (if any) has owner + deadline.

Output contract

  • Reviewer-ready change request or runbook update documenting patch evidence and effective UDP 500/4500 exposure for every scoped Windows IKEv2 group.
  • Temporary firewall, ACL, VPN peer allow-list, or routing containment for unpatched systems where IKEv2 remains reachable.
  • Operator notes covering rollout order, KB/update evidence, validation commands, remaining risk owner, and deadline.
  • TRIAGE.md when patch inventory, fleet ownership, or firewall authority is outside this repository.

Watch for

  • Looking only at Windows desktop fleets while VPN gateways, Always-On VPN servers, and cloud Windows images keep IKEv2 exposed.
  • Treating a firewall rule name as proof of containment without checking the effective inbound UDP 500/4500 path.
  • Assuming a host is safe because it is behind NAT while peers or VPN clients can still reach IKE.
  • Patching without recording the exact KB/update evidence reviewers need for the scoped Windows release train.

References