CVE-2026-33824 — Windows IKEv2 remote code execution
CVE-2026-33824 is a critical double-free in Windows IKE Extension (IKEEXT)
that can allow unauthenticated remote code execution via crafted IKEv2 packets.
A notable public exploit-analysis write-up was published on 2026-04-23,
making this a high-priority hardening target for internet-facing VPN gateways.
When to use it
- A repository owns Windows fleet, VPN gateway, Always-On VPN, cloud image, firewall, or runbook definitions for systems with IKEv2/IPsec exposure.
- UDP
500or4500is reachable from untrusted networks, partner networks, VPN clients, or broad internal segments. - Patch evidence, KB inventory, image baseline, or effective firewall evidence is missing or inconsistent across Windows release trains.
- You need a bounded change request or triage note that pairs patch rollout with temporary exposure reduction.
Inputs
- Windows image baselines, endpoint management policy, firewall rules, cloud security groups, VPN gateway configs, routing/ACLs, CMDB exports, runbooks, and patch compliance reports.
- Scoped host groups, Windows release train, KB/hotfix evidence, IKE service
state, effective UDP
500/4500reachability, peer allow-lists, and rollout owners. - Available patch inventory, firewall/routing validation, configuration compliance checks, change-window evidence, and vulnerability scan results.
Affected versions
- Vulnerable: Windows systems with vulnerable April 2026 patch level and IKEv2 reachable.
- Fixed: Microsoft security update that remediates CVE-2026-33824.
Indicator-of-exposure
- Host runs IKEv2/IPsec services.
- UDP ports
500and/or4500are reachable from untrusted networks. - April 2026 security updates not yet applied.
Quick checks:
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 20
Get-NetFirewallRule -Enabled True | Where-Object { $_.DisplayName -match 'IKE|IPsec' }
netstat -ano | findstr ":500 :4500"
Remediation strategy
- Apply Microsoft’s security update addressing CVE-2026-33824.
- If patch rollout is staged, temporarily restrict/deny inbound UDP 500/4500 except known VPN peers.
- Audit VPN gateways and Always-On VPN endpoints first (highest blast radius).
The prompt
You are remediating CVE-2026-33824 (Windows IKEv2 RCE). Produce exactly one
output:
- A change request/runbook update with patch + exposure reduction actions, or
- TRIAGE.md if patch deployment is blocked.
## Rules
- Scope only CVE-2026-33824.
- Prioritize internet-facing IKEv2 gateways.
- Do not claim remediation unless both patch status and network exposure checks
are documented.
## Steps
1. Inventory Windows systems with IKEv2 enabled and exposed on UDP 500/4500.
2. Validate patch status for CVE-2026-33824 on each asset group.
3. For unpatched systems, add immediate mitigation:
- block inbound UDP 500/4500 where IKE is unnecessary, or
- allow-list known peers only.
4. Produce rollout plan applying the April 2026 security update.
5. Add verification plan:
- patch evidence (KB/hotfix inventory),
- firewall/routing evidence for UDP 500/4500 controls.
6. Output title:
`fix(sec): mitigate and remediate CVE-2026-33824 (Windows IKEv2)`.
## Stop conditions
- Target fleet has no IKEv2 exposure.
- Patch identification data is unavailable for this environment.
- Required firewall changes cannot be validated safely.
Verification — what the reviewer looks for
- Patch evidence exists for scoped systems.
- UDP 500/4500 exposure is explicitly reduced or justified.
- Remaining risk (if any) has owner + deadline.
Output contract
- Reviewer-ready change request or runbook update documenting patch evidence
and effective UDP
500/4500exposure for every scoped Windows IKEv2 group. - Temporary firewall, ACL, VPN peer allow-list, or routing containment for unpatched systems where IKEv2 remains reachable.
- Operator notes covering rollout order, KB/update evidence, validation commands, remaining risk owner, and deadline.
TRIAGE.mdwhen patch inventory, fleet ownership, or firewall authority is outside this repository.
Watch for
- Looking only at Windows desktop fleets while VPN gateways, Always-On VPN servers, and cloud Windows images keep IKEv2 exposed.
- Treating a firewall rule name as proof of containment without checking the effective inbound UDP 500/4500 path.
- Assuming a host is safe because it is behind NAT while peers or VPN clients can still reach IKE.
- Patching without recording the exact KB/update evidence reviewers need for the scoped Windows release train.
Related recipes
- Critical infrastructure secure context
- CVE intelligence intake gate
- Source code supply-chain build integrity audit
References
- ZDI technical analysis (2026-04-23): https://www.zerodayinitiative.com/blog/2026/4/22/cve-2026-33824-remote-code-execution-in-windows-ikev2
- Microsoft advisory record: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33824
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33824