Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability

Plan Patch | CVSS 9.8 | CVE-2026-33824 | Apr 14, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A double-free vulnerability in the Windows IKE (Internet Key Exchange) service extension allows an attacker to execute arbitrary code remotely over the network without authentication. The vulnerability affects Windows 10, Windows 11, and Windows Server 2016, 2019, 2022, and 2025. Exploitation in the wild is assessed as less likely, but the critical CVSS score (9.8) reflects the severity if it is exploited.

What this means
What could happen
An attacker with network access to the IKE service could run arbitrary code on your Windows server or workstation with system privileges, potentially compromising SCADA networks, data historians, or engineering workstations that communicate via IPsec VPN.
Who's at risk
Windows 10 and Windows 11 workstations, Windows Server 2016/2019/2022/2025, and Server Core installations used in SCADA networks, data centers, and as engineering workstations for industrial control systems that rely on IPsec VPN for secure remote access.
How it could be exploited
An attacker sends a specially crafted IKE (Internet Key Exchange) packet to port 500 (UDP) on a vulnerable Windows system. The double-free vulnerability in the IKE extension processing triggers memory corruption, allowing arbitrary code execution without authentication. The attacker gains system-level control and can modify network configurations, access sensitive data, or pivot to other systems on your industrial network.
Prerequisites
  • Network access to UDP port 500 (IKE service)
  • Target must be running a vulnerable Windows version listed in the advisory
  • IKE service must be enabled and listening on the network
remotely exploitable | no authentication required | low complexity | high CVSS score (9.8) | affects critical Windows infrastructure used in OT environments
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (27)
27 with fix
Product | Affected Versions | Fix Status
Windows 10 Version 1809 for 32-bit Systems | All versions | Build 10.0.17763.8644
Windows 10 Version 1809 for x64-based Systems | All versions | Build 10.0.17763.8644
Windows Server 2019 | All versions | Build 10.0.17763.8644
Windows Server 2019 (Server Core installation) | All versions | Build 10.0.17763.8644
Windows Server 2022 | All versions | Build 10.0.20348.5020
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to UDP port 500 to only authorized IPsec peers; block this port at the firewall for untrusted networks and external access
WORKAROUND: Disable the IKE service on systems that do not require IPsec VPN functionality
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply the April 2026 Windows security update to all affected Windows servers and workstations immediately upon availability
Long-term hardening
HARDENING: Isolate critical OT systems (PLCs, RTUs, historians) on a segmented network with restricted IPsec connectivity to engineering workstations only
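
An added example, not part of the advisory or of Microsoft's guidance: a PowerShell check that evaluates the three prerequisites and the two "Do now" items above on a single host. The function names are hypothetical, the fixed builds cover only the product rows listed on this page, and IKEEXT is the Windows service name for the IKE and AuthIP IPsec Keying Modules.

```powershell
# Added example: local check of this advisory's prerequisites and "Do now" items.
# Fixed builds are copied from the product rows shown on the page; other builds report Unknown.
$FixedRevision = @{
    17763 = 8644   # Windows 10 Version 1809 / Windows Server 2019
    20348 = 5020   # Windows Server 2022
}

function Test-BuildPatched {
    param([int]$Build, [int]$Revision)
    if (-not $FixedRevision.ContainsKey($Build)) { return 'Unknown' }
    if ($Revision -ge $FixedRevision[$Build]) { 'Patched' } else { 'Vulnerable' }
}

function Get-Udp500AllowRule {
    # Enabled inbound allow rules in the local store that name UDP 500 explicitly.
    # Any-port rules and port ranges are not expanded here.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -eq 'UDP' -and @($port.LocalPort) -contains '500') {
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Profile       = $rule.Profile
                RemoteAddress = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            }
        }
    }
}

function Get-IkeExposure {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $svc   = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
    $udp   = @(Get-NetUDPEndpoint -LocalPort 500 -ErrorAction SilentlyContinue)
    $rules = @(Get-Udp500AllowRule)
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Build         = '10.0.{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
        PatchState    = Test-BuildPatched -Build $cv.CurrentBuild -Revision $cv.UBR
        IkeService    = if ($svc) { '{0} (start: {1})' -f $svc.Status, $svc.StartType } else { 'Not present' }
        Udp500Bound   = $udp.Count -gt 0          # something is listening on UDP 500
        AllowRules    = $rules.Count              # explicit inbound allow rules for UDP 500
        AnyRemotePeer = @($rules | Where-Object RemoteAddress -eq 'Any').Count -gt 0
    }
}

Get-IkeExposure | Format-List
```

Run it in an elevated session. A host that reports Vulnerable with Udp500Bound and AnyRemotePeer both true is a first candidate for the workarounds and the update; Get-Udp500AllowRule lists the rules whose remote addresses should be narrowed to authorized IPsec peers.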