OTPulse

Windows TCP/IP Remote Code Execution Vulnerability

Plan PatchCVSS 8.1CVE-2026-33827Apr 14, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityHigh
User InteractionNone needed
Summary

A race condition in the Windows TCP/IP stack allows an unauthenticated attacker on the network to execute arbitrary code by sending specially crafted network packets. The vulnerability affects Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), and Windows Server 2016, 2019, 2022, and 2025 across 32-bit, 64-bit, and ARM64 architectures. Exploitation is considered less likely in the wild, but the remote code execution capability poses significant risk to networked control system components.

What this means
What could happen
An attacker on the network could execute code on Windows systems running vulnerable TCP/IP stacks, potentially allowing them to take control of the device and modify process setpoints, disable safety interlocks, or disrupt critical operations in water treatment or power distribution systems.
Who's at risk
Water utilities and electric utilities running Windows 10 (versions 1607, 1809, 21H2, 22H2) or Windows 11/Server 2016/2019/2022/2025 should be concerned if these systems are used for HMI workstations, historian servers, data acquisition systems, or any networked engineering stations. Windows Server Core installations are also affected if used in control system networks.
How it could be exploited
An attacker sends specially crafted TCP/IP packets to a vulnerable Windows system over the network. The packets exploit a timing flaw (race condition) in how Windows handles concurrent network connections, allowing the attacker to run arbitrary code with the same privileges as the network service processing the traffic.
Prerequisites
  • Network access to the affected Windows system
  • No authentication required
  • Attacker must send network traffic that triggers the race condition timing window
remotely exploitableno authentication requiredaffects critical infrastructurerace condition complexity may limit practical exploitability
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (27)
27 with fix
ProductAffected VersionsFix Status
Windows 10 Version 1809 for 32-bit SystemsAll versionsBuild 10.0.17763.8644
Windows 10 Version 1809 for x64-based SystemsAll versionsBuild 10.0.17763.8644
Windows Server 2019All versionsBuild 10.0.17763.8644
Windows Server 2019 (Server Core installation)All versionsBuild 10.0.17763.8644
Windows Server 2022All versionsBuild 10.0.20348.5020
Remediation & Mitigation
0/3
Do now
0/1
HARDENINGRestrict network access to Windows servers running SCADA, HMI, or other critical control systems to authorized subnets only using firewall rules
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXApply Microsoft April 2026 security update to all affected Windows versions (see fixed versions in product list)
Long-term hardening
0/1
HARDENINGSegment control systems onto isolated networks with minimal external connectivity where operationally feasible
View full vendor advisory
API: /api/v1/advisories/40c8b218-1163-4fa8-8276-d37312b2e8f7

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.