ZERO DAY INITIATIVE - BLOG
CVE-2026-33824: Remote Code Execution in Windows IKEv2
HIGH IKEv2 double-free RCE Windows Server
Strategic summary
A double free vulnerability (CVE-2026-33824) in the Windows IKEv2 service allows unauthenticated remote attackers to crash the service or execute arbitrary code via crafted fragments. The flaw occurs when processing fragments of the Internet Key Exchange protocol, which is used for VPN connections. All supported versions of Windows with IKEv2 are affected. Microsoft has released a patch.
Key findings
- CVE-2026-33824 is a double free vulnerability in the Windows IKEv2 service.
- An unauthenticated remote attacker can send specially crafted IKEv2 fragment packets.
- Successful exploitation may cause the IKEEXT service to crash or allow arbitrary code execution.
- All currently supported Windows versions with the VPN feature enabled are affected.
- Microsoft has issued a security update to address this vulnerability.
Relevance for you
A double-free vulnerability in the Windows IKEv2 service allows unauthenticated remote attackers to crash the IKEEXT service or execute arbitrary code by sending crafted packet fragments.
Mentioned CVEs
Risk score
74
- cvss base
- 98.00
- kev bonus
- 0.00
- epss bonus
- 10.00
- poc bonus
- 15.00
- raw before weight
- 123.00
- industry weight
- 1.21
- freshness factor
- 0.50
- exploitability factor
- 1.00
- days old
- 76.00
- vendor mismatch penalty
- 0.00
Path: operational
MITRE ATT&CK mapping
3 TTPs Recon
Resource Dev
Initial Access
T1133 External Remote Services Execution
Persistence
Priv. Escal.
Def. Evasion
Cred. Access
Discovery
Lateral Mov.
T1210 Exploitation of Remote Services Collection
C2
Exfiltration
Procedure details
| Technique | Tactic | Procedure | Conf. | Source |
|---|---|---|---|---|
| T1210 Exploitation of Remote Services | Lateral Movement | An unauthenticated remote attacker exploits a double free vulnerability in the Windows IKEv2 service (IKEEXT) by sending crafted packets to the target server, potentially achieving arbitrary code execution or crashing the service. | high | llm |
| T1499.004 Application or System Exploitation | Impact | Successful exploitation of the double free vulnerability in the IKEv2 fragment reassembly process can result in a crash of the IKEEXT service, causing denial of service on the targeted Windows system. | high | llm |
| T1133 External Remote Services | Initial Access | The vulnerability exists in Windows IKEv2, which is used by the built-in VPN feature. Attackers can target externally exposed IKE/ISAKMP services on UDP port 500/4500 to send crafted fragmented packets and trigger the vulnerability. | medium | llm |