Skip to content
Auto-CTI
Back to all deep dives
ZERO DAY INITIATIVE - BLOG

CVE-2026-33824: Remote Code Execution in Windows IKEv2

HIGH IKEv2 double-free RCE Windows Server
CVE-2026-33824: Remote Code Execution in Windows IKEv2

Strategic summary

A double free vulnerability (CVE-2026-33824) in the Windows IKEv2 service allows unauthenticated remote attackers to crash the service or execute arbitrary code via crafted fragments. The flaw occurs when processing fragments of the Internet Key Exchange protocol, which is used for VPN connections. All supported versions of Windows with IKEv2 are affected. Microsoft has released a patch.

Key findings

  • CVE-2026-33824 is a double free vulnerability in the Windows IKEv2 service.
  • An unauthenticated remote attacker can send specially crafted IKEv2 fragment packets.
  • Successful exploitation may cause the IKEEXT service to crash or allow arbitrary code execution.
  • All currently supported Windows versions with the VPN feature enabled are affected.
  • Microsoft has issued a security update to address this vulnerability.

Relevance for you

A double-free vulnerability in the Windows IKEv2 service allows unauthenticated remote attackers to crash the IKEEXT service or execute arbitrary code by sending crafted packet fragments.

Mentioned CVEs

Risk score

74
cvss base
98.00
kev bonus
0.00
epss bonus
10.00
poc bonus
15.00
raw before weight
123.00
industry weight
1.21
freshness factor
0.50
exploitability factor
1.00
days old
76.00
vendor mismatch penalty
0.00

Path: operational

MITRE ATT&CK mapping

3 TTPs
Recon
Resource Dev
Execution
Persistence
Priv. Escal.
Def. Evasion
Cred. Access
Discovery
Collection
C2
Exfiltration
Conf.: high medium low

Procedure details

Technique Tactic Procedure Conf. Source
T1210
Exploitation of Remote Services
Lateral Movement An unauthenticated remote attacker exploits a double free vulnerability in the Windows IKEv2 service (IKEEXT) by sending crafted packets to the target server, potentially achieving arbitrary code execution or crashing the service. high llm
T1499.004
Application or System Exploitation
Impact Successful exploitation of the double free vulnerability in the IKEv2 fragment reassembly process can result in a crash of the IKEEXT service, causing denial of service on the targeted Windows system. high llm
T1133
External Remote Services
Initial Access The vulnerability exists in Windows IKEv2, which is used by the built-in VPN feature. Attackers can target externally exposed IKE/ISAKMP services on UDP port 500/4500 to send crafted fragmented packets and trigger the vulnerability. medium llm
ESC