Valtik Studios

Windows · critical · Updated 2026-05-04 · 8 min read

# CVE-2026-33824: an unauthenticated 9.8 in Windows IKE. The next WannaCry shape, if it gets weaponized.

Microsoft's April 2026 Patch Tuesday shipped a fix for an unauthenticated, network-reachable, no-user-interaction RCE in Windows IKE Service Extensions. CVSS 9.8. UDP 500/4500. Affects Windows Server 2016-2025 and all Windows 10/11. Microsoft assessed exploitation as "more likely." This is the WannaCry shape: wormable, pre-auth, exposed at scale on Always On VPN deployments. Patches landed April 14. The window before a public PoC appears is short.

Phillip (Tre) Bucchi · Founder, Valtik Studios. Penetration tester. Based in Connecticut, serving US mid-market.

Microsoft's April 2026 Patch Tuesday shipped fixes for 167 CVEs. One of them, CVE-2026-33824, is a Critical-rated remote code execution flaw in the Windows Internet Key Exchange (IKE) Service Extensions with a CVSS base score of 9.8. It is unauthenticated. It requires no user interaction. It is exploited over UDP ports 500 and 4500. And it affects every supported Windows Server release from 2016 through 2025, plus every supported Windows 10 and Windows 11 edition.

That is the WannaCry shape. Network-reachable. Pre-authentication. Code execution. The two material differences from MS17-010 / EternalBlue are that this is in IKE rather than SMB, and the attack surface is therefore concentrated on Windows machines acting as VPN endpoints or IPsec peers — which is a smaller population than "every Windows Server with port 445 open." That said, the smaller population is still in the seven-figure range based on Shodan exposure data, and a Windows Server running RAS / Always On VPN is by definition a high-value target.

This post walks through what the bug is, the exploit conditions, who is in scope, and the mitigation guidance for environments that cannot patch immediately.

## What the bug is

The Windows IKE Service Extensions module handles IPsec key exchange — the protocol negotiations that establish IPsec tunnels for site-to-site VPN, Always On VPN, RAS, and machine-to-machine IPsec across an Active Directory domain. When the IKE service receives certain specially crafted packets during a key exchange handshake, the implementation has a double-free condition. The same chunk of memory is freed twice during error handling on a malformed packet sequence. With a controllable allocator state, the double free becomes a write primitive. With a write primitive, the attacker shapes the heap to land arbitrary code execution in the kernel-adjacent privilege context of the IKE service.

ZDI's writeup (CVE-2026-33824 was disclosed through Trend Micro's Zero Day Initiative) classifies the bug as exploitable to remote code execution. Microsoft's own assessment is that exploitation is "more likely," which is Microsoft's framing for vulnerabilities it expects to see weaponized within 30 days of patch release. As of this writing (early May 2026), no public PoC has been released. At the typical rate for this bug class, that is a matter of days to weeks.

## What is in scope

The vulnerable surface is any Windows host with the IKE service running on the network. In practice:

High-exposure systems:

  • Windows Server with the Routing and Remote Access role configured for VPN
  • Windows Server hosting Always On VPN infrastructure
  • Windows Server running DirectAccess (legacy, but still deployed in some federal and education environments)
  • Domain controllers with IPsec policies that establish machine authentication
  • Workstation members of a domain that requires IPsec for SMB or RPC traffic

Lower-exposure but still in scope:

  • Workgroup Windows Server hosts with IKE enabled but not actively configured
  • Windows 10 / 11 workstations on networks where IPsec is enforced

The packet must reach UDP 500 or UDP 4500. For internet-facing IKE endpoints (a common Always On VPN deployment pattern), this means an attacker on the public internet can deliver the packet directly. For internal-only IPsec deployments, the attacker needs lateral movement first — but if they have lateral movement, this turns it into a hop to RCE on the IKE service host.

## Why this is the WannaCry shape

WannaCry happened because EternalBlue was a wormable, pre-authentication, network-reachable RCE in a service that was internet-exposed at scale. Three properties:

  1. Wormable: The exploit can spread without user interaction. A compromised host can reach other hosts and exploit them, propagating like a worm.
  2. Pre-authentication: No credentials needed. The exploit fires before any login flow.
  3. Network-reachable at scale: Many vulnerable hosts have the affected service exposed on the public internet, so worming is not bottlenecked by lateral-movement requirements.

CVE-2026-33824 has all three properties. IKE's protocol design means a successful exploit can be orchestrated against many hosts in parallel. Pre-authentication is built into the bug. Internet exposure of UDP 500 / 4500 is a known artifact of every Always On VPN deployment.

The fact that Microsoft assessed this as "exploitation more likely" while no PoC is yet public means defenders have a window. The window is short. Conservative estimates are 30 days, faster estimates are 14. After the window closes, the question is not whether attackers will be running this, but how many of them and at what speed.

## What you do this week

The patch landed on April 14, 2026. Three weeks of patching window have already elapsed. If you have not patched, the urgency is now.

Step 1: Inventory IKE-enabled hosts. Run on every Windows Server in your environment:

```powershell
# Is the IKE and AuthIP IPsec Keying Modules service (IKEEXT) running, and how does it start?
Get-Service -Name IKEEXT | Format-List Name, Status, StartType
# Which IPsec rules (and therefore which IKE negotiations) does this host actually depend on?
Get-NetIPsecRule | Format-Table -AutoSize
```

Any host where IKEEXT is Running and not Disabled is in scope.

Step 2: Check internet exposure. Have the network team identify which hosts have UDP 500 or UDP 4500 reachable from the public internet, even if firewall rules theoretically restrict it. Run an external scan from a non-corporate origin to confirm. The number of times an "internal-only" IKE endpoint turns out to be reachable through a misconfigured firewall rule is non-zero.

Step 3: Patch. The Microsoft April 2026 cumulative updates contain the fix. The KB numbers vary by Windows version; the relevant servicing stack updates plus the cumulative are documented in MSRC's advisory. Server reboots are required for the kernel-mode fix to apply.

Step 4: If you cannot patch immediately, restrict UDP 500 / 4500. Block the ports at the perimeter for any Windows host that is not actively functioning as a VPN endpoint. For hosts that *must* serve IKE on those ports, consider source-IP restrictions to the known set of expected peers. Workstations almost never need to receive IKE — they initiate sessions outbound. Block inbound at the host firewall.

Step 5: Audit IPsec rule policy. For environments using domain-wide IPsec, review whether the policy can be relaxed to remove the always-on listening service from non-essential hosts. The most secure version of "patch IKE" is "uninstall IKE on hosts that don't need it."
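The five steps above, carried through on a single host as one script. This is an added example written for this post, not tooling from Valtik or Microsoft. It assumes an elevated PowerShell session with the NetSecurity and NetTCPIP modules that ship with supported Windows; the `$FixKBs` values are placeholders you replace with the KB numbers for your build from MSRC's advisory, and `$AllowedPeers` is your own list of expected IKE peers for hosts that must keep serving VPN. Step 2's external scan from a non-corporate origin still has to be run separately; the script only shows the host-side view.

```powershell
<#
  Added example (not code from the post): walk Steps 1-5 on the local host.
  Assumptions: run as Administrator; NetSecurity / NetTCPIP modules present.
  $FixKBs are placeholders for the KB numbers in MSRC's advisory.
#>
param(
    # Expected IKE peers for a host that must serve VPN. Empty means this
    # host does not serve IKE, so all inbound UDP 500/4500 gets blocked.
    [string[]]$AllowedPeers = @(),
    # Placeholder KB ids; fill in from the MSRC advisory for this OS build.
    [string[]]$FixKBs = @('KBPLACEHOLDER-SSU', 'KBPLACEHOLDER-CU'),
    # Report only unless -Enforce is supplied.
    [switch]$Enforce
)

# Step 1: IKEEXT present, running, and not disabled?
$ike = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
$inScope = [bool]($ike -and $ike.Status -eq 'Running' -and $ike.StartType -ne 'Disabled')
"IKEEXT status={0} startType={1} inScope={2}" -f $ike.Status, $ike.StartType, $inScope

# Enabled IPsec rules show whether the host actually depends on IKE.
$ipsecRules = @(Get-NetIPsecRule -ErrorAction SilentlyContinue | Where-Object { $_.Enabled -eq 'True' })
"Enabled IPsec rules: {0}" -f $ipsecRules.Count

# Step 2 (host-side view only): what is bound to UDP 500/4500?
Get-NetUDPEndpoint | Where-Object { $_.LocalPort -in 500, 4500 } | ForEach-Object {
    "Listening on {0}:{1} (PID {2})" -f $_.LocalAddress, $_.LocalPort, $_.OwningProcess
}

# Step 3: is the April 2026 cumulative (identified by KB) installed?
$installed = (Get-HotFix).HotFixID
$missing = @($FixKBs | Where-Object { $_ -notin $installed })
if ($missing.Count) { "Missing fix KBs: $($missing -join ', ')" } else { "Fix KBs present." }

# Step 4: restrict inbound IKE while the host is in scope and unpatched.
if ($inScope -and $missing.Count) {
    # Existing inbound Allow rules for UDP 500/4500 (e.g. predefined RRAS/IPsec
    # rules) keep the ports open; list them, and disable them when enforcing.
    $openRules = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'UDP' -and ($_.LocalPort -contains '500' -or $_.LocalPort -contains '4500') } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    foreach ($r in $openRules) { "Inbound Allow rule covering IKE: {0}" -f $r.DisplayName }

    if ($Enforce) {
        if ($AllowedPeers.Count -eq 0) {
            # Non-VPN host (workstations, most servers): block all inbound IKE.
            New-NetFirewallRule -DisplayName 'CVE-2026-33824 mitigation: block inbound IKE' `
                -Direction Inbound -Protocol UDP -LocalPort 500, 4500 -Action Block | Out-Null
        } else {
            # VPN endpoint: allow only the expected peers, retire broader Allow
            # rules, and rely on the profile's default inbound Block for the rest.
            # (A Block rule cannot be used for "everyone else": in Windows Firewall
            # an explicit Block always beats an Allow, so it would block the peers too.)
            New-NetFirewallRule -DisplayName 'CVE-2026-33824 mitigation: IKE from known peers' `
                -Direction Inbound -Protocol UDP -LocalPort 500, 4500 -Action Allow `
                -RemoteAddress $AllowedPeers | Out-Null
            foreach ($r in $openRules) { Disable-NetFirewallRule -Name $r.Name }
            Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' } | ForEach-Object {
                "WARNING: profile {0} default inbound action is {1}, not Block" -f $_.Name, $_.DefaultInboundAction
            }
        }
    }
}

# Step 5: a host with no enabled IPsec rules and no VPN role has no reason to
# run IKEEXT at all; that is the surface reduction the post recommends.
if ($inScope -and $ipsecRules.Count -eq 0 -and $AllowedPeers.Count -eq 0) {
    "IKEEXT is running with no enabled IPsec rules: candidate for disabling the service."
    if ($Enforce) { Stop-Service -Name IKEEXT -Force; Set-Service -Name IKEEXT -StartupType Disabled }
}
```

Run it without `-Enforce` first and read the report; on a fleet, push it through your existing remote-execution tooling and collect the output centrally. The Step 5 branch is deliberately conservative: it only touches hosts that have no enabled IPsec rules and no declared peers, because IKEEXT is also what services the IPsec policy on domain members, and disabling it there would silently break the traffic that policy protects.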

## Detection if exploitation has already happened

If your environment has internet-facing IKE endpoints, assume the patching window may have elapsed for some attackers. Detection signals:

  • Crashes or restarts of the IKE Service Extensions process (IKEEXT) outside of expected maintenance windows
  • Unusual outbound connections from the IKE host immediately following an incoming UDP 500 / 4500 packet from an unexpected source
  • New scheduled tasks, services, or processes spawned by the IKE service or its parent process tree
  • Active Directory authentication anomalies originating from the host (the IKE service runs in a privileged context; post-exploit lateral movement through AD is the natural next step)
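A host-side hunt for the first three signals above. This is an added example, not detection content from the post, Microsoft or ZDI. It assumes an elevated session and no Sysmon, so the "spawned process" check is a point-in-time snapshot of the process tree rather than history; the default lookback is a constructed value covering the period since the patch shipped. Service Control Manager event IDs 7031 and 7034 are the standard "service terminated unexpectedly" records, which is where an IKEEXT crash from a malformed exchange would show up.

```powershell
<#
  Added example (not from the post): hunt for IKEEXT crashes, unexpected
  children of the IKEEXT service host, and unexpected TCP sessions from it.
  Assumptions: run as Administrator; no Sysmon. $Since is a constructed default.
#>
param([datetime]$Since = (Get-Date '2026-04-14'))  # patch release date per the post

# Signal 1: IKEEXT terminating unexpectedly. SCM logs 7031 (terminated
# unexpectedly, recovery action taken) and 7034 (terminated unexpectedly).
# The message carries the display name, so match on both names.
$crashes = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7031, 7034; StartTime = $Since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'IKEEXT|IKE and AuthIP IPsec Keying Modules' }
foreach ($e in $crashes) { "{0:u} IKEEXT terminated unexpectedly (event {1})" -f $e.TimeCreated, $e.Id }

$svc = Get-CimInstance Win32_Service -Filter "Name='IKEEXT'"
if ($svc -and $svc.ProcessId) {
    # Caveat: on builds that share svchost processes, other services may live in
    # the same PID, so list them before attributing a child or connection to IKEEXT.
    $cohosted = Get-CimInstance Win32_Service -Filter "ProcessId=$($svc.ProcessId)" |
        Where-Object { $_.Name -ne 'IKEEXT' } | Select-Object -ExpandProperty Name
    if ($cohosted) { "Services sharing PID {0} with IKEEXT: {1}" -f $svc.ProcessId, ($cohosted -join ', ') }

    # Signal 3: children of the svchost hosting IKEEXT. A healthy IKEEXT never
    # spawns processes, so any child here is worth a look.
    $children = Get-CimInstance Win32_Process -Filter "ParentProcessId=$($svc.ProcessId)"
    foreach ($c in $children) {
        "Child of IKEEXT host PID {0}: {1} (PID {2}) {3}" -f $svc.ProcessId, $c.Name, $c.ProcessId, $c.CommandLine
    }

    # Signal 2 (host view): TCP sessions owned by the IKEEXT host process.
    # Legitimate IKE traffic is UDP 500/4500; an established TCP session
    # from this PID is unexpected and is the "unusual outbound" signal.
    Get-NetTCPConnection -OwningProcess $svc.ProcessId -ErrorAction SilentlyContinue |
        Where-Object { $_.State -ne 'Listen' } | ForEach-Object {
            "TCP from IKEEXT host: {0}:{1} -> {2}:{3} ({4})" -f $_.LocalAddress, $_.LocalPort, $_.RemoteAddress, $_.RemotePort, $_.State
        }
}
```

The crash signal is the one worth wiring into your SIEM: a 7031/7034 for IKEEXT on an internet-facing VPN endpoint, followed by anything from the fourth bullet (authentication anomalies from that host), is the sequence that should page someone. The process and connection checks only tell you about right now, which is why Sysmon or Defender for Endpoint process-creation telemetry is the better long-term source for them.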

Sigma rules and Defender for Endpoint detection content for the bug class are being published as researchers work through the bug. Subscribe to MSRC and Microsoft Defender's threat-analytics feed to track what lands.

## The bigger lesson

The Patch Tuesday volume from the last twelve months tells a story. Microsoft is shipping more critical pre-auth network RCEs in core Windows networking components than at any time since the early Vista era. CVE-2024-38063 (TCP/IP, August 2024). CVE-2025-21391 (Kerberos, February 2025). CVE-2025-32706 (RDP, May 2025). And now CVE-2026-33824.

The pattern is not a Microsoft regression; it is the result of a sustained focus on the pre-auth Windows network stack from offensive researchers, both private and government. Microsoft is patching as fast as researchers report, but the bugs are real and long-standing. Every quarter has another one of these.

The defender posture that survives this regime is not faster patching — Microsoft's own patching cadence is the bottleneck and you cannot move faster than the patch ship date. The posture that survives is reduction of the pre-auth network surface. Every Windows Server that does not need IKE should not have IKE running. Every host that does not need SMB exposed beyond a tightly-scoped network should not have SMB on the wire. Every RDP host should be behind a jump server. The smaller the pre-auth surface, the smaller the population of hosts your organization has to crash-patch every time another 9.8 lands.

## How Valtik helps

We audit Windows fleets for pre-auth network surface, IPsec / IKE configuration, RAS / Always On VPN exposure, and the lateral-movement paths that turn perimeter exploits into AD compromise. If your environment includes Windows VPN infrastructure, we can map your CVE-2026-33824 exposure and the mitigations that buy time if patching is constrained. Free external check at valtikstudios.com/free-check. Direct: contact@valtikstudios.com.

Tags: news, CVE-2026-33824, windows, ike, ipsec, vpn, remote code execution, patch tuesday, pre-auth, wormable
