CVE-2026-33824 BlueHammer: Wormable Windows IKE RCE, CVSS 9.8

This week in our InSEKurity of the Week series: a critical, unauthenticated remote code execution flaw in the Windows Internet Key Exchange (IKE) Service Extensions. A double free in IKEEXT.dll lets a remote attacker reach NT AUTHORITY\SYSTEM on every supported Windows and Windows Server release by sending crafted IKEv2 traffic to UDP/500 or UDP/4500 — no credentials, no user interaction. The Zero Day Initiative has flagged the bug as wormable, a public proof-of-concept nicknamed BlueHammer is already circulating on GitHub, and Microsoft’s exploitability rating is “Exploitation More Likely.” If you run VPN concentrators, RRAS servers, Always On VPN endpoints, or simply have IKEEXT listening on anything reachable from an untrusted network, this one is for you.

🚨 Summary

CVE ID: CVE-2026-33824
EUVD ID: EUVD-2026-22641
Alias: BlueHammer
CVSS 3.1 Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-415 (Double Free)
Affected Software: Windows Internet Key Exchange (IKE) Service Extensions (IKEEXT.dll) on Windows 10 (1607, 1809, 21H2, 22H2), Windows 11 (22H2, 23H2, 24H2, 25H2, 26H1), and Windows Server 2016 / 2019 / 2022 / 2025 — x86, x64, and ARM64
Attack Vector: Network (remote, unauthenticated) — UDP/500 (IKE) and UDP/4500 (IKE NAT-T)
Authentication Required: None
User Interaction: None
Impact: Remote code execution as NT AUTHORITY\SYSTEM, wormable
Patch Status: ✅ Available (Microsoft, April 14, 2026 Patch Tuesday)
Published: April 14, 2026
Exploitation Status: Public PoC (BlueHammer) on GitHub; Microsoft rates exploitation as “More Likely”; limited reports of in-the-wild probing
CISA KEV: Not listed (as of publication, 2026-04-21)

🖥️ What is the Windows IKE Service?

The Internet Key Exchange (IKE) protocol (RFC 7296 for IKEv2) is the key negotiation layer that underpins IPsec. IKE peers negotiate cryptographic parameters, exchange Diffie-Hellman key material, and authenticate each other before any IPsec-protected data ever flows. IKEv2 runs over UDP, traditionally on port 500, and on port 4500 when NAT traversal is required.

On Windows, IKE is implemented by the IKE and AuthIP IPsec Keying Modules service (IKEEXT), a user-mode service that loads IKEEXT.dll and hands negotiated keys down to the kernel-mode IPsec driver. IKEEXT is present on every modern Windows SKU, runs as LocalSystem, and starts automatically whenever an IPsec policy, a VPN profile, or any component that uses IKE is activated. In practice, that covers a lot of ground:

Typical Use Cases

Remote-access VPN servers: RRAS, Always On VPN, and third-party IKEv2 VPN endpoints terminating employee and site-to-site tunnels.
Site-to-site IPsec gateways: Windows Server acting as an IKEv2 IPsec peer to branch offices, partners, or cloud gateways.
Windows IPsec policies: domain isolation, server isolation, and “boundary” / “encryption” zones configured via Windows Defender Firewall.
DirectAccess infrastructure and legacy IPsec-based tunnel brokers.
Client-side IKEv2 VPN: laptops and mobile clients that respond to IKE traffic on certain network profiles.
Cloud workloads: Windows VMs in Azure, AWS, or GCP exposed to the internet with IPsec enabled and the relevant UDP ports reachable.

Because IKEEXT is load-bearing for IPsec and VPN, it sits on a trust boundary between the untrusted network and a SYSTEM-privileged service. A pre-auth RCE in this exact component is about as bad as remote code execution gets on Windows.

🔍 Technical Analysis

Vulnerability Description

CVE-2026-33824 is a double free memory-corruption flaw (CWE-415) in the Windows IKE Service Extensions. Public analysis places the defect in the IKEv2 payload-processing path inside IKEEXT.dll (reported as IKEEXT::ProcessIKEPayload). When the service parses a malformed IKEv2 message containing invalid nested payloads, the error-handling branch frees an allocation but fails to null out the pointer referencing it. A subsequent cleanup pass frees the same allocation a second time, corrupting heap metadata and handing the attacker a classic heap-corruption primitive that can be groomed into arbitrary write — and from there, into code execution in the context of IKEEXT, which runs as NT AUTHORITY\SYSTEM.

The attacker does not need to complete an IKE_SA_INIT exchange, prove they know a pre-shared key, or present a certificate. The vulnerable parser is reached before any authentication step, on the very first packet of the IKEv2 handshake.

Root Cause Analysis

Use-after-free ordering in the IKEv2 payload parser: the error-handling branch that processes malformed nested payloads calls free() on a payload buffer but leaves the owning pointer intact.
Redundant cleanup path: a later cleanup pass in the same dispatch routine walks the payload chain and frees the still-referenced buffer again — the double free.
Heap-corruption primitive: on modern Windows heap implementations, the double free is exploitable for controlled writes, enabling the attacker to pivot to full code execution.
Pre-authentication reach: the faulty branch sits before the IKE authentication stage. Any packet that reaches IKEEXT on UDP/500 or UDP/4500 can trigger it.
Shared code for server and client roles: both the IKE responder (on VPN / RRAS servers) and the IKE initiator (on client endpoints) consume the same parser, so client-side exposure exists on any machine that actively uses IKEv2.

Attack Vector

A typical exploitation flow looks like this:

# Step 1: Discover reachable IKE endpoints on UDP/500 and UDP/4500.
# The -sU flag tells nmap to probe UDP, and --version-intensity 0 keeps
# things quiet during reconnaissance.
nmap -sU -p 500,4500 --version-intensity 0 \
     --open 203.0.113.0/24 -oG ike-endpoints.gnmap

# Step 2: Confirm the responder is Windows IKEEXT (fingerprint via a
# benign IKE_SA_INIT) -- ike-scan produces a vendor-ID signature that
# identifies Microsoft's IKE implementation.
ike-scan -M -A --id=@attacker 203.0.113.10
# Look for vendor ID strings starting with "MS NT5 ISAKMPOAKLEY" --
# that is the Microsoft IKE stack (IKEEXT on Windows).

# Step 3: Send the crafted malformed IKEv2 payload that triggers the
# double free in IKEEXT::ProcessIKEPayload. The public BlueHammer PoC
# ships a Python/Scapy script that builds this packet and sprays it
# at UDP/500 or UDP/4500.
python3 bluehammer.py --target 203.0.113.10 --port 4500 \
     --shellcode shellcode.bin
# The PoC performs heap grooming, delivers the malformed payload, and
# stages a SYSTEM-level loader on successful exploitation.

# Step 4: Catch the reverse shell / beacon. Because IKEEXT runs as
# NT AUTHORITY\SYSTEM, the attacker's code inherits full SYSTEM context
# without any local privilege escalation step.
nc -nvlp 4444

The command above is illustrative. The actual vulnerability is in the server-side parsing of IKEv2 nested payloads; any functionally equivalent packet that reaches IKEEXT::ProcessIKEPayload triggers the same code path.

A simplified packet-level view of the attack:

Attacker                                                Victim (Windows)
   |                                                          |
   |  UDP/500 or UDP/4500                                     |
   |----- IKEv2 IKE_SA_INIT ---------------------------------->|  IKEEXT.dll parses
   |       (malformed nested payload,                         |  payload chain ->
   |        triggers double free in                           |  free() -> free()
   |        IKEEXT::ProcessIKEPayload)                        |  on same buffer
   |                                                          |  => heap corruption
   |                                                          |
   |<-- SYSTEM shell / C2 beacon ----------------------------<|  shellcode runs
   |                                                          |  as LocalSystem
   v                                                          v

Exploitation in the Wild

2026-04-03 — A GitHub repository publishes exploit code nicknamed BlueHammer targeting a previously unknown double free in Windows IKE Extensions. The code is initially dismissed as unverified.
2026-04-06 — Independent researchers confirm functional exploitation of fully patched Windows Server 2022 machines, prompting private disclosure to Microsoft.
2026-04-14 — Microsoft releases CVE-2026-33824 as part of the April Patch Tuesday rollup. Exploitability assessment: Exploitation More Likely.
2026-04-14 — Zero Day Initiative flags the vulnerability as wormable alongside a separate Windows TCP/IP flaw, giving it a “bug of the month” call-out.
2026-04-15 — 2026-04-21 — Perimeter sensors from several MDR vendors report scanning activity targeting UDP/500 and UDP/4500 on exposed enterprise edges. Confirmed in-the-wild exploitation reports remain limited at the time of writing, and the CVE has not yet been added to the CISA KEV catalog.

Given the pre-auth reach, the public PoC, and the wormable classification, organizations should assume weaponization rather than wait for KEV listing.

Post-Exploitation Impact

SYSTEM-level code execution on the initial host: arbitrary code runs as NT AUTHORITY\SYSTEM inside the IKEEXT service, bypassing any user-context controls.
VPN gateway compromise: on RRAS / Always On VPN / third-party IKEv2 concentrators, the attacker lands directly on the corporate edge with full administrative rights.
Domain pivot: from a compromised VPN gateway or Windows server, the attacker can extract machine credentials, dump LSASS, and move laterally toward domain controllers.
Wormable propagation: since the same vulnerable parser exists on every IKEv2-enabled Windows host, shellcode can scan the internal network for UDP/500 / UDP/4500 and self-replicate.
Persistence below the OS boundary of least privilege: SYSTEM access is sufficient to install services, drivers, scheduled tasks, or EDR-evading implants.
Denial of service: even unsuccessful exploitation attempts can crash IKEEXT, terminating every IPsec tunnel and VPN session on the host.

⚠️ Impact Assessment

Immediate Impact

Pre-auth, network-reachable, CVSS 9.8: no credentials, no user interaction, single crafted IKEv2 packet.
SYSTEM-level code execution: equivalent to full host takeover; no separate LPE required.
Wormable: the same vulnerability exists on every supported Windows SKU, enabling automated lateral propagation.
Public PoC: BlueHammer is already on GitHub; copy-paste weaponization is trivial.
Very large attack surface: any Windows machine with IPsec or IKEv2 VPN enabled on a reachable interface is exposed.

Affected Versions

Platform	Vulnerable	Fixed In
Windows 11 26H1 (x64 / ARM64)	All pre-April 2026 builds	April 2026 Cumulative Update
Windows 11 25H2 (x64 / ARM64)	All pre-April 2026 builds	April 2026 Cumulative Update
Windows 11 24H2 (x64 / ARM64)	All pre-April 2026 builds	April 2026 Cumulative Update
Windows 11 23H2 / 22H2 (x64 / ARM64)	All pre-April 2026 builds	April 2026 Cumulative Update
Windows 10 22H2 / 21H2 / 1809 / 1607 (x86 / x64 / ARM64)	All pre-April 2026 builds	April 2026 Cumulative Update
Windows Server 2025	All pre-April 2026 builds	April 2026 Cumulative Update
Windows Server 2022	All pre-April 2026 builds	April 2026 Cumulative Update
Windows Server 2019	All pre-April 2026 builds	April 2026 Cumulative Update
Windows Server 2016	All pre-April 2026 builds	April 2026 Cumulative Update

Microsoft’s advisory is the authoritative source for the exact KB article and build number per product; always cross-reference MSRC CVE-2026-33824 before deploying.

Affected Environments

Enterprise remote-access VPN: Windows Server running RRAS or Always On VPN with IKEv2, directly reachable on the internet edge.
Site-to-site IPsec gateways: Windows-based IPsec peers at branch offices, cloud landing zones, and partner connections.
Windows Defender Firewall IPsec policies: domain-isolation / server-isolation zones that rely on IKEEXT on every participating host.
Cloud Windows VMs: Azure, AWS, GCP workloads exposed via NSG/SG rules that allow UDP/500 / UDP/4500 inbound.
Client endpoints: laptops running IKEv2 VPN profiles in hotel / conference / coffee-shop networks where hostile peers can send malformed IKE packets.
MSP / managed VPN environments: any multi-tenant gateway built on Windows Server is a single point of failure across customers.

Attacker Profiles

Initial-access brokers: pre-auth SYSTEM on a VPN concentrator is exactly the kind of access sold upstream to ransomware affiliates.
Ransomware operators: wormable SYSTEM-level RCE on Windows Server is a direct path to domain-wide encryption events.
APT groups: strategic compromise of VPN infrastructure enables long-term espionage with implants below the visibility of traditional EDR.
Hacktivists and opportunists: the public PoC lowers the skill barrier to weekend-scale scanning campaigns.
Insiders: an authenticated network foothold plus IKEEXT on an internal Windows server equals full domain compromise without ever touching user-mode auth flows.

🛡️ Mitigation Strategies

Immediate Actions (Priority 1) ⚡

Apply the April 2026 Cumulative Update on every Windows / Windows Server instance:

# Run as Administrator on each host - inventory current build and
# trigger Windows Update scan / install.
Get-ComputerInfo | Select-Object OsName, OsVersion, OsBuildNumber

# Install missing updates non-interactively via the PSWindowsUpdate
# module (install with: Install-Module PSWindowsUpdate -Force).
Import-Module PSWindowsUpdate
Get-WindowsUpdate -MicrosoftUpdate -Install -AcceptAll `
    -IgnoreReboot -Verbose

Confirm the IKE Service Extensions component is patched by checking the file version of IKEEXT.dll:

# IKEEXT.dll lives in %SystemRoot%\System32. The April 2026
# cumulative update bumps its FileVersion -- compare against the
# build listed in Microsoft's advisory for your OS.
Get-Item C:\Windows\System32\IKEEXT.dll |
    Select-Object Name, VersionInfo

Block UDP/500 and UDP/4500 at the perimeter for any host that does not terminate IKE/IPsec traffic:

# Host-level firewall rule - block inbound IKE on hosts that do not
# need to respond on these ports. Add source-IP scopes (-RemoteAddress)
# to restrict to known IPsec peers where IKE is required.
New-NetFirewallRule -DisplayName "Block Inbound IKE (CVE-2026-33824)" `
    -Direction Inbound -Action Block -Protocol UDP `
    -LocalPort 500,4500 -Profile Any

Lock IKE to known peers on hosts that do need IPsec:

# Allow UDP/500 + UDP/4500 only from a whitelist of IPsec gateways /
# branch peers - everything else is dropped at the host firewall.
New-NetFirewallRule -DisplayName "Allow IKE from known peers" `
    -Direction Inbound -Action Allow -Protocol UDP `
    -LocalPort 500,4500 `
    -RemoteAddress 198.51.100.10,198.51.100.11,203.0.113.5 `
    -Profile Any

If IKE / IPsec is not in use at all, disable the service:

# Stop and disable IKEEXT on hosts where no IPsec policy or IKEv2
# VPN profile is deployed. Verify afterwards that no dependent
# services (RRAS, Always On VPN) are needed.
Stop-Service -Name IKEEXT -Force
Set-Service -Name IKEEXT -StartupType Disabled

Reboot and verify: the patch only takes effect after the cumulative update is fully installed and the host is rebooted.

Detection Measures 🔍

No Microsoft-published IoCs exist at the time of writing. Hunt for the symptoms of exploitation: unexpected IKEEXT crashes, suspicious SYSTEM processes spawned from svchost.exe hosting IKEEXT, and unusual IKE traffic from untrusted sources.

# Look for IKEEXT service crashes - double-free attempts will often
# take down the service before a successful exploit succeeds.
Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    ProviderName = 'Service Control Manager'
} | Where-Object { $_.Message -match 'IKEEXT' } |
    Select-Object TimeCreated, Id, Message -First 50

# Faulting application events for svchost.exe hosting IKEEXT.
Get-WinEvent -FilterHashtable @{
    LogName = 'Application'
    Id      = 1000
} | Where-Object { $_.Message -match 'ikeext\.dll' } |
    Select-Object TimeCreated, Message -First 50

# WFP / IPsec operational log - abnormal IKEv2 negotiation failures
# from unexpected source IPs can precede exploitation attempts.
Get-WinEvent -LogName 'Microsoft-Windows-IKEEXT/Operational' `
    -MaxEvents 200 |
    Where-Object { $_.LevelDisplayName -eq 'Error' } |
    Select-Object TimeCreated, Id, Message

Sysmon / EDR hunting:

# Sysmon Event ID 1 (process creation) - any child process of the
# svchost.exe instance hosting IKEEXT is extremely suspicious. Alert
# on process creation where:
#   ParentImage ends with \svchost.exe
#   AND the parent command line contains "-s IKEEXT"
#   AND the child process is NOT a known Windows housekeeping task.

Network-side hunting:

Alert on spikes of UDP/500 or UDP/4500 traffic to Windows hosts that are not IPsec responders.
Alert on fragmented / oversized IKEv2 packets toward any internal Windows host.
Watch perimeter IDS signatures for vendor coverage of CVE-2026-33824 / BlueHammer (Suricata, Snort, Palo Alto, Fortinet, Cisco Firepower).
Alert on new inbound UDP/500 / UDP/4500 flows from external sources to non-gateway Windows hosts.

Long-term Security Improvements

Reduce the IKE attack surface: disable IKEEXT on every Windows host that does not need IPsec. Default-on SYSTEM services that nobody uses are free RCE opportunities.
Segment VPN concentrators: treat RRAS / Always On VPN hosts as tier-0 infrastructure — separate OU, dedicated management network, strict EDR, no shared administrative accounts with the rest of the estate.
Adopt an exposure-management inventory: continuously enumerate which hosts expose UDP/500 and UDP/4500 externally; alert on drift.
Patch-tuesday discipline for network services: Windows services listening on the network edge should be on a 7-day SLA for critical CVEs, not the default 30.
Assume-breach playbooks for VPN gateways: if a gateway is compromised, your domain is a single mimikatz away from falling over. Rehearse the response.
Decommission legacy IKE deployments: audit whether IPsec / IKEv2 is still required; SASE and modern ZTNA architectures often remove the need entirely.

🎯 Why is this Critical?

Pre-auth, CVSS 9.8, SYSTEM-level RCE: no credentials, no user interaction, the worst-case Windows bug class.
Wormable: the same vulnerable parser sits on every supported Windows SKU — classic material for network-propagating malware.
Public PoC already published: BlueHammer on GitHub lowers the bar to “clone, compile, run.”
Massive attack surface: every Windows-based VPN concentrator, every RRAS server, every IPsec-protected host, every cloud VM with IPsec enabled.
SYSTEM context defeats in-OS controls: antivirus, host firewall, credential guard configurations, and user-mode hardening are irrelevant once code runs as NT AUTHORITY\SYSTEM.
VPN gateways are privileged targets: they already sit on the edge, routinely have line-of-sight to domain controllers, and frequently cache machine credentials.
No practical workaround other than patch or isolate: blocking UDP/500 / UDP/4500 works only where IKE is not actually needed — on real VPN concentrators the ports must remain open.

🚀 Timeline and Disclosure

2026-04-03 — BlueHammer PoC code appears on GitHub targeting an unknown double free in Windows IKE Extensions.
2026-04-06 — Independent researchers confirm functional exploitation against fully patched Windows Server 2022.
2026-04-14 — Microsoft publishes CVE-2026-33824 in the April 2026 Patch Tuesday release; exploitability rating “Exploitation More Likely.”
2026-04-14 — Zero Day Initiative assigns the bug a “wormable” classification alongside a separate Windows TCP/IP flaw.
2026-04-17 — NVD publishes the CVSS 3.1 assessment (9.8 CRITICAL).
2026-04-15 — 2026-04-21 — MDR vendors report scanning activity on UDP/500 and UDP/4500 against exposed enterprise edges.
2026-04-21 — CVE not yet added to CISA KEV at the time of writing; public PoC activity continues to grow.

🔗 Resources and References

CVE: CVE-2026-33824
NVD: NVD — CVE-2026-33824
MSRC Advisory: Microsoft Security Update Guide — CVE-2026-33824
CWE: CWE-415: Double Free
IKEv2 RFC: RFC 7296 — Internet Key Exchange Protocol Version 2 (IKEv2)
CISA KEV Catalog: Known Exploited Vulnerabilities

💼 SEKurity Supports You

Vulnerabilities like CVE-2026-33824 are a textbook reminder that any SYSTEM-privileged service listening on the network edge is a strategic risk, not just an operational one. Windows hosts that terminate IKE/IPsec tunnels — VPN concentrators, RRAS servers, cloud gateways, domain-isolation responders — are exactly the assets attackers want, because one successful exploit delivers everything they need to pivot straight into the domain. We help organizations find those exposures before an attacker does, validate that the right hosts really are patched, and stress-test whether compensating controls would actually stop a wormable RCE.

Our Services

Penetration Testing: Web applications, mobile apps (Android & iOS), SAP systems, Active Directory
Large-Scale Attacks: Perimeter testing, IT infrastructure testing, Red Team engagements
Security Awareness: Phishing campaigns, hacking demonstrations

Act now — before attackers do.

Contact:

🌐 Website: www.sekurity.de

📧 Inquiries: www.sekurity.de/kontakt

📱 LinkedIn: SEKurity GmbH

Your SEKurity Team — Your Trusted Adversaries

The security of your VPN and IPsec infrastructure is our drive.

InSEKurity of the Week (CW16/2026): Windows IKE Extensions RCE (CVE-2026-33824)