Vulnerability Analysis

CVE-2026-33824 (BlueHammer): Windows IKE Zero-Click RCE & How to Fix It

Executive Summary

CVE-2026-33824, nicknamed BlueHammer, is a zero-click, unauthenticated remote code execution vulnerability in the Windows Internet Key Exchange (IKE) service (IKEEXT.dll), rated CVSS 9.8 (Critical). An attacker on the same network — or anyone who can reach UDP ports 500/4500 — can send a precisely crafted 4-packet IKEv2 sequence to gain SYSTEM-level code execution with no credentials and no user interaction. Microsoft patched it on April 14, 2026 (Patch Tuesday); organizations that have not yet applied the April 2026 Cumulative Update remain exposed.


1. What Is This Vulnerability?

BlueHammer is rooted in a double-free memory corruption bug (CWE-415) inside IKEEXT.dll, the Windows service responsible for negotiating IKE and AuthIP IPsec sessions. IKEEXT is a user-mode service hosted in svchost.exe and running as LocalSystem, which is why a bug in its packet parser yields SYSTEM rather than a kernel compromise. During the processing of an incoming SA_INIT packet — the first message in an IKEv2 handshake — the service allocates a heap region to hold the parsed Notify and Proposal payloads. Under a specific packet sequence, that same region is freed twice, corrupting the heap in a way that attackers can leverage to redirect execution flow.

Attack Vector

The exploit chain works as follows:

  1. Reconnaissance — The attacker identifies a Windows host with UDP/500 or UDP/4500 reachable (VPN gateways, domain controllers with IPsec policies, or any Windows machine where the IKEEXT service is running and reachable).
  2. SA_INIT trigger — A standard IKEv2 SA_INIT request is sent, which the service processes normally and allocates heap memory for.
  3. Malformed follow-up trio — Three rapid follow-up packets with specially crafted Notify and Proposal components trigger the double-free in the same parsing code path. This guarantees a precisely controlled heap layout.
  4. Heap spray / ROP chain — The corrupted heap is used to execute a return-oriented programming (ROP) chain that bypasses ASLR and CFG mitigations.
  5. SYSTEM shell — Arbitrary code executes under NT AUTHORITY\SYSTEM, the highest privilege level on a Windows host.

The entire sequence is zero-click: it requires no authenticated session, no VPN credential, no open browser, and no user action whatsoever.
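To make the packet structure the attack rides on concrete, here is an added example (not code from the original post, and not an exploit) that decodes the fixed 28-byte IKEv2 header and walks the generic payload chain of a UDP/500 datagram, with the length checks a safe parser has to make at each step. The sample datagram is constructed inline: it has the shape of an ordinary IKE_SA_INIT request (SA, KE, Nonce and one Notify payload with placeholder bodies), so the script runs offline and shows which fields identify an SA_INIT request when you inspect a capture. Function names are this example's own.

```powershell
# Added example, not code from the original post: decode an IKEv2 header (RFC 7296 s.3.1)
# and walk its payload chain (s.3.2). The datagram below is constructed for the example.

function ConvertFrom-BigEndianUInt {
    param([byte[]]$Bytes, [int]$Offset, [int]$Count)
    $value = [long]0
    for ($i = 0; $i -lt $Count; $i++) { $value = $value * 256 + $Bytes[$Offset + $i] }
    return $value
}

function Read-IkeV2Packet {
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 28) { throw "Datagram shorter than the 28-byte IKE header" }
    $exchangeNames = @{ 34 = 'IKE_SA_INIT'; 35 = 'IKE_AUTH'; 36 = 'CREATE_CHILD_SA'; 37 = 'INFORMATIONAL' }
    $payloadNames  = @{ 33 = 'SA'; 34 = 'KE'; 35 = 'IDi'; 36 = 'IDr'; 37 = 'CERT'; 38 = 'CERTREQ'; 39 = 'AUTH'
                        40 = 'Nonce'; 41 = 'Notify'; 42 = 'Delete'; 43 = 'VendorID'; 44 = 'TSi'; 45 = 'TSr'; 46 = 'SK' }
    # Fixed header: SPIi(8) SPIr(8) NextPayload(1) Version(1) ExchangeType(1) Flags(1) MessageID(4) Length(4)
    $header = [ordered]@{
        InitiatorSpi = ($Bytes[0..7]  | ForEach-Object { $_.ToString('x2') }) -join ''
        ResponderSpi = ($Bytes[8..15] | ForEach-Object { $_.ToString('x2') }) -join ''   # all zero in an SA_INIT request
        Version      = '{0}.{1}' -f ($Bytes[17] -shr 4), ($Bytes[17] -band 0x0F)
        ExchangeType = $exchangeNames[[int]$Bytes[18]]
        IsInitiator  = ($Bytes[19] -band 0x08) -ne 0
        IsResponse   = ($Bytes[19] -band 0x20) -ne 0
        MessageId    = ConvertFrom-BigEndianUInt $Bytes 20 4
        Length       = ConvertFrom-BigEndianUInt $Bytes 24 4
    }
    if ($header.Length -ne $Bytes.Length) { throw "Header length $($header.Length) does not match datagram length $($Bytes.Length)" }

    # Generic payload header: NextPayload(1) Critical+reserved(1) PayloadLength(2, includes this header)
    $payloads = @()
    $next = [int]$Bytes[16]
    $offset = 28
    while ($next -ne 0) {
        if ($offset + 4 -gt $Bytes.Length) { throw "Payload chain runs past the end of the datagram at offset $offset" }
        $payloadLength = ConvertFrom-BigEndianUInt $Bytes ($offset + 2) 2
        if ($payloadLength -lt 4 -or $offset + $payloadLength -gt $Bytes.Length) {
            throw "Payload type $next at offset $offset claims length $payloadLength, which does not fit"
        }
        $name = if ($payloadNames.ContainsKey($next)) { $payloadNames[$next] } else { "Unknown($next)" }
        $payloads += [pscustomobject]@{ Type = $next; Name = $name; Offset = $offset; Length = $payloadLength
                                        Critical = ($Bytes[$offset + 1] -band 0x80) -ne 0 }
        $next    = [int]$Bytes[$offset]
        $offset += $payloadLength
    }
    if ($offset -ne $Bytes.Length) { throw "Trailing $($Bytes.Length - $offset) bytes after the last payload" }
    [pscustomobject]@{ Header = [pscustomobject]$header; Payloads = $payloads }
}

# Constructed sample: an IKE_SA_INIT request with SA, KE, Nonce and a NAT_DETECTION_SOURCE_IP Notify.
# Bodies are placeholders (real SA and KE payloads are much longer); only the framing matters here.
$chain = @(
    @{ Type = 33; Body = [byte[]](1..8) }
    @{ Type = 34; Body = [byte[]]((0, 14, 0, 0) + (1..16)) }            # DH group 14 + placeholder key data
    @{ Type = 40; Body = [byte[]](1..16) }
    @{ Type = 41; Body = [byte[]]((0, 0, 0x40, 0x04) + (1..20)) }      # protocol 0, SPI size 0, type 16388, 20-byte hash
)
$payloadBytes = [System.Collections.Generic.List[byte]]::new()
for ($i = 0; $i -lt $chain.Count; $i++) {
    $nextType = if ($i + 1 -lt $chain.Count) { $chain[$i + 1].Type } else { 0 }
    $len = 4 + $chain[$i].Body.Length
    $payloadBytes.AddRange([byte[]]@($nextType, 0, ($len -shr 8), ($len -band 0xFF)))
    $payloadBytes.AddRange($chain[$i].Body)
}
$totalLength = 28 + $payloadBytes.Count
$headerBytes = [System.Collections.Generic.List[byte]]::new()
$headerBytes.AddRange([byte[]](0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88))   # initiator SPI
$headerBytes.AddRange([byte[]](0, 0, 0, 0, 0, 0, 0, 0))                           # responder SPI: zero in the request
$headerBytes.AddRange([byte[]]@($chain[0].Type, 0x20, 34, 0x08))                  # first payload, v2.0, IKE_SA_INIT, Initiator flag
$headerBytes.AddRange([byte[]](0, 0, 0, 0))                                       # message ID 0
$headerBytes.AddRange([byte[]]@(0, 0, ($totalLength -shr 8), ($totalLength -band 0xFF)))
$sample = [byte[]]($headerBytes.ToArray() + $payloadBytes.ToArray())

$decoded = Read-IkeV2Packet -Bytes $sample
$decoded.Header   | Format-List
$decoded.Payloads | Format-Table -AutoSize    # SA, KE, Nonce, Notify in that order
```

An SA_INIT request is recognisable by exchange type 34, the Initiator flag set, the Response flag clear, Message ID 0 and an all-zero responder SPI; a parser that trusts the per-payload length field without the two bounds checks above is the kind of code path where heap bugs live. To feed real traffic in, dump the UDP payload from a pktmon or pcap capture into a byte array; pcap parsing is outside this example.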

Real-World Impact

At this CVSS level with a published exploit primitive, BlueHammer carries significant real-world risk:

  • Credential theft — SYSTEM-level access trivially enables LSASS memory dumps for credential harvesting.
  • EDR termination — Attackers can kill endpoint detection agents before conducting further operations.
  • Ransomware staging — A network-facing Windows server compromised silently makes an ideal beachhead for ransomware lateral movement.
  • Domain compromise — Windows Server targets exposed on the same network as Active Directory infrastructure are particularly dangerous entry points.

Security researchers have confirmed proof-of-concept code is circulating privately, and threat intelligence firms assess exploitation-in-the-wild is likely within weeks of publication.


2. Who Is Affected?

Any Windows system where the IKEEXT service is running and UDP 500/4500 is reachable is vulnerable unless the April 2026 Cumulative Update has been applied.

Platform          Affected versions
Windows 10        1607, 1809, 21H2, 22H2
Windows 11        22H2, 23H2, 24H2, 25H2, 26H1
Windows Server    2016, 2019, 2022, 23H2, 2025

Highest-risk deployments:

  • Internet-facing VPN/IPsec endpoints (corporate gateways, Always On VPN servers)
  • Windows domain controllers with IPsec-based domain isolation policies
  • Azure/cloud Windows VMs with management ports exposed
  • Branch office firewalls terminating IKEv2 tunnels on a Windows backend

Lower-risk (but still vulnerable): Workstations on an internal network where UDP/500 is blocked at the perimeter — they're protected externally but remain attackable from a compromised internal host.


3. How to Detect It (Testing)

Manual Testing Steps

  1. Verify IKEEXT service state on the target host:

    Get-Service -Name IKEEXT | Select-Object Name, Status, StartType
    

    If the service is Running, the attack surface is active.

  2. Check patch level — Confirm whether the April 2026 Cumulative Update has been applied:

    Get-HotFix | Where-Object { $_.InstalledOn -ge '2026-04-14' } | Sort-Object InstalledOn -Descending
    

    If no hotfix dated April 14, 2026 or later appears, the system is unpatched. The converse does not hold: a later hotfix of another kind does not prove the cumulative update is present, and Get-HotFix sometimes reports a blank InstalledOn, so treat the build number in step 4 as the authoritative check.

  3. Inspect open UDP ports from outside the host:

    nmap -sU -p 500,4500 <target_ip>
    

    Ports reported as open confirm the IKE responder is reachable; together with an unpatched build, that makes the host exploitable. Note that nmap reports a UDP port that never answers as open|filtered, so use the ike-version script (under Automated Scanning) for a definitive answer.

  4. Check the Windows build and update build revision (UBR) against the patched build listed in Microsoft's advisory. OsBuildNumber alone does not carry the UBR; the registry does:

    [System.Environment]::OSVersion.Version
    Get-ComputerInfo | Select-Object OsName, OsBuildNumber, OsVersion
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' | Select-Object CurrentBuild, UBR, DisplayVersion
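The four manual checks above, gathered from one host into a single object, as an added example that is not code from the original post. Beyond what Get-Service shows, it maps each UDP 500/4500 socket to its owning process, which matters because IKEEXT has no executable of its own and lives inside an svchost.exe. It does not decide patch status (that needs the patched UBR from Microsoft's advisory, see Section 5); Exposed means only that the service is running and bound to an IKE port. The function name and output columns are this example's own.

```powershell
# Added example, not code from the original post: exposure snapshot for CVE-2026-33824.
function Get-IkeExposure {
    param([datetime]$PatchTuesday = '2026-04-14')

    $svc = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # IKEEXT runs inside svchost.exe; resolve the owner of each IKE socket to the hosting process.
    $listeners = @(Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue | ForEach-Object {
        $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $_.LocalPort
            Address = $_.LocalAddress      # 0.0.0.0 or :: means bound on every interface
            Pid     = $_.OwningProcess
            Process = $owner.ProcessName
        }
    })

    # Hotfix history is weak evidence: InstalledOn is sometimes blank, and any later hotfix matches.
    $recentHotfixes = @(Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
        Select-Object -ExpandProperty HotFixID)

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OsBuild         = "$($cv.CurrentBuild).$($cv.UBR)"   # build.UBR is what the advisory's patched build refers to
        DisplayVersion  = $cv.DisplayVersion
        IkeextState     = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'Not installed' }
        UdpListeners    = $listeners
        HotfixesSinceCu = $recentHotfixes
        Exposed         = [bool]($svc -and $svc.Status -eq 'Running' -and $listeners.Count -gt 0)
    }
}

Get-IkeExposure | Format-List
```

Run it in an elevated session so the socket-to-process mapping resolves for service hosts; a listener on 0.0.0.0 or :: with Exposed = True on an unpatched build is the case the rest of this section is about.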
    

Automated Scanning

Tenable Nessus / Tenable.io

  • Plugin ID for CVE-2026-33824 was released April 14, 2026.
  • Run a credentialed scan with the "Windows: Microsoft Bulletins" plugin family enabled.
  • Look for findings tagged CVE-2026-33824 in the results.

Qualys VMDR

  • QID covering this CVE is available in the April 2026 signature update.
  • Filter scan results by CVE ID CVE-2026-33824.

Rapid7 InsightVM

  • Solution microsoft-windows-cve-2026-33824 is available in the vulnerability database.
  • Run an authenticated Windows scan and filter by solution name.

Nmap NSE (network-level exposure check)

# Identify IKE responders on the network
nmap -sU -p 500 --script ike-version <subnet/24>

Any host responding to IKE probes that is also unpatched is a priority target.

Shodan (internet-exposed hosts)

port:500 os:"Windows"

This search surfaces internet-facing Windows IKE responders — a quick way to assess your organization's external exposure.

Code Review Checklist

If you maintain custom IPsec or IKE tooling on Windows:

  • Confirm your application does not expose IKEEXT to untrusted networks directly
  • Verify no Group Policy is pushing IKEv2-based connection security rules to workstations unnecessarily
  • Check that host-based firewall rules restrict UDP/500 and UDP/4500 to known peer IPs only
  • Review any custom IKE policy that permits IKEv1 (legacy) traffic, which shares the vulnerable parsing path

4. How to Fix It (Mitigation)

Step-by-Step Remediation

  1. Apply the April 2026 Cumulative Update immediately. This is the only definitive fix. The patch modifies the double-free code path in IKEEXT.dll so memory is only released once per SA negotiation.

    • Windows Update / WSUS: Approve and deploy update KB5055652 (or the relevant KB for your Windows version — check the Microsoft Update Catalog filtered by April 2026).
    • Microsoft Update Catalog: https://www.catalog.update.microsoft.com — search CVE-2026-33824.
    • Windows Update (manual): Settings > Windows Update > Check for updates. Note that winget upgrade --all updates applications only; it does not deliver cumulative updates.
    • SCCM / Intune: Force compliance deadline for the April 2026 Cumulative Update within 24–48 hours for internet-facing servers.
  2. Prioritize internet-facing systems first. VPN gateways, Always On VPN servers, and any Windows host with UDP/500 exposed to the internet must be patched before internal workstations.

  3. Reboot required. The patch replaces IKEEXT.dll and the service must restart for the fix to take effect. A system reboot is necessary.

  4. Validate patch installation (see Section 5).

Immediate Workarounds (If Patching Is Not Immediately Possible)

Option A — Disable IKEEXT service. This fully eliminates the vulnerable attack surface. Use only if IPsec/IKE is not operationally required.

# Stop and disable the IKE service
Stop-Service -Name IKEEXT -Force
Set-Service -Name IKEEXT -StartupType Disabled

⚠️ Warning: Disabling IKEEXT will break any IPsec-secured communications, Always On VPN connections, or domain isolation policies relying on IKE/AuthIP negotiation.

Option B — Block UDP 500 and 4500 at the perimeter. Add inbound block rules for these ports at your network edge and, where IKE is not needed on the host, in Windows Firewall:

# Block inbound IKE traffic via Windows Firewall
New-NetFirewallRule -DisplayName "Block IKE UDP 500 (CVE-2026-33824)" `
    -Direction Inbound -Protocol UDP -LocalPort 500 -Action Block

New-NetFirewallRule -DisplayName "Block IKE NAT-T UDP 4500 (CVE-2026-33824)" `
    -Direction Inbound -Protocol UDP -LocalPort 4500 -Action Block

⚠️ This does not fix the vulnerability — it reduces the attack surface. A perimeter-only block leaves the host reachable from a compromised internal machine; the host-based rules above close that path as well, but the vulnerable code remains on disk until the update is applied.

Option C — Restrict IKE peers with host-based firewall. If IKE is required but only for specific peers, allow only known IPs. In Windows Firewall a Block rule always takes precedence over an Allow rule for the same traffic, so do not pair the scoped Allow with a catch-all Block on the same port: that would cut off the trusted peers too. Let the profile's default inbound action (Block) drop everything else, and make sure no other rule allows UDP 500/4500 from Any.

# Confirm the default inbound action is Block (NotConfigured also means Block)
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction

# Allow IKE and NAT-T only from trusted peers; everything else is dropped by the default action
New-NetFirewallRule -DisplayName "Allow IKE UDP 500 from trusted peers only" `
    -Direction Inbound -Protocol UDP -LocalPort 500 `
    -RemoteAddress "10.0.0.1","10.0.0.2" -Action Allow

New-NetFirewallRule -DisplayName "Allow IKE NAT-T UDP 4500 from trusted peers only" `
    -Direction Inbound -Protocol UDP -LocalPort 4500 `
    -RemoteAddress "10.0.0.1","10.0.0.2" -Action Allow
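Option C only works if no other enabled rule admits the same ports from Any. The added example below (not code from the original post) lists every enabled inbound Allow rule covering UDP 500 or 4500, including rules that use port ranges or Any, and flags the ones not scoped to a remote address. Because Block beats Allow, the remedy for such a rule is to disable or scope it, which the -Disable switch does; nothing changes without it. The function name and output columns are this example's own.

```powershell
# Added example, not code from the original post: audit inbound Allow rules that admit IKE.
function Get-IkeAllowRules {
    param([switch]$Disable)
    $ikePorts = 500, 4500
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        $portFilter = $rule | Get-NetFirewallPortFilter
        if ($portFilter.Protocol -ne 'UDP') { return }

        # LocalPort is 'Any', a single port, a range such as '500-510', a keyword, or a list of those.
        $localPorts = @($portFilter.LocalPort)
        $coversIke = $false
        foreach ($p in $localPorts) {
            if ($p -eq 'Any') { $coversIke = $true }
            elseif ($p -match '^(\d+)-(\d+)$') {
                $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
                if ($ikePorts | Where-Object { $_ -ge $lo -and $_ -le $hi }) { $coversIke = $true }
            }
            elseif ($p -match '^\d+$' -and $ikePorts -contains [int]$p) { $coversIke = $true }
        }
        if (-not $coversIke) { return }

        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        $unscoped = $remote -contains 'Any'      # reachable from every source address
        if ($Disable -and $unscoped) { $rule | Disable-NetFirewallRule }

        [pscustomobject]@{
            DisplayName   = $rule.DisplayName
            Profile       = $rule.Profile
            LocalPort     = ($localPorts -join ',')
            RemoteAddress = ($remote -join ',')
            Unscoped      = $unscoped
            Disabled      = [bool]($Disable -and $unscoped)
        }
    }
}

# Report first and review the Unscoped rows; rerun with -Disable to switch them off.
Get-IkeAllowRules | Format-Table -AutoSize
```

A rule listing proves what the policy says, not what the wire does: after disabling anything unscoped, still probe from an address outside the trusted set as in Test Case 4 of Section 5.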

Configuration Hardening

Even after patching, consider tightening the IKE attack surface:

  • Disable IKEv1 via IPsec policy if only IKEv2 is needed (IKEv1 shares the vulnerable parsing path and has fewer modern cryptographic guarantees).
  • Enable Windows Defender Credential Guard to protect LSASS memory from post-exploitation dumps.
  • Add privileged accounts to the Protected Users security group to limit credential extraction even if SYSTEM is obtained.
  • Deploy Microsoft Defender for Endpoint with Attack Surface Reduction rules enabled. ASR rules and behavioral detections do not see the double-free itself; they flag the post-exploitation steps that follow it, such as LSASS access or a service host spawning a shell.

5. How to Test the Fix (Validation)

Regression Test Scenarios

  • Scenario A: Confirm the April 2026 Cumulative Update is installed and IKEEXT.dll version is updated.
  • Scenario B: Confirm IKE/IPsec functionality (VPN connectivity, domain isolation) still works normally post-patch.
  • Scenario C: Confirm the patched host no longer responds to malformed SA_INIT probes in an exploitable way.

Security Test Cases

Test Case 1: Verify patch is applied

  • Precondition: Target system has been rebooted after April 2026 CU installation.
  • Steps:
    (Get-Item "$env:SystemRoot\System32\ikeext.dll").VersionInfo | Select-Object FileVersionRaw, ProductVersionRaw
    
  • Expected result: The file version reflects the patched April 2026 build (compare against Microsoft's published patched version in the security advisory). Read FileVersionRaw rather than FileVersion: the FileVersion string on Windows system files is frequently stale and does not change with cumulative updates.

Test Case 2: Verify CVE scanner no longer flags the host

  • Precondition: Patch applied and system rebooted.
  • Steps: Re-run your Nessus/Qualys/InsightVM credentialed scan.
  • Expected result: No finding for CVE-2026-33824 on the target host.

Test Case 3: Verify IKE functionality post-patch

  • Precondition: IPsec or VPN was in use before patching.
  • Steps: Re-establish a VPN tunnel or verify IPsec connection security rules negotiate successfully.
  • Expected result: Tunnel establishes without error; with the IPsec Main Mode audit subcategory enabled, the Security log records successful SA negotiations (event IDs 4650/4651) and no 4652/4653 failures.

Test Case 4: Firewall rule validation (if workaround applied)

  • Precondition: UDP 500/4500 block rules deployed.
  • Steps:
    nmap -sU -p 500,4500 <target_ip>
    
  • Expected result: Ports appear filtered or closed, not open.

Automated Validation Script

# CVE-2026-33824 patch validation script
# Supply the UBR of the April 2026 Cumulative Update for this host's build from
# Microsoft's advisory; until then the build check reports UNKNOWN.
$referenceUbr = @{}   # e.g. @{ '<CurrentBuild>' = <UBR from the advisory> }
$patchDate = Get-Date "2026-04-14"

# 1. OS build and update build revision (UBR) from the registry: the authoritative check
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [string]$cv.CurrentBuild
$ubr   = [int]$cv.UBR
Write-Host "OS build: $build.$ubr ($($cv.DisplayVersion))"
if (-not $referenceUbr.ContainsKey($build)) {
    Write-Host "[UNKNOWN] No reference UBR supplied for build $build" -ForegroundColor Yellow
} elseif ($ubr -ge [int]$referenceUbr[$build]) {
    Write-Host "[PASS] UBR $ubr is at or above the April 2026 CU" -ForegroundColor Green
} else {
    Write-Host "[FAIL] UBR $ubr is below the April 2026 CU" -ForegroundColor Red
}

# 2. Hotfix history (weaker evidence: InstalledOn can be blank, and any later hotfix also matches)
$hotfixes = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchDate }
if ($hotfixes) {
    Write-Host "[INFO] Hotfixes installed on or after April 14, 2026:" -ForegroundColor Green
    $hotfixes | Select-Object HotFixID, InstalledOn | Format-Table
} else {
    Write-Host "[FAIL] No April 2026+ hotfix detected. System may be unpatched." -ForegroundColor Red
}

# 3. IKEEXT service state
$svc = Get-Service -Name IKEEXT
Write-Host "`nIKEEXT Service: $($svc.Status) / StartType: $($svc.StartType)"

# 4. Patched DLL version; FileVersionRaw reflects the binary, FileVersion is often stale on system files
$dll = Get-Item "$env:SystemRoot\System32\ikeext.dll" -ErrorAction SilentlyContinue
if ($dll) {
    Write-Host "IKEEXT.dll version: $($dll.VersionInfo.FileVersionRaw)"
}

6. Prevention & Hardening

Best Practices

  • Patch immediately on Patch Tuesday cadence. Critical/9.8 CVEs targeting network services should be treated as emergency patches with a 24–48 hour SLA for internet-facing hosts and a 7-day SLA for internal workstations.
  • Minimize exposed services. Audit which Windows hosts truly require IKE/IPsec to be network-accessible, and disable IKEEXT everywhere it isn't needed.
  • Network segmentation. Ensure VPN/IPsec termination hosts are isolated behind dedicated perimeter firewalls that only forward IKE traffic from known peers — not the open internet.
  • Zero-trust architecture. Wherever possible, replace legacy IPsec/IKEv1 tunnels with modern ZTNA solutions that don't rely on IKEEXT at all.

Monitoring & Detection

Even on patched systems, monitor for exploitation attempts:

Windows Event Log (Security, System, Application)

  • Security 4625 / 4648 — suspicious authentication from unknown IPs shortly after IKE activity
  • System 7036 — IKEEXT service state changes (unexpected stops); this event lives in the System log, not Security
  • Application 1000 (Application Error) — svchost.exe crashing with faulting module ikeext.dll, the footprint of an exploit attempt that did not land cleanly

Windows Defender / MDE KQL Query (Advanced Hunting)

DeviceProcessEvents
| where InitiatingProcessFileName =~ "svchost.exe"
| where InitiatingProcessCommandLine has "IKEEXT"
| where FileName in~ ("cmd.exe", "powershell.exe", "rundll32.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine

This surfaces processes spawned by the IKE service host, a strong indicator of post-exploitation activity. There is no ikeext.exe: IKEEXT runs inside svchost.exe, and on hosts where the netsvcs group is split into separate processes (the default since Windows 10 1703 on machines with more than 3.5 GB of RAM) its command line carries "-s IKEEXT". On hosts where netsvcs is still shared, drop the command-line filter and expect noise from the other services in that host, such as the Task Scheduler.
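The same "child of the IKE service host" check built from Security event 4688 (process creation, with command-line auditing enabled) instead of MDE, as an added example that is not code from the original post. The detection is run over three constructed sample events; the live helpers resolve the current IKEEXT PID through Win32_Service and parse 4688 XML, where the creator PID is stored as a hex string. Function names, the sample PIDs and the sample timestamps are this example's own.

```powershell
# Added example, not code from the original post: find processes created by the IKEEXT svchost.
function Get-IkeextProcessId {
    [int](Get-CimInstance Win32_Service -Filter "Name='IKEEXT'").ProcessId
}

function Get-ProcessCreationEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                TimeCreated        = $_.TimeCreated
                NewProcessName     = $data['NewProcessName']
                CommandLine        = $data['CommandLine']          # empty unless command-line auditing is on
                CreatorProcessId   = [int]$data['ProcessId']       # 4688 stores the creator PID as hex, e.g. '0x4b4'
                CreatorProcessName = $data['ParentProcessName']
            }
        }
}

function Find-IkeextChildProcesses {
    param([Parameter(Mandatory)][object[]]$Events, [Parameter(Mandatory)][int]$IkeextPid)
    # The IKE service host has no business creating processes; any match is worth a look.
    $Events | Where-Object {
        $_.CreatorProcessId -eq $IkeextPid -and $_.CreatorProcessName -like '*\svchost.exe'
    } | ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            NewProcess  = $_.NewProcessName
            CommandLine = $_.CommandLine
            ParentPid   = $_.CreatorProcessId
        }
    }
}

# Constructed sample: in this scenario IKEEXT's svchost has PID 1204.
$sampleIkeextPid = 1204
$sampleEvents = @(
    [pscustomobject]@{ TimeCreated = Get-Date '2026-04-15 02:13:07'; NewProcessName = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c whoami'; CreatorProcessId = 1204
                       CreatorProcessName = 'C:\Windows\System32\svchost.exe' }
    [pscustomobject]@{ TimeCreated = Get-Date '2026-04-15 02:13:07'; NewProcessName = 'C:\Windows\System32\conhost.exe'
                       CommandLine = '\??\C:\Windows\system32\conhost.exe 0x4'; CreatorProcessId = 5120
                       CreatorProcessName = 'C:\Windows\System32\cmd.exe' }        # child of cmd, not of the service
    [pscustomobject]@{ TimeCreated = Get-Date '2026-04-15 02:10:00'; NewProcessName = 'C:\Windows\System32\svchost.exe'
                       CommandLine = 'C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT'; CreatorProcessId = 812
                       CreatorProcessName = 'C:\Windows\System32\services.exe' }   # normal service start by SCM
)
# Only the cmd.exe created by PID 1204 is returned.
Find-IkeextChildProcesses -Events $sampleEvents -IkeextPid $sampleIkeextPid | Format-Table -AutoSize

# Live use:
# Find-IkeextChildProcesses -Events (Get-ProcessCreationEvents) -IkeextPid (Get-IkeextProcessId)
```

Two caveats for live use: the PID only identifies the current instance of the service, so events from before the last IKEEXT restart may belong to a different process with that PID, and on hosts where netsvcs is not split into per-service processes the same svchost also hosts services that legitimately create processes (the Task Scheduler among them), so confirm with the "-s IKEEXT" command line before escalating.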

Network Detection

  • Alert on unexpected UDP/500 traffic from internet IPs to internal Windows hosts.
  • Alert on bursts of IKE_SA_INIT requests from a single source that is not a known peer. Keep in mind that a normal IKEv2 negotiation is itself four packets (SA_INIT request/response, AUTH request/response), so a raw "4+ packets in 2 seconds" threshold fires on every legitimate tunnel setup; count SA_INIT requests (exchange type 34, Initiator flag set, Message ID 0) rather than all UDP/500 packets, and baseline the rate per peer.
  • SIEM rule: protocol:UDP AND dst_port:500 AND src:external AND NOT src:trusted_peer, with the per-source SA_INIT request count compared against the baseline over a 2-second window.

Threat Intelligence Correlation

  • Subscribe to CISA KEV catalog updates — if BlueHammer is added to the KEV (Known Exploited Vulnerabilities) list, treat it as confirmed active exploitation.
  • Monitor threat intel feeds for BlueHammer PoC releases and IOC updates.
