Critical Windows IKE RCE CVE-2026-33824 — verify the April patch this week
An unauthenticated RCE with CVSS 9.8 in the Windows IKE Service Extensions can hit every domain-joined Windows host. Here is how to confirm the April patch actually deployed.
Microsoft patched an unauthenticated remote code execution in the Windows IKE Service Extensions on April 14. CVE-2026-33824 scores CVSS 9.8 and triggers on any Windows system with IPSec enabled — which is effectively the default on domain-joined clients and servers in an M365 Business Premium environment.
Researchers at Zero Day Initiative and CrowdStrike are flagging wormable potential in the EternalBlue class. No public exploit yet, but the window between CVSS 9.8 disclosure and a PoC drop is usually short.
What the vulnerability does
It is a double-free in the component that handles IKE negotiations. An attacker who can send a crafted IKE request to a vulnerable Windows host can achieve SYSTEM-level code execution — no authentication, no user interaction required.
Network access to UDP 500/4500 on an unpatched machine is enough. In a flat small-business network where IPSec policies do not restrict client-to-client traffic, a single compromised device can spread laterally like a worm.
Why Swedish SMBs should care
Most customers we see run hybrid identity, domain-joined clients, and home-office connectivity over VPN or Always On VPN. The IPSec stack is on by default. Firewalls between clients in the same network segment are usually open.
That means CVE-2026-33824 lands squarely in the most common configuration. Pair it with CVE-2026-33827 (TCP/IP race condition, CVSS 8.1, same patch) and CVE-2026-26151 (RDP authentication bypass) and the April cumulative update needs to land everywhere before exploit code drops.
What to do now
Verify the April 14 cumulative update is installed on every Windows client and server. Do not trust a green status in Autopatch — pull an actual Intune compliance report and check the build number per device.
Enforce stricter policy on non-compliant endpoints. If the customer is on M365 Business Premium, block them from tenant resources via Conditional Access.
Check the perimeter firewall. IKE/IPSec traffic from the internet should not reach clients directly. If it does, close it now. Internal segmentation is a longer conversation — start with client/server VLAN separation at minimum.
Review msDS-SupportedEncryptionTypes while you are in AD. The April patch also triggers Phase 2 of Kerberos RC4 hardening, and service accounts without explicit AES encryption risk authentication failure before July.
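The msDS-SupportedEncryptionTypes review above can be scripted. The following is an added example, not HaggeBurger's own tooling; it assumes the ActiveDirectory RSAT module is available and approximates "service accounts" as AD objects that hold a servicePrincipalName.

```powershell
# Added example (not from the original post): list AD service accounts whose
# msDS-SupportedEncryptionTypes leaves them without AES, i.e. the accounts that
# risk Kerberos authentication failure once RC4 is no longer offered.
# Requires the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes as documented by Microsoft.
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10

# Assumption: a "service account" is any user or computer object with an SPN.
$accounts = Get-ADObject `
    -LDAPFilter '(&(servicePrincipalName=*)(|(objectClass=user)(objectClass=computer)))' `
    -Properties msDS-SupportedEncryptionTypes, sAMAccountName, objectClass

$findings = foreach ($a in $accounts) {
    $set    = $a.'msDS-SupportedEncryptionTypes'
    $hasAes = ($null -ne $set) -and (($set -band ($AES128 -bor $AES256)) -ne 0)
    $hasRc4 = ($null -ne $set) -and (($set -band $RC4) -ne 0)
    [pscustomobject]@{
        Account = $a.sAMAccountName
        Class   = $a.objectClass
        # Unset means the domain default applies, not an explicit AES choice.
        Value   = if ($null -eq $set) { '<not set>' } else { '0x{0:X}' -f $set }
        HasAES  = $hasAes
        RC4Only = $hasRc4 -and -not $hasAes
    }
}

# Accounts with no explicit AES bit go to the top of the report for the IT lead.
$findings |
    Where-Object { -not $_.HasAES } |
    Sort-Object Class, Account |
    Format-Table -AutoSize

# Remediation, per account and only after confirming the service supports AES:
# Set-ADObject -Identity <DistinguishedName> `
#     -Replace @{ 'msDS-SupportedEncryptionTypes' = ($AES128 -bor $AES256) }
```

Run it read-only first and keep the output with the delivery report; the commented Set-ADObject line is the change to apply once each owning team has confirmed AES support.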
How HaggeBurger can help
We run a fixed-fee April Patch Health Check — half a day per tenant, compliance report, cleanup on non-compliant endpoints, perimeter exposure review, delivery report to the IT lead. Want us to check your environment? Get in touch.
Sources: BleepingComputer, Zero Day Initiative, Microsoft Security Update Guide.