CVE-2026-33827: Windows TCP/IP Stack RCE — Unauthenticated, Wormable [Critical · CVSS 9.8]
Published April 19, 2026
A critical unauthenticated remote code execution vulnerability in the Windows TCP/IP stack.
Analysed by Sujit Mahakhud · Microsoft Sentinel Specialist · secbyte.in | April 19, 2026
⚡ Executive Summary
CVE-2026-33827 is a critical (CVSS 9.8) unauthenticated remote code execution vulnerability in the Windows TCP/IP stack. An attacker who can send specially crafted network packets to a target executes arbitrary code in the kernel, and therefore with SYSTEM privileges. No authentication and no user interaction are required, which is what makes it wormable: an exploit can spread from host to host across unpatched networks without any operator action.
🔑 Auth Required: None
👤 User Interaction: None
🔬 Technical Details
The vulnerability is a memory-safety bug in the kernel-mode TCP/IP driver, classified as a heap-based buffer overflow (CWE-122) and out-of-bounds write (CWE-787). An unauthenticated attacker sends specially crafted packets to the target; the driver's handling of those packets corrupts kernel heap memory, and a successful exploit turns that corruption into arbitrary code execution in kernel context, i.e. with SYSTEM privileges. The CVSS vector (AV:N/AC:L/PR:N/UI:N) records that the attack is network-reachable, low-complexity, and needs neither privileges nor user interaction, which is the combination that makes it wormable across unpatched networks.

Two practical consequences follow from the bug being in the kernel network stack. First, the malicious packets are processed in the kernel before any user-mode process is involved, so process-level telemetry cannot see the exploit itself; it can only see what the attacker does afterwards (spawned processes, new services, lateral movement). Second, kernel heap corruption that is not exploited with precision typically crashes the host (a bug check), so even an unreliable exploit is a remote denial of service, and unexplained bug checks on exposed, unpatched hosts are worth correlating with the detections below.
| Field | Value |
|---|---|
| CVE ID | CVE-2026-33827 |
| CVSS Score | 9.8 (Critical) |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Published | April 19, 2026 |
| Weakness | CWE-122 (Heap-based Buffer Overflow), CWE-787 (Out-of-bounds Write) |
🎯 Impact Assessment
If exploited: full system compromise at SYSTEM level, credential and data theft, lateral movement, and ransomware deployment, with the exploit itself able to propagate to other unpatched hosts because no authentication or user interaction is required. Exploitation attempts that fail still matter: kernel memory corruption that is not landed cleanly typically bug checks the host, so Availability is rated High even for attackers who never achieve code execution. Patch immediately.
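The following is an added triage example, not code from the original advisory. It is meant to be run in an elevated PowerShell session on each host in scope (or wrapped in Invoke-Command) and checks the two things a responder wants first: the host's exact cumulative-update level, and any recent bug checks, since a kernel heap overflow that is not exploited cleanly usually crashes the machine. The `-FixedUbr` parameter is an assumption: it is the UBR (the number after the build, e.g. the `xxxx` in `22631.xxxx`) of the fixing update for this host's build as published in the MSRC advisory for CVE-2026-33827, which this example does not know.

```powershell
# Added triage example for CVE-2026-33827; not part of the original advisory.
# Run elevated on the host (or via Invoke-Command). -FixedUbr is an assumption:
# supply the fixing update's UBR for this build from the MSRC advisory.
param(
    [int]$FixedUbr = 0,
    [datetime]$Since = (Get-Date).AddDays(-7)
)

function Get-PatchLevel {
    param([int]$FixedUbr)
    # CurrentBuildNumber.UBR identifies the installed cumulative-update level exactly;
    # Get-HotFix lists KBs but does not reliably show the latest cumulative update.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' `
                           -Name CurrentBuildNumber, UBR
    if ($FixedUbr -gt 0) {
        $patched = [int]$cv.UBR -ge $FixedUbr
    } else {
        $patched = 'unknown (supply -FixedUbr from the MSRC advisory)'
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Build    = "$($cv.CurrentBuildNumber).$($cv.UBR)"
        Patched  = $patched
    }
}

function Get-RecentBugChecks {
    param([datetime]$Since)
    # Event 1001 from the WER SystemErrorReporting provider records the bug check code
    # after a crash; Event 41 from Kernel-Power records a reboot that was not a clean
    # shutdown (the host went down hard and no crash dump/bugcheck event was written).
    $filters = @(
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'; Id = 1001; StartTime = $Since },
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Power';             Id = 41;   StartTime = $Since }
    )
    foreach ($f in $filters) {
        # SilentlyContinue: Get-WinEvent raises a non-terminating error when nothing matches
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            # The 1001 message text carries the stop code, e.g. "The bugcheck was: 0x00000019";
            # 0x19 (BAD_POOL_HEADER) and 0x13A (KERNEL_MODE_HEAP_CORRUPTION) indicate pool corruption.
            $code = if ($_.Message -match '0x[0-9A-Fa-f]{8}') { $Matches[0] } else { $null }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                EventId  = $_.Id
                BugCheck = $code
                Message  = ($_.Message -split "`r?`n")[0]
            }
        }
    }
}

Get-PatchLevel -FixedUbr $FixedUbr | Format-List
Get-RecentBugChecks -Since $Since | Sort-Object Time -Descending | Format-Table -AutoSize
```

A bug check on its own proves nothing; the point is to give the SOC a second signal to correlate with network exposure and with the process-spawning detection in the next section, and to stop hosts being marked "patched" on the strength of a KB listing rather than the build number.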
🛡 Microsoft Sentinel KQL Detection
Table: DeviceProcessEvents
// CVE-2026-33827 — post-exploitation detection via suspicious process spawning.
// This query cannot see the malicious packets: the bug is in the kernel TCP/IP driver
// and leaves no process-level trace. It looks for the shell or tooling an attacker
// would spawn afterwards from a SYSTEM-level foothold in a privileged process.
DeviceProcessEvents
| where TimeGenerated > ago(24h)   // hunting lookback; in a scheduled rule, match the rule's query period
// Privileged processes an attacker with kernel/SYSTEM execution is likely to spawn from
| where InitiatingProcessFileName in~ (
    "svchost.exe", "System", "smss.exe", "lsass.exe"
)
// Living-off-the-land tooling these parents rarely spawn directly
| where FileName in~ (
    "cmd.exe", "powershell.exe", "pwsh.exe",
    "net.exe", "whoami.exe", "certutil.exe", "bitsadmin.exe",
    "regsvr32.exe", "mshta.exe", "wscript.exe"
)
// Tuning: the svchost.exe instance hosting the Task Scheduler legitimately spawns
// cmd.exe and powershell.exe for scheduled tasks; exclude it after baselining,
// and add further exclusions for known agents rather than widening the parent list.
| where not(InitiatingProcessFileName =~ "svchost.exe"
            and InitiatingProcessCommandLine has "Schedule")
| extend CVE = "CVE-2026-33827"
| project
    TimeGenerated, DeviceName, CVE,
    ParentProcess = InitiatingProcessFileName,
    ParentCommandLine = InitiatingProcessCommandLine,
    ChildProcess = FileName,
    CommandLine = ProcessCommandLine,
    AccountName
| sort by TimeGenerated desc
💡 Deploy in Sentinel → Analytics → Create rule. Baseline the parent/child pairs and the Task Scheduler exclusion in your environment before enabling the rule; svchost.exe as a parent is noisy without tuning. The CVE column is a label only: a hit means suspicious process ancestry on a host, not confirmed exploitation of this CVE, so pair it with patch-state and bug-check data when triaging.
🔧 Mitigation & Recommendations
- Step 1: Apply the Microsoft security update immediately via Windows Update, WSUS, or your configuration management tooling. The MSRC advisory for CVE-2026-33827 is the authoritative source for affected and fixed builds; verify the installed build and UBR against it rather than closing the finding on a KB listing alone.
- Step 2: Restrict inbound network traffic to affected systems with perimeter and host firewall rules, and remove any internet-facing exposure of unpatched hosts until patching is confirmed. The vulnerable component is the IP stack itself, not an application listening on one port, so do not assume that blocking a single service closes the exposure; allow only what management and essential dependencies require.
- Step 3: Deploy the KQL detection query above in Microsoft Sentinel → Analytics. Given the Critical severity, run the rule every 5 minutes, and set the rule's query period to match the run frequency (or enable event grouping); a 24-hour lookback combined with a 5-minute schedule re-raises the same events on every run.
- Step 4: Treat as a P1 incident. Activate your vulnerability management process, notify stakeholders, and target full patch deployment within 24–48 hours, starting with internet-facing and domain-critical hosts.
- Step 5: If immediate patching is not possible, isolate affected hosts as a compensating control: default-deny inbound at the host firewall with a management-only allow list, move the host to a segmented network, or take it offline. There is no service to disable; the TCP/IP stack cannot be turned off on a networked host, so network-level isolation is the only compensating control available until the update is installed.
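The following is an added example of the compensating control in Steps 2 and 5, not code from the original advisory. It is run elevated on an affected host and assumes that `$ManagementSubnet` (a placeholder value here) is the only network that needs to reach the host while it is unpatched, over RDP and WinRM, so that it can still be patched remotely. It sets default-deny inbound on every firewall profile, adds the management allow rules, and then lists every remaining inbound allow rule that accepts traffic from any remote address, since each of those is a path to the vulnerable stack that the default-deny does not close.

```powershell
# Added compensating-control example for CVE-2026-33827; not part of the original
# advisory. Run elevated on the affected host. $ManagementSubnet is an assumption:
# replace it with your jump/management network. This reduces who can send packets
# to the vulnerable stack; it does not fix the bug.
param(
    [string]$ManagementSubnet = '10.0.100.0/24',
    [string]$RuleGroup = 'CVE-2026-33827 compensating controls'
)

function Set-InboundLockdown {
    param([string]$ManagementSubnet, [string]$RuleGroup)
    # 1. Default-deny inbound on all profiles. Existing enabled allow rules still
    #    match before the default action, which is why Get-InboundExposure follows.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

    # 2. Allow RDP and WinRM only from the management subnet so the host stays patchable.
    $rules = @(
        @{ DisplayName = 'CVE-2026-33827 mgmt RDP';   Protocol = 'TCP'; LocalPort = 3389 },
        @{ DisplayName = 'CVE-2026-33827 mgmt WinRM'; Protocol = 'TCP'; LocalPort = 5985, 5986 }
    )
    foreach ($r in $rules) {
        # Idempotent: skip rules that already exist from an earlier run
        if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule @r -Group $RuleGroup -Direction Inbound -Action Allow `
                -RemoteAddress $ManagementSubnet -Profile Any | Out-Null
        }
    }
}

function Get-InboundExposure {
    # Enabled inbound allow rules whose remote address is unrestricted ('Any'). Review
    # each one: disable it, or scope it with Set-NetFirewallRule -RemoteAddress.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        if ($addr.RemoteAddress -eq 'Any') {
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Profile   = $_.Profile
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
            }
        }
    }
}

Set-InboundLockdown -ManagementSubnet $ManagementSubnet -RuleGroup $RuleGroup
Get-InboundExposure | Format-Table -AutoSize
```

One caveat a practitioner should weigh before relying on this: the Windows host firewall is a filter inside the same network stack that contains the bug. Whether it prevents a crafted packet from reaching the vulnerable code path depends on where in the packet-processing path the bug sits, which this advisory does not state. Treat network-edge filtering and segmentation as the stronger control, and the host firewall as defence in depth, until the update is installed.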
Sujit Mahakhud
Microsoft Sentinel Specialist · secbyte.in
Sujit is a cybersecurity practitioner with 31+ years of experience, specialising in Microsoft Sentinel, SOC operations, and enterprise threat detection. He helps security teams cut through noise and focus on real threats.
