CVE-2026-33824: Remote Code Execution in Windows IKEv2
ID: 948af26c-0551-5fab-8c93-ce7402dffdcd
STIX ID: report--948af26c-0551-5fab-8c93-ce7402dffdcd
Feed Name: Zero Day Initiative (ZDI) Blog
This report provides technical detection guidance for an IKEv2-related exploit. The logic is a two-stage correlation: monitor UDP ports 500 and 4500 for an IKE_SA_INIT message that carries the Microsoft Security Realm Vendor ID (a 16-byte sequence in a Vendor ID payload), then watch for a fragmented IKE_AUTH message (Encrypted and Authenticated Fragment payload, SKF) in the same IKE SA that contains a specific 4-byte marker. Only the combination is treated as malicious; either observation alone is not. The report specifies the exact byte offsets to match (accounting for the 4-byte non-ESP marker that precedes IKE on port 4500), the hex sequences, and the correlation rules.
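The following is an added worked example of that correlation logic, written for this page and not taken from the ZDI report. It parses IKEv2 headers and payload chains per RFC 7296 and RFC 7383, strips the RFC 3948 non-ESP marker on port 4500, and raises an alert only when an IKE_AUTH SKF payload containing the marker follows an IKE_SA_INIT carrying the Vendor ID under the same initiator SPI. The `VENDOR_ID_PATTERN` and `SKF_MARKER` values are stand-ins (assumptions); the real 16-byte Vendor ID, the 4-byte marker and their exact offsets are in the report, and the sample packets are constructed inline.

```python
import struct

# Values from RFC 7296 (IKEv2), RFC 7383 (fragmentation) and RFC 3948 (UDP encap)
IKE_SA_INIT = 34
IKE_AUTH = 35
PAYLOAD_VENDOR_ID = 43
PAYLOAD_SKF = 53          # Encrypted and Authenticated Fragment
IKE_HDR_LEN = 28
NON_ESP_MARKER = b"\x00\x00\x00\x00"

# ASSUMPTION / placeholders: the real Microsoft Security Realm Vendor ID bytes and
# the real 4-byte marker come from the report; these are stand-ins for the demo.
VENDOR_ID_PATTERN = bytes(range(0xA0, 0xB0))   # 16 bytes, placeholder
SKF_MARKER = b"\xDE\xAD\xBE\xEF"               # 4 bytes, placeholder


def parse_ike(udp_payload, dst_port):
    """Return {'ispi', 'rspi', 'exch', 'payloads'} or None if not IKEv2."""
    data = udp_payload
    if dst_port == 4500:
        # UDP-encapsulated IKE is prefixed with four zero bytes; ESP is not.
        if not data.startswith(NON_ESP_MARKER):
            return None
        data = data[4:]
    if len(data) < IKE_HDR_LEN:
        return None
    ispi, rspi, next_pl, ver, exch, _flags, _msgid, _length = struct.unpack(
        "!QQBBBBII", data[:IKE_HDR_LEN])
    if ver >> 4 != 2:
        return None
    payloads, off, ptype = [], IKE_HDR_LEN, next_pl
    while ptype != 0 and off + 4 <= len(data):
        nxt, _crit, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            break  # malformed chain; keep what was parsed
        payloads.append((ptype, data[off + 4:off + plen]))
        off, ptype = off + plen, nxt
    return {"ispi": ispi, "rspi": rspi, "exch": exch, "payloads": payloads}


class IkeCorrelator:
    """Stage 1: note initiator SPIs whose IKE_SA_INIT carried the Vendor ID.
    Stage 2: alert when a later IKE_AUTH SKF payload on that SPI holds the marker."""

    def __init__(self):
        self.suspect_spis = set()
        self.alerts = []

    def feed(self, src, dst_port, udp_payload):
        msg = parse_ike(udp_payload, dst_port)
        if msg is None:
            return None
        if msg["exch"] == IKE_SA_INIT:
            for ptype, body in msg["payloads"]:
                if ptype == PAYLOAD_VENDOR_ID and VENDOR_ID_PATTERN in body:
                    self.suspect_spis.add(msg["ispi"])
        elif msg["exch"] == IKE_AUTH and msg["ispi"] in self.suspect_spis:
            for ptype, body in msg["payloads"]:
                if ptype == PAYLOAD_SKF and SKF_MARKER in body:
                    alert = (src, msg["ispi"])
                    self.alerts.append(alert)
                    return alert
        return None


def build_ike(ispi, rspi, exch, payloads, msgid=0):
    """Construct a minimal IKEv2 message from (payload_type, body) pairs (test data)."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!QQBBBBII", ispi, rspi, first, 0x20, exch, 0x08, msgid,
                      IKE_HDR_LEN + len(chain))
    return hdr + chain


def skf_body(marker):
    # Fragment Number, Total Fragments, then opaque IV/ciphertext/ICV (constructed)
    return struct.pack("!HH", 1, 2) + b"\x00" * 8 + marker + b"\x00" * 8


def demo():
    """Constructed traffic: one malicious session, one SPI with the marker but no
    matching IKE_SA_INIT, and one benign session with the Vendor ID only."""
    c = IkeCorrelator()
    c.feed("10.0.0.5", 500, build_ike(0xC0FFEE0011112222, 0, IKE_SA_INIT,
                                     [(PAYLOAD_VENDOR_ID, VENDOR_ID_PATTERN)]))
    c.feed("10.0.0.5", 4500, NON_ESP_MARKER + build_ike(
        0xC0FFEE0011112222, 0xABCDEF0000000001, IKE_AUTH,
        [(PAYLOAD_SKF, skf_body(SKF_MARKER))], msgid=1))
    c.feed("10.0.0.9", 4500, NON_ESP_MARKER + build_ike(
        0x1234567890ABCDEF, 0xABCDEF0000000002, IKE_AUTH,
        [(PAYLOAD_SKF, skf_body(SKF_MARKER))], msgid=1))
    c.feed("10.0.0.7", 500, build_ike(0xFEEDFACE00000001, 0, IKE_SA_INIT,
                                     [(PAYLOAD_VENDOR_ID, VENDOR_ID_PATTERN)]))
    return c.alerts


if __name__ == "__main__":
    print(demo())  # only the 10.0.0.5 session should be reported
```

Correlation is keyed on the initiator SPI, which is constant across the IKE_SA_INIT and IKE_AUTH exchanges of one SA, so the same logic works for port 500 and for port 4500 once the non-ESP marker is stripped. In production the suspect-SPI set should expire entries and be bounded, since an attacker can spray IKE_SA_INIT messages with arbitrary SPIs.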
