← CIO Briefings · Critical Impact ACTION REQUIRED

Wormable Windows Network Vulnerability Requires Immediate Patching — All IPv6-Enabled Networks at Risk

A race condition in the Windows TCP/IP stack allows self-propagating, unauthenticated remote code execution across networks with IPv6 enabled — which is the default configuration for all modern Windows systems. Demonstrated at Pwn2Own 2026 and patched in April's Patch Tuesday, unpatched organisations face a threat capable of spreading automatically from a single compromised host across entire network segments, comparable in propagation characteristics to EternalBlue.

4 min read

What Happened

Microsoft’s April 2026 Patch Tuesday included a fix for CVE-2026-33827, a race condition in the Windows TCP/IP network driver. The vulnerability was demonstrated at Pwn2Own 2026 — a security competition where researchers demonstrate working exploits against fully patched systems — confirming that exploitation is technically feasible, not theoretical.

An attacker on the same network as an unpatched Windows system can exploit this vulnerability without any credentials, without any action from a user on the target machine, and without any prior access to the organisation’s network beyond being network-adjacent. If the attacker’s code successfully executes, the compromised machine can then automatically attempt to exploit other unpatched Windows systems on the same network segment.

This self-spreading capability — called “wormable” — is what makes this vulnerability significantly more dangerous than its CVSS score of 8.1 suggests.

Business Impact

  • All modern Windows systems are affected by default: IPv6 is enabled on every modern Windows installation out of the box. This is not a niche configuration — it is the standard state of every Windows 10, Windows 11, Windows Server 2016, 2019, 2022, and 2025 installation unless explicitly changed.
  • Worm propagation multiplies the blast radius: A single unpatched workstation or server connected to your network can become the source of an automated attack against every other unpatched system on the same network segment — without any further attacker involvement.
  • Two weeks since Patch Tuesday means exposure is ongoing: The April Patch Tuesday was released April 15. Many enterprise environments are still completing their patch deployment cycle. Every unpatched system represents a potential entry point and propagation source.
  • Similar risk profile to EternalBlue: The WannaCry ransomware that encrypted hundreds of thousands of systems worldwide in 2017 used a comparable wormable vulnerability. WannaCry caused an estimated $4–8 billion in global damages. The characteristics here — unauthenticated, wormable, affecting all Windows versions — are the same class of risk.

Board-Ready Summary

  • A vulnerability has been confirmed in all modern Windows systems that allows an attacker to automatically spread from computer to computer across your network without requiring passwords or any action from your staff
  • This is the same type of vulnerability that powered WannaCry ransomware in 2017 — the patch Microsoft released two weeks ago stops it
  • Your security team needs to confirm that the April Windows security update has been deployed to all systems, not just the most critical servers, and report completion status

Immediate — within 24 hours:

  1. Query your patch management system for the April 2026 cumulative update deployment status across all Windows endpoints. Prioritise servers first, particularly those with broad network adjacency (domain controllers, file servers, database servers, systems in data centre environments with flat networking)
  2. For any system that cannot be patched immediately, disable IPv6 via Group Policy as a temporary compensating control: Set-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6 -Enabled $false — disable IPv6 only where it is not operationally required; test for impact first in non-production

Within 48 hours: 3. Validate patch deployment completion for Windows Server environments, with specific attention to virtualisation hosts — an ESXi or Hyper-V host running multiple unpatched Windows VMs provides an attacker multiple lateral movement targets from a single entry point 4. Review network segmentation posture: confirm that production server segments are not broadcast-adjacent to user workstation segments, which would allow worm propagation from a compromised workstation to server infrastructure

Ongoing: 5. Enable alerting on anomalous internal scanning behaviour — a host generating high-rate, destination-diverse TCP connection attempts on internal IP ranges is a signature of worm activity. Add or verify this detection in your SIEM 6. Accelerate patch deployment cadence for April Patch Tuesday across remaining endpoints and ensure patch deployment reporting is visible to the security team, not just IT operations