A vulnerability was found in the Windows IPv6 implementation that allows computers to be infected remotely and unnoticed

Microsoft has warned of the need to install a patch for a vulnerability that threatens all Windows systems using the IPv6 protocol, which is enabled by default. The vulnerability lies in the TCP/IP implementation: it allows remote code execution, and the likelihood of its exploitation is assessed as high.


The discovery was made by expert Xiao Wei from Kunlun Lab. The vulnerability, identified as CVE-2024-38063, is caused by an integer underflow error and can be exploited to execute arbitrary code on vulnerable Windows 10, Windows 11, and Windows Server systems. The author of the discovery said that, given the severity of the threat, he would not disclose details about the vulnerability in the near future, but warned that blocking IPv6 on the local Windows Firewall will not close the vulnerability, since it is triggered before the firewall processes the packets.

Unauthenticated attackers can remotely exploit the vulnerability, Microsoft explained, by repeatedly sending IPv6 packets, including specially crafted ones. “Moreover, Microsoft is aware of past exploits of this type of vulnerability. This makes it an attractive target for attackers and thus increases the likelihood of creating exploits,” the company added. Windows users are advised to install this week’s security updates. Completely disabling IPv6 may cause some system components to stop working because it is an integral part of Windows Vista and Windows Server 2008 and later versions.

Dustin Childs, director of threat awareness for Trend Micro’s Zero Day Initiative, called CVE-2024-38063 one of the most serious vulnerabilities fixed in this week’s Windows update. It allows a potential attacker to remotely execute code simply by sending specially crafted IPv6 packets; no victim involvement is required. You can prevent its exploitation by completely blocking IPv6, but this protocol is enabled by default in almost all components. This means that hackers can write a worm, a malicious program that spreads through computer networks on its own, taking advantage of the CVE-2024-38063 error.

Published by
admin
