A vulnerability was recently discovered in IPv6, the protocol created with the goal of enabling new, longer, and more complex types of IP addresses. On Tuesday, August 13, Microsoft issued a statement about this “zero‑click” vulnerability, which has been assigned the code CVE‑2024‑38063.
This remote code execution (RCE) vulnerability affects all Windows systems with IPv6 enabled, making it a potential threat to millions of devices worldwide.
Remote Code Execution (RCE) is a vulnerability that allows an attacker to run malicious commands or programs on a remote system by exploiting a software flaw. This enables the attacker to perform unauthorized actions such as accessing data, installing malware, or even taking full control of the affected system. This type of vulnerability is especially serious because it allows the attacker to manipulate the system as if they were the legitimate owner.
Vulnerability Description
This vulnerability, discovered by researcher XiaoWei from Kunlun Lab, has been classified as critical with a CVSSv3 score of 9.8. It can be exploited remotely by sending specially crafted IPv6 packets to a target without requiring any user interaction, which is why it is categorized as a zero‑click vulnerability.
This security flaw is related to an integer underflow (CWE‑191) and can be exploited by attackers to overflow the buffer and execute arbitrary code on vulnerable Windows systems.
If an attacker successfully exploits the vulnerability, they could execute code on the target system with SYSTEM‑level privileges, allowing them to take full control of the compromised machine.
Additionally, the vulnerability is considered “wormable”, meaning it could potentially propagate automatically between vulnerable systems, significantly increasing its reach and potential impact.
Importance of the Vulnerability
This vulnerability is extremely dangerous because it allows attackers to compromise a system without any user interaction (zero‑click), making it almost undetectable and very difficult to prevent. In addition, the malicious code executes with system‑level privileges, giving the attacker full control over the device and allowing them to install malware, steal data, or take remote control. The ease of exploitation further increases the risk, making this a critical vulnerability that must be addressed urgently to prevent significant damage.
Proof of Concept
In the proof of concept (PoC) published by researcher Ynwarcs, the technical steps required to exploit the vulnerability are detailed. These steps involve precise manipulation of packets and header fields, which triggers unexpected behavior during the IPv6 packet reassembly process.
According to the researcher, the key to exploiting CVE‑2024‑38063 lies in forcing a timeout during IPv6 packet reassembly. This leads to an integer underflow, followed by a buffer overflow.
A brief outline of how this vulnerability can be exploited is as follows:
▪️Manipulated IPv6 packet — An attacker crafts a malicious IPv6 packet containing
executable code. This packet is specifically designed to exploit a flaw in the way
Windows handles IPv6 packets.
▪️Packet delivery — The attacker sends the malicious packet to the IP address of the
target machine.
▪️Packet processing — When the system receives the packet, Windows processes it
incorrectly due to a flaw in the TCP/IP stack, allowing the injected malicious code
to execute.
▪️Execution of malicious code — The malicious code runs with SYSTEM‑level
privileges, granting the attacker full control over the compromised device.
Proof‑of‑Concept Links
https://github.com/ynwarcs/CVE-2024-38063
https://malwaretech.com/2024/08/exploiting-CVE-2024-38063.html
Video Proof of Concept
https://www.youtube.com/watch?v=MMIg54MCpOw
https://www.youtube.com/watch?v=r-fqJaHRoHs
Affected Platforms
The affected platforms include, in addition to the versions that are no longer supported:
▪️Windows 10
▪️Windows 11
▪️Windows Server 2008
▪️Windows Server 2012
▪️Windows Server 2016
▪️Windows Server 2019
▪️Windows Server 2022
▪️Windows Server 2025
Prevention and Mitigation
The most effective way to protect against this vulnerability is to apply the security patch provided by Microsoft.
It is important to note, as indicated by XiaoWei from Kunlun Lab, that disabling IPv6 in the Windows Firewall will not prevent exploitation, because the vulnerability is triggered before packets are processed by the firewall.
Steps to disable IPv6
Click on the Start menu and select Settings, then click on Network & Internet.
Then click Change adapter options.
In the Status section, click Change adapter options.
Next, right‑click on the adapter or network connection you are using (for example, Ethernet or Wi‑Fi) and select Properties.
In the list of items, uncheck the box next to Internet Protocol Version 6 (TCP/IPv6).
And finally, click OK to apply the changes.
If updating immediately is not possible, Microsoft suggests disabling IPv6 to reduce the attack surface. However, it also clarifies that IPv6 is an integral part of Windows Vista and later versions, so disabling it could affect the operation of some components of the operating system.