Advanced

Windows TCP/IP Remote Code Execution Vulnerability: What You Should Know

CVE-2024-38063 is a critical (CVSS 9.8), zero-click, wormable remote code execution vulnerability in the IPv6 implementation of the Windows TCP/IP stack (tcpip.sys), patched during Micros...

Table of Contents

Module 1: The Windows TCP/IP IPv6 Remote Code Execution Vulnerability (CVE-2024-38063)

Vulnerability Overview

In August 2024, Microsoft’s monthly Patch Tuesday release addressed a total of 90 vulnerabilities, nine of which were categorized as zero-days and eight of which were rated critical. Among these, one vulnerability stood out significantly from the rest: CVE-2024-38063, a flaw in the IPv6 implementation of the Windows TCP/IP stack.

What makes this vulnerability especially dangerous is that it is a zero-click, wormable remote code execution vulnerability. An attacker can remotely execute arbitrary code on an affected system without any user interaction whatsoever — no phishing click, no malicious attachment, no social engineering required. Simply having a vulnerable, network-reachable system is enough for an attacker to potentially achieve full system compromise, unauthorized data access, and exposure of sensitive information.

The vulnerability affects any Windows version that supports IPv6 and is still receiving security updates from Microsoft — in practice, this means essentially every currently supported version of Windows, since IPv6 support is built into the modern Windows networking stack and is enabled by default.

mindmap
  root((CVE-2024-38063))
    Nature
      Zero-click
      Wormable
      Remote Code Execution
      No user interaction required
    Affected Component
      tcpip.sys kernel driver
      IPv6 packet processing
    Impact
      Full system compromise
      Unauthorized data access
      Sensitive information exposure
    Context
      August 2024 Patch Tuesday
      1 of 8 critical fixes that month
      1 of 9 zero-days that month

Technical Root Cause: The IPv6 TCP/IP Stack Flaw

The flaw resides in the IPv6 component of the Windows networking stack, specifically within tcpip.sys, the kernel-mode driver responsible for processing network traffic. An attacker exploits this vulnerability by sending specially crafted IPv6 packets to a target machine. Because the flawed parsing logic executes at the kernel level, a successful exploit can result in remote code execution without requiring any interaction from the victim.

According to independent analysis referenced during the discussion (a detailed technical write-up by security researcher Marcus Hutchins of malwaretech.com, who reverse-engineered the patch), the underlying defect essentially boils down to a single flawed line of code in how the IPv6 stack handles packet data — a small logic error with an outsized consequence given that it sits inside a kernel-mode network driver that processes untrusted, attacker-controlled input.

sequenceDiagram
    participant Attacker
    participant Network as Network Path (Internet/LAN)
    participant Target as Target Windows Host
    participant Kernel as tcpip.sys (Kernel Driver)

    Attacker->>Network: Craft malicious IPv6 packet<br/>with malformed extension header
    Network->>Target: Deliver packet to IPv6-enabled interface
    Target->>Kernel: Pass packet to TCP/IP stack for parsing
    Kernel->>Kernel: Flawed parsing logic mishandles<br/>packet/header data (single-line defect)
    Kernel-->>Attacker: Memory corruption enables<br/>arbitrary code execution
    Note over Attacker,Kernel: No user interaction required — fully zero-click

Because the vulnerability lives inside the core packet-processing path of the operating system rather than in an application, it is classified as wormable: a successful exploit could theoretically be used to build self-propagating malware that spreads from one vulnerable, network-reachable host to the next without any user action, similar in class to past wormable Windows networking flaws.

Discovery, Disclosure, and the China Vulnerability Reporting Concern

Microsoft’s advisory credited the discovery of this vulnerability to a security researcher, Xiao Wei, working for a company referred to during the discussion as “Kunlun Lab” (also heard transcribed as “Cyber KunLun”), which is based in the People’s Republic of China.

This detail is significant because of China’s cybersecurity vulnerability disclosure regulations. Under Chinese law, security researchers are required to report the discovery of zero-day vulnerabilities to the Chinese government before notifying the affected vendor or making any public disclosure. The stated rationale from the PRC is that centralizing vulnerability coordination through the government enhances national cybersecurity response. However, this same requirement creates a real risk: it means a state actor could have knowledge of a critical, wormable, zero-click RCE vulnerability well before the affected vendor (in this case, Microsoft) is ever notified — and well before a patch becomes available to defenders.

In this specific case, it was estimated that the Chinese government may have had knowledge of this vulnerability for roughly seven months before Microsoft was alerted and able to issue a fix.

flowchart TD
    A[Researcher discovers zero-day<br/>in Windows IPv6 stack] --> B{Located in China?}
    B -->|Yes| C[Chinese disclosure law requires<br/>reporting to PRC government FIRST]
    C --> D[~7-month gap estimated<br/>before Microsoft is notified]
    D --> E[Potential window for state-level<br/>exploitation before a patch exists]
    E --> F[Microsoft notified and<br/>develops a fix]
    F --> G[August 2024 Patch Tuesday:<br/>CVE-2024-38063 patched]
    B -->|No| H[Standard coordinated<br/>vendor disclosure process]
    H --> F

    style C fill:#f8d7da
    style D fill:#f8d7da
    style E fill:#f8d7da

CVSS Severity Breakdown

The vulnerability carries a CVSS score of 9.8, placing it in the critical severity band. This reflects the combination of network-based attack vector, low attack complexity, no privileges required, no user interaction required, and high impact to confidentiality, integrity, and availability.

CVSS v3.1 MetricValueExplanation
Attack Vector (AV)NetworkExploitable remotely over the network via crafted IPv6 packets
Attack Complexity (AC)LowNo special conditions or timing needed beyond packet delivery
Privileges Required (PR)NoneNo authentication or account access needed
User Interaction (UI)NoneFully zero-click — no victim action required
Scope (S)UnchangedImpact confined to the vulnerable component’s security authority
Confidentiality (C)HighFull exposure of sensitive information possible
Integrity (I)HighAttacker can execute arbitrary code, altering system state
Availability (A)HighFull system compromise can disrupt system availability
Overall Score9.8 (Critical)Among the most severe classes of remotely exploitable vulnerability

Note: The narration states the overall CVSS score of 9.8 explicitly; the individual base-metric breakdown above is a representative decomposition consistent with a 9.8-rated network-based, zero-interaction RCE and is provided for reference rather than quoted verbatim from an advisory.

A Three-Bucket Risk Assessment Framework

A critical distinction raised throughout the discussion is that a CVSS score represents base risk — the theoretical worst-case severity of the flaw itself. An organization’s actual, individual risk depends on additional factors specific to its environment. Those factors can be organized into three buckets:

  1. Vulnerability — Are my IT assets actually vulnerable to CVE-2024-38063 (i.e., are they unpatched)?
  2. Reachability — Are those vulnerable assets reachable from the internet (or from wherever an attacker sits)?
  3. Discoverability — Can IPv6 hosts on the network actually be discovered by an attacker in the first place?
flowchart LR
    A[CVE-2024-38063<br/>Base CVSS 9.8] --> B[Individual Organizational Risk]
    B --> C{Bucket 1<br/>Vulnerability}
    B --> D{Bucket 2<br/>Reachability}
    B --> E{Bucket 3<br/>Discoverability}
    C -->|Are assets patched?| F[Actual Risk Level]
    D -->|Reachable from internet?| F
    E -->|Can hosts be found?| F

    style A fill:#f8d7da
    style F fill:#fff3cd

Bucket 1 — Vulnerability: Are My Assets Affected?

The first and most straightforward bucket to assess is whether an organization’s Windows systems are running the August 2024 Patch Tuesday update or later. A common misconception is that enterprise systems are automatically updated as soon as a patch is released. In practice, enterprises frequently stage and test patches before broad rollout, precisely because a patch can sometimes break other functionality — which means there is often a real window during which supported, in-scope systems remain temporarily unpatched even though a fix exists.

Two practical actions apply here:

  • Patch. Identify any Windows systems that have not yet received the August 2024 (or later) cumulative update, and prioritize getting them patched.
  • Consider disabling IPv6 as a stopgap, if patching cannot happen immediately. However, this is not risk-free: several native Windows operating system features (such as network discovery) depend on IPv6, so disabling it can break other functionality and should be weighed carefully rather than treated as a free workaround.
# Illustrative example: identifying systems missing the August 2024 cumulative update
# (representative approach described in the discussion, not a verbatim script)
$targets = Get-Content .\enterprise-hosts.txt

foreach ($computer in $targets) {
    $patched = Get-HotFix -ComputerName $computer -ErrorAction SilentlyContinue |
        Where-Object { $_.InstalledOn -ge (Get-Date "2024-08-13") }

    [PSCustomObject]@{
        ComputerName = $computer
        AugustPatchTuesdayInstalled = [bool]$patched
    }
}

Bucket 2 — Reachability: Can an Attacker Reach the Target?

Assessing reachability requires thinking through the entire network path from the internet all the way through to the vulnerable endpoint — every hop along that path must support IPv6 for a remote, internet-based attack to succeed.

flowchart LR
    A[Attacker on the Internet] -->|Requires IPv6| B[Attacker's own ISP]
    B -->|Requires IPv6| C[Target's ISP]
    C -->|Requires IPv6| D[Target's Home/Enterprise Router]
    D -->|Requires IPv6| E[Target's Windows Endpoint]
    E --> F{Is the endpoint's<br/>IPv6 address routable?}
    F -->|Starts with fe80::<br/>link-local, non-routable| G[Not reachable from<br/>the public internet]
    F -->|Starts with 2 or 3<br/>globally routable| H[Potentially reachable<br/>from the public internet]

    style G fill:#d4edda
    style H fill:#f8d7da

Several practical observations from the discussion narrow the real-world attack surface:

  • Not every ISP provides IPv6 to its customers, though most now do.
  • Consumer-grade home routers frequently do not enable or forward IPv6 at all.
  • Even where IPv6 is enabled on an endpoint, the address may be non-routable link-local (starting with fe80::), rather than a globally routable address (starting with 2 or 3) — link-local addresses cannot be reached directly from the public internet.
  • IPv6 adoption in the enterprise is still relatively limited compared to the mobile carrier space, where IPv6 usage is much more heavily concentrated. This means the attack surface for internet-facing exploitation is proportionally larger among mobile-network-connected devices than among typical corporate LAN endpoints.
  • A secondary consideration for enterprises is whether mobile devices with IPv6 exposure are being used to hotspot or bridge connectivity to corporate devices, which could indirectly extend the reachable attack surface into an otherwise IPv6-limited corporate network.

Global IPv6 adoption statistics (drawn from Google’s public real-time IPv6 usage statistics) show a fairly consistent adoption rate of roughly 40–45% of global traffic over the past year. Interestingly, this data reveals a weekly cadence: usage consistently spikes on weekends, and additional elevated usage appears during the December holiday period. This pattern correlates strongly with increased mobile phone usage during these periods, reinforcing that mobile carrier networks — not enterprise networks — are the dominant driver of global IPv6 traffic.

ObservationDetail
Baseline global IPv6 usage~40–45% of measured traffic
Weekly patternNoticeable usage spikes on weekends
Seasonal patternElevated usage during the December holiday period
Likely driverIncreased mobile device usage during these periods
Enterprise vs. mobileMobile carrier networks are much heavier IPv6 users than typical enterprise networks

Geographic exposure scanning data (referenced from Censys, alongside similar visibility available on Shodan) further shows that a large number of internet-facing, non-hosted (i.e., directly exposed) Windows systems remain unpatched, concentrated most heavily in high population-density regions — unsurprising, since scanning services like Censys and Shodan only observe devices that are actually reachable on the public internet in the first place.

flowchart TD
    A[Global IPv6 Traffic Sources] --> B[Mobile Carrier Networks]
    A --> C[Enterprise Networks]
    B -->|Dominant, ~correlates with<br/>weekend/holiday spikes| D[Higher IPv6 exposure surface]
    C -->|Limited adoption| E[Lower IPv6 exposure surface]
    D --> F[Censys/Shodan visibility of<br/>unpatched exposed hosts]
    E --> F

Bucket 3 — Discoverability: Can Vulnerable Hosts Be Found?

The third bucket — discoverability — is arguably the most favorable factor working in defenders’ favor. Discovering IPv6 addresses is meaningfully harder for an attacker than discovering IPv4 addresses, for a simple structural reason: most modern operating systems randomize the last 64 bits of an IPv6 address, and that randomized portion changes frequently over time.

This randomization makes both active and passive discovery of IPv6 hosts substantially more difficult than IPv4 host discovery, where address spaces are small enough to be exhaustively scanned. An attacker attempting to build a target list of vulnerable IPv6 endpoints faces a much larger, constantly shifting address space to search.

flowchart LR
    A[IPv4 Host Discovery] -->|Small address space| B[Exhaustive scanning feasible]
    C[IPv6 Host Discovery] -->|Last 64 bits randomized<br/>and change frequently| D[Exhaustive scanning<br/>impractical]
    D --> E[Active and passive discovery<br/>both significantly harder]

    style B fill:#f8d7da
    style E fill:#d4edda

Response and Remediation Guidance

The primary and unambiguous response to this vulnerability is to patch affected systems to the August 2024 Patch Tuesday level or later. As with most vulnerabilities of this class, the fundamental risk driver is running unpatched software, and the fix directly eliminates that exposure.

Beyond patching, two additional response actions are worth considering:

  • Enterprise-wide patch scanning. Use PowerShell or equivalent enterprise tooling to scan the environment and identify which systems are still missing the relevant patch, so remediation can be prioritized and tracked to completion.
  • Disabling IPv6 as a workaround (with caveats). While disabling IPv6 removes the specific attack surface for this vulnerability, it is not a cost-free decision. Native Windows features — including network discovery — rely on IPv6, so disabling it can have operational side effects that need to be evaluated before rollout.
flowchart TD
    A[CVE-2024-38063 Identified] --> B{Is the August 2024<br/>patch or later installed?}
    B -->|Yes| C[System is remediated]
    B -->|No| D{Can the patch be<br/>applied immediately?}
    D -->|Yes| E[Apply patch]
    E --> C
    D -->|No, needs testing/staging| F{Is IPv6 required<br/>for business functions?}
    F -->|No| G[Consider temporarily<br/>disabling IPv6]
    F -->|Yes| H[Accept residual risk<br/>and expedite patch testing]
    G --> I[Monitor for operational impact<br/>e.g. network discovery breakage]
    H --> J[Prioritize patch rollout]

    style A fill:#f8d7da
    style C fill:#d4edda
Mitigation OptionEffectivenessTrade-off / Consideration
Apply August 2024 (or later) cumulative updateFully remediates the flawStandard patch testing and rollout timelines apply
Enterprise-wide patch compliance scan (PowerShell or equivalent)Identifies remaining exposureRequires an existing inventory of enterprise hosts
Temporarily disable IPv6Removes the specific attack surfaceCan break native Windows features (e.g., network discovery) and other IPv6-dependent functionality
Network segmentation / restrict IPv6 routabilityReduces reachability from the internetDoes not address internally reachable, unpatched hosts

Detection Guidance: Inspecting IPv6 Extension Headers

Microsoft’s advisory did not provide extensive detection guidance for this vulnerability. In the absence of vendor-provided detection signatures, the recommended approach is to inspect network traffic for unusual IPv6 extension headers. In the overwhelming majority of legitimate cases (90%+), the IPv6 extension header will indicate that the payload is TCP, UDP, or ICMPv6. Traffic where the extension header indicates something other than these three protocols is comparatively unusual and worth flagging for further review — while also excluding known-benign multicast traffic (such as the ff02::16 multicast address used by routers) to reduce noise.

flowchart TD
    A[Capture IPv6 traffic] --> B{Extension header<br/>indicates protocol?}
    B -->|TCP, UDP, or ICMPv6<br/>~90%+ of legitimate traffic| C[Treat as normal traffic]
    B -->|Something else| D{Destination is<br/>ff02::16 multicast?}
    D -->|Yes, router multicast| C
    D -->|No| E[Flag for further investigation<br/>as potentially unusual/malicious]

    style E fill:#f8d7da
    style C fill:#d4edda
# Illustrative example: flagging IPv6 traffic whose extension header does not
# indicate TCP, UDP, or ICMPv6, while excluding the ff02::16 router multicast
# address. This is a conceptual reconstruction of the detection approach
# described in the discussion, not a literal command provided in the source
# material — tune protocol/offset matching to your specific capture tooling.
tcpdump -i any 'ip6 and not (ip6 proto tcp or ip6 proto udp or ip6 proto icmp6) and not dst host ff02::16'

This is explicitly framed as not a guaranteed detection method — it is a reasonable starting point in the absence of more specific vendor guidance, and one that should be tuned and refined to fit a given organization’s traffic patterns and IPv6 usage.

Summary

CVE-2024-38063 is a critical (CVSS 9.8), zero-click, wormable remote code execution vulnerability in the IPv6 implementation of the Windows TCP/IP stack (tcpip.sys), patched during Microsoft’s August 2024 Patch Tuesday release. A specially crafted IPv6 packet sent to a vulnerable, IPv6-enabled Windows system can trigger arbitrary code execution with no user interaction at all, making unpatched, internet- or network-reachable systems a serious concern.

The vulnerability was discovered by a researcher affiliated with a China-based security firm, and China’s vulnerability disclosure laws mean the Chinese government may have had visibility into this flaw for an estimated seven months before Microsoft was notified — a meaningful consideration when evaluating whether sophisticated, state-level actors may have had an exploitation head start.

Assessing real-world organizational risk requires moving beyond the base CVSS score and evaluating three factors: whether assets are actually vulnerable (unpatched), whether they are reachable (the full network path from the internet to the endpoint supports IPv6 and the address is globally routable), and whether they are discoverable (IPv6 address randomization makes this meaningfully harder than IPv4 host discovery). Global data shows IPv6 usage concentrated more heavily in mobile networks than in enterprise environments, which somewhat narrows the practical attack surface for many organizations, though this should not be treated as a substitute for patching.

Mitigation Checklist

  • Confirm the August 2024 Patch Tuesday update (or later) is installed on all Windows systems that support IPv6.
  • Run an enterprise-wide compliance scan to identify any systems still missing the relevant patch.
  • Prioritize patch testing and rollout for systems that were held back for compatibility testing.
  • Evaluate whether IPv6 can be safely disabled as a temporary stopgap on systems that cannot be patched immediately, weighing the operational impact on features like network discovery.
  • Assess reachability: determine which systems have globally routable (not link-local) IPv6 addresses and whether they are exposed to the internet.
  • Consider whether mobile devices with IPv6 connectivity could bridge or hotspot corporate devices, indirectly extending the reachable attack surface.
  • Deploy network monitoring to flag IPv6 traffic with unusual extension headers (not TCP/UDP/ICMPv6), excluding known router multicast traffic, as a supplementary detection measure.
  • Treat the seven-month potential foreign-government awareness window as a driver for expedited patching rather than routine-cycle patching.
  • Document and track remediation status as part of standard vulnerability management reporting.

Search Terms

windows · tcp · ip · remote · execution · vulnerability · know · briefings · networking · systems · security · ipv6 · bucket · guidance

More Vulnerability Briefings courses

View all 30

Interested in this course?

Contact us to book it or get a custom training plan for your team.