IRONSMITHINTEL
CRITICAL · CVSS 9.8
CVE-2022-34718 | Auth: none | Reboot: required | Manual only

KB5017367: Windows Server 2012 R2 Security Update (September 2022)

A crafted IPv6 packet can give an attacker SYSTEM-level code execution on any Windows host running IPsec with IPv6 enabled.

Published Sep 13, 2022 · Updated May 21, 2026
Why patch: risk explained in plain English

Worst-case scenario if unpatched

An attacker who can deliver IPv6 packets to a Windows host with IPsec enabled can send a crafted packet that triggers the reassembly bug and execute code in kernel context. No credentials, no user interaction. IPv6 is enabled by default on every modern Windows host; IPsec is enabled by default on many domain-joined servers and on hosts that participate in any IPsec policy.

How the attack works

The Windows TCP/IP stack is the kernel-mode driver that handles every IP packet. A flaw in the IPv6 fragment reassembly function (Ipv6pReassembleDatagram) lets a crafted IPv6 packet corrupt kernel memory when reassembled on a host with IPsec enabled. Disclosed as "EvilESP" by researchers.

Am I affected? Quick check

Probably yes if any of these apply:

Every Windows Server with IPv6 enabled AND IPsec configured (the common default)

Affected OS versions

Windows Server 2012 R2

Real-world incidents: what we've seen

A corporate environment uses IPsec for tunnel-mode traffic between data centres. Every IPsec endpoint also has IPv6 enabled because that is the Windows default. An attacker who can deliver IPv6 packets to the endpoint — possible from anywhere on the routed network — sends a crafted IPv6 packet and gains kernel-level code execution on a perimeter device.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB5017367

Manual remediation steps

Check whether IPsec is in use

Get-Service PolicyAgent | Select-Object Name, Status, StartType
Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue | Select-Object -First 5

Hosts without IPsec active are not vulnerable — but patch regardless.

Prerequisites

    1. Local administrator on the target server
    2. Maintenance window with reboot capacity
    3. Current backup or snapshot you can roll back to
    4. Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5017367 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait

Manual download (offline / air-gapped):

    1. Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5017367
    2. Download the MSU for Windows Server 2012 R2 that matches your architecture (x64).
    3. Copy the .msu file to the server and run it as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5017367
[System.Environment]::OSVersion.Version
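As an added example (not the site's own script, which this entry notes is not yet available), the following PowerShell function combines the IPsec check above with the patch and IPv6 checks and returns one exposure summary for the host; the function name Get-Cve202234718Exposure is my own.

```powershell
# Added example: assess a Windows Server 2012 R2 host for CVE-2022-34718 exposure.
# Checks (1) whether KB5017367 is installed, (2) whether IPv6 is bound to any
# adapter, and (3) whether the IPsec Policy Agent is running with at least one
# active IPsec rule. Returns a summary object; run as local administrator.
function Get-Cve202234718Exposure {
    [CmdletBinding()]
    param(
        [string]$KbId = 'KB5017367'   # Windows Server 2012 R2 KB from this entry
    )

    # 1. Patch state. Caveat: a later cumulative monthly rollup that supersedes
    #    KB5017367 will not appear under this KB id; treat Patched=$false as
    #    "verify the installed rollup date", not as proof the fix is absent.
    $hotfix  = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    $patched = [bool]$hotfix
    $installedOn = if ($hotfix) { $hotfix.InstalledOn } else { $null }

    # 2. IPv6 enabled on at least one adapter (ms_tcpip6 is the IPv6 binding)
    $ipv6Bound   = Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue |
                   Where-Object Enabled
    $ipv6Enabled = [bool]$ipv6Bound

    # 3. IPsec in use: Policy Agent running and at least one rule in the active store
    $agent       = Get-Service PolicyAgent -ErrorAction SilentlyContinue
    $ipsecRules  = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue)
    $ipsecActive = ($agent -and $agent.Status -eq 'Running' -and $ipsecRules.Count -gt 0)

    # Exposed only when unpatched AND both preconditions from the advisory hold.
    # Hosts without IPsec active still need the patch (see the note above).
    $exposed = (-not $patched) -and $ipv6Enabled -and $ipsecActive

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        KbId           = $KbId
        Patched        = $patched
        InstalledOn    = $installedOn
        IPv6Enabled    = $ipv6Enabled
        IPsecActive    = $ipsecActive
        IPsecRuleCount = $ipsecRules.Count
        Exposed        = $exposed
    }
}

Get-Cve202234718Exposure | Format-List
```

Run it before step 1 to triage which servers need the maintenance window first, and again after the reboot to confirm Patched is $true.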

Rollback

wusa.exe /uninstall /kb:5017367 /quiet /norestart

Notes

    1. This entry covers Windows Server 2012 R2 specifically (KB5017367). Other Windows Server versions have their own KB for CVE-2022-34718.
    2. Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34718 and NVD https://nvd.nist.gov/vuln/detail/CVE-2022-34718.

PowerShell automation (coming soon)

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.