KB5017367: Windows Server 2012 R2 Security Update (September 2022)
A crafted IKE / IPsec packet can give an attacker SYSTEM-level code execution on any Windows Server with IPsec configured.
An attacker who can reach UDP 500 or UDP 4500 on a Windows host with IPsec / IKE configured — and those ports are exposed on the public internet for any server acting as a VPN endpoint — can send a crafted packet and execute code as SYSTEM. No credentials, no user interaction. IKE RCEs are particularly dangerous because the affected hosts sit at the network perimeter.
The Windows IKE (Internet Key Exchange) and AuthIP IPsec Keying Modules service (IKEEXT) negotiates IPsec security associations, the key-exchange foundation behind site-to-site VPNs, Always-On VPN, and DirectAccess. It listens on UDP 500 (IKE) and UDP 4500 (IKE NAT traversal) on any host where IPsec is in use. The flaw is in the service's IKE packet handler: while the IKE and AuthIP IPsec Keying Modules are active, a crafted packet corrupts memory and lets the sender execute code in the SYSTEM context, before any peer authentication has taken place.
Am I affected? Probably yes if the IKE and AuthIP IPsec Keying Modules service (IKEEXT) is running on the host and UDP 500/4500 are reachable from networks you do not trust.
Affected OS versions
Windows Server 2012 R2 (the OS this KB targets). Other Windows versions are covered by their own September 2022 updates, not by KB5017367.
A retailer's site-to-site VPN endpoint sits on the public internet with UDP 500/4500 open, the standard configuration for an IKE responder. An attacker scans for IKEv2 responders, finds the endpoint, sends the crafted packet, and lands SYSTEM on the VPN concentrator. From there the attacker controls the host that terminates every tunnel and already sits inside the corporate network the VPN was supposed to protect; no credentials were needed at any point.
Manual download
For air-gapped servers or out-of-band deployment. Searching the Microsoft Update Catalog for KB5017367 returns the x86 and x64 packages for this update (Windows 8.1 and Windows Server 2012 R2); other Windows versions use different KB numbers.
Microsoft Update Catalog: KB5017367
Manual remediation steps
Check whether IPsec / IKE is in use
The IKE and AuthIP IPsec Keying Modules service (IKEEXT) must be running for the vulnerable packet handler to be reachable:
Get-Service IKEEXT | Select-Object Name, Status, StartType
(StartType is populated only on PowerShell 5.0 or later; the stock PowerShell 4.0 on Server 2012 R2 leaves that column blank.) If the service is stopped or disabled, no IPsec rules are enabled, and UDP 500/4500 are not reachable from untrusted networks, exposure is minimal: patch on the standard cadence. A stopped service can still be started later by a policy change, so treat that as reduced exposure, not immunity.
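The check above only looks at the service. The following triage script, added here as an example and not part of the original page, also checks whether anything is bound to UDP 500/4500, whether IPsec is actually configured, and whether KB5017367 is already present, then prints a verdict. It assumes an elevated PowerShell session on the server and uses only built-in cmdlets (Get-CimInstance, Get-NetUDPEndpoint, Get-NetIPsecRule, Get-NetIPsecMainModeSA, Get-HotFix); the verdict strings are this example's own wording.

```powershell
# Added triage script (not from the original page): is this host exposed to the IKE flaw?
# Run in an elevated PowerShell on the server being assessed.
$Kb = 'KB5017367'

# 1. Service state via WMI. This works on the stock PowerShell 4.0 of Server 2012 R2,
#    where Get-Service output has no StartType property.
$svc = Get-CimInstance Win32_Service -Filter "Name='IKEEXT'"
"IKEEXT: State=$($svc.State) StartMode=$($svc.StartMode)"

# 2. Local UDP listeners on the IKE (500) and IKE NAT-T (4500) ports.
$ikePorts  = 500, 4500
$listeners = @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
               Where-Object { $ikePorts -contains $_.LocalPort })
foreach ($l in $listeners) { "listening: $($l.LocalAddress):$($l.LocalPort)" }

# 3. Is IPsec configured? Enabled connection-security rules or live main-mode SAs say yes.
$rules = @(Get-NetIPsecRule -ErrorAction SilentlyContinue | Where-Object { $_.Enabled -eq 'True' })
$mmSAs = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)
"Enabled IPsec rules: $($rules.Count); active main-mode SAs: $($mmSAs.Count)"

# 4. Patch state: Get-HotFix returns nothing when the update is absent.
$patched = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)

# Verdict. Reachability from the internet cannot be judged from the host alone;
# check the perimeter firewall for UDP 500/4500 separately.
if ($patched) {
    "$Kb installed."
} elseif ($svc.State -eq 'Running' -and $listeners.Count -gt 0) {
    "EXPOSED: $Kb missing, IKEEXT running and bound to UDP 500/4500. Patch out of band."
} else {
    "$Kb missing, but IKEEXT is not running or not listening. Patch on the standard cadence."
}
```

Run it across the estate (for example through Invoke-Command) and prioritise the hosts that print EXPOSED; those are the ones a network scan for IKE responders would find.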
Prerequisites
Local administrator rights on the server, a maintenance window for the reboot, and, for offline hosts, the .msu package downloaded from the Update Catalog.
Estimated time
20–40 minutes per server (download + install + reboot)
Reboot required
Yes. The fix is not active until the server reboots after the update is installed.
Steps
1. Confirm the server is missing the patch (no output from Get-HotFix means the update is not installed)
if (-not (Get-HotFix -Id KB5017367 -ErrorAction SilentlyContinue)) { 'KB5017367 is NOT installed' }
2. Install the update — pick one channel
Windows Update / WSUS (preferred). UsoClient.exe exists only on Windows 10 / Server 2016 and later, so on Server 2012 R2 trigger a detection cycle and then install from Windows Update (or approve KB5017367 in WSUS):
wuauclt.exe /detectnow
On Server 2016 and later the one-shot equivalent is:
UsoClient ScanInstallWait
Manual download (offline / air-gapped), using the .msu fetched from the Update Catalog (the file name below is a placeholder; use the one the catalog gives you):
wusa.exe C:\patches\windows8.1-kb5017367-x64.msu /quiet /norestart
Exit code 3010 means the install succeeded and a reboot is pending.
3. Reboot
Restart-Computer -Force
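The three steps above as one script, added here as an example and not a script from the original page: it drives the Windows Update Agent COM API (Microsoft.Update.Session), which exists on Server 2012 R2 where UsoClient does not, falls back to wusa.exe for an offline host, and reboots only when the install reports it. It assumes an elevated session; the KB number is the page's, the $MsuPath value is a placeholder you must set for offline use, and the result-code mapping is the documented OperationResultCode enumeration.

```powershell
# Added example (not from the original page): install KB5017367 and reboot.
$Kb      = '5017367'
$MsuPath = ''   # offline only: path to the .msu from the Update Catalog (placeholder; set it yourself)

if (Get-HotFix -Id "KB$Kb" -ErrorAction SilentlyContinue) {
    "KB$Kb already installed."
    return
}

if ($MsuPath) {
    # Offline / air-gapped: wusa installs the standalone package.
    # 0 = success, 3010 = success and reboot pending, 2359302 = already installed.
    $p = Start-Process -FilePath wusa.exe -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru
    "wusa exit code: $($p.ExitCode)"
    $rebootNeeded = @(0, 3010) -contains $p.ExitCode
} else {
    # Online: ask the Windows Update Agent (Windows Update or WSUS, whichever the host uses).
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software'")
    $coll     = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $result.Updates) {
        # KBArticleIDs is a string collection; match on the bare number.
        if (@($u.KBArticleIDs) -contains $Kb) {
            if (-not $u.EulaAccepted) { $u.AcceptEula() }
            [void]$coll.Add($u)
        }
    }
    if ($coll.Count -eq 0) {
        throw "KB$Kb not offered by Windows Update / WSUS; check WSUS approval or use the Update Catalog."
    }
    $dl = $session.CreateUpdateDownloader()
    $dl.Updates = $coll
    [void]$dl.Download()
    $inst = $session.CreateUpdateInstaller()
    $inst.Updates = $coll
    $r = $inst.Install()
    # OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed, 5 = Aborted
    "Install ResultCode: $($r.ResultCode); RebootRequired: $($r.RebootRequired)"
    if ($r.ResultCode -notin 2, 3) { throw "Install of KB$Kb failed (ResultCode $($r.ResultCode))." }
    $rebootNeeded = $r.RebootRequired
}

if ($rebootNeeded) {
    # The fix is not live until the server restarts.
    Restart-Computer -Force
}
```

After the reboot, run the Get-HotFix check from the Verification section; a row for KB5017367 is the only confirmation that counts.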
Verification
Get-HotFix -Id KB5017367
A row with HotFixID KB5017367 and an InstalledOn date means the update is in place; no output means it is still missing.
[System.Environment]::OSVersion.Version
This reports the OS family (6.3.9600 for Server 2012 R2) and does not change when the rollup is installed; it only confirms the host is one this KB applies to. The Get-HotFix result is the actual verification.
Rollback
wusa.exe /uninstall /kb:5017367 /quiet /norestart
A reboot is needed to complete the removal. Uninstalling re-exposes the vulnerable IKE handler, so if you must roll back, block UDP 500/4500 from untrusted networks until the update is reinstalled.
Notes
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.