IRONSMITHINTEL
Critical · CVSS 9.8
CVE-2026-33824 | Auth: none | Reboot: required | Manual only

KB5082198: Windows Server 2016 Security Update (April 2026)

An attacker can take over any Windows Server with IPsec / IKEv2 enabled by sending a single crafted UDP packet, with no credentials.

Published Apr 14, 2026 · Updated May 21, 2026
Why patch (risk explained in plain English)

Worst-case scenario (if unpatched)

An attacker who can reach UDP 500 or UDP 4500 on a vulnerable server — and these ports are exposed on the internet for any server acting as a VPN endpoint — can send a crafted IKEv2 packet, trigger the double-free, and execute code in the IKE service. The IKE service runs as SYSTEM, so the attacker lands with the highest privileges on the host, with no authentication and no user interaction.

How the attack works

The Windows Internet Key Exchange (IKE) Service Extensions are the component that negotiates IPsec security associations using IKEv2 — the protocol that establishes the keys behind site-to-site VPNs, "Always-On" VPN, and DirectAccess. A double-free bug in how the service handles memory during IKEv2 packet processing lets an attacker free the same memory twice, corrupt the heap, and gain code execution. The service listens on UDP 500 and 4500 on every Windows host that has IPsec configured.

Am I affected? (quick check)

Probably yes if any of these apply:

Any server acting as an IKEv2 / IPsec endpoint (VPN, "Always-On" VPN, DirectAccess)
Any server with IPsec policies that respond to IKEv2 handshakes

Affected OS versions

Windows Server 2016
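The checklist above can be run as a script. The following is an added example, not code from Ironsmith Intel or Microsoft: it reports whether the host is Windows Server 2016 (OS build 14393), whether the IKEEXT service is present and running, whether anything is bound to UDP 500 or 4500, how many IPsec rules are active, and whether KB5082198 is already installed. The function name is an assumption.

```powershell
# Added example (not from Ironsmith Intel or Microsoft): report whether this host
# matches the exposure profile for CVE-2026-33824. Function name is an assumption.
function Test-IkeExposure {
    [CmdletBinding()]
    param()

    # Windows Server 2016 is OS build 14393; CurrentBuild and UBR live in the registry
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $isServer2016 = ($ver.CurrentBuild -eq '14393')

    # IKEEXT is the service that implements the IKE and AuthIP IPsec keying modules
    $ike = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue

    # Anything bound to UDP 500 (IKE) or UDP 4500 (IKE over NAT-T) is reachable by a crafted packet
    $listeners = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 500, 4500 } |
        Select-Object LocalAddress, LocalPort, OwningProcess

    # Active IPsec rules are what make the host answer an IKEv2 handshake at all
    $ipsecRules = Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' }

    # Patch state for KB5082198 (Get-HotFix errors when the KB is absent, hence SilentlyContinue)
    $patched = [bool](Get-HotFix -Id KB5082198 -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsServer2016       = $isServer2016
        Build              = "$($ver.CurrentBuild).$($ver.UBR)"
        IkeServiceState    = if ($ike) { $ike.Status.ToString() } else { 'NotPresent' }
        IkeListeners       = $listeners
        ActiveIPsecRules   = @($ipsecRules).Count
        KB5082198Installed = $patched
        LikelyExposed      = (-not $patched) -and $isServer2016 -and ($null -ne $listeners)
    }
}

Test-IkeExposure | Format-List
```

Run it in an elevated PowerShell session; `LikelyExposed` is true only for an unpatched Server 2016 host that actually has a UDP 500/4500 listener, which is the combination this entry is about.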

Real-world incidents (what we've seen)

A retailer's site-to-site VPN endpoint sits on the internet on UDP 500/4500 — the standard configuration. An attacker scans for IKEv2 responders, finds the endpoint, and sends a single crafted packet. The VPN service crashes, the attacker tunes the exploit, and on the next attempt has SYSTEM-level code running on the firewall-segment server. Within minutes they pivot through the trusted VPN tunnel into the corporate network the VPN was supposed to protect.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB5082198 (https://catalog.update.microsoft.com/Search.aspx?q=KB5082198)

Manual remediation steps

If you cannot patch immediately

Block inbound UDP 500 and UDP 4500 at the perimeter firewall for any server that is not an intentional VPN endpoint. For intentional endpoints, restrict source addresses to known peers until the patch is applied.
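The perimeter rule above is the primary mitigation; the host firewall can carry the same policy as defence in depth. The following is an added example, not code from Ironsmith Intel or Microsoft. With no peers given it blocks inbound UDP 500/4500 outright (for a server that is not meant to be an IPsec endpoint); with a peer list it adds an allow rule scoped to those peers and then warns about any other enabled inbound allow rule that still covers these ports, because such a rule would reopen the exposure. The function name, rule names, and the peer addresses in the usage lines are assumptions.

```powershell
# Added example (not from Ironsmith Intel or Microsoft): host-firewall mitigation for the
# IKEv2 ports until KB5082198 is installed. Function and rule names are assumptions.
function Set-IkeExposureMitigation {
    [CmdletBinding()]
    param(
        # IPv4/IPv6 addresses or CIDR blocks of the peers allowed to negotiate IKEv2.
        # Leave empty for a server that is not meant to be an IPsec endpoint at all.
        [string[]]$KnownPeers = @()
    )

    $ports  = @('500', '4500')
    $prefix = 'CVE-2026-33824 mitigation'

    # Remove rules from any previous run so the function is idempotent
    Get-NetFirewallRule -DisplayName "$prefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    if ($KnownPeers.Count -eq 0) {
        # Not a VPN endpoint: block IKE/NAT-T inbound from everywhere. Block rules win over allow rules.
        New-NetFirewallRule -DisplayName "$prefix - block UDP 500/4500" `
            -Direction Inbound -Protocol UDP -LocalPort $ports -Action Block -Profile Any | Out-Null
        return 'Blocked inbound UDP 500/4500 from all sources.'
    }

    # Intentional endpoint: allow only the known peers. The default inbound action (Block)
    # handles everything else, so any OTHER enabled allow rule covering these ports would
    # reopen the exposure. Such rules are reported, not silently deleted.
    New-NetFirewallRule -DisplayName "$prefix - allow known peers" `
        -Direction Inbound -Protocol UDP -LocalPort $ports -RemoteAddress $KnownPeers `
        -Action Allow -Profile Any | Out-Null

    $broadAllows = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Protocol -eq 'UDP' -and
            ($_.LocalPort -contains 'Any' -or $_.LocalPort -contains '500' -or $_.LocalPort -contains '4500')
        } |
        Get-NetFirewallRule |
        Where-Object {
            $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
            $_.DisplayName -notlike "$prefix*"
        }

    foreach ($rule in $broadAllows) {
        $scope = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        $msg = "Rule '{0}' still allows inbound IKE from {1}; disable it or scope it to the peers (Disable-NetFirewallRule -Name '{2}')." -f `
               $rule.DisplayName, ($scope -join ','), $rule.Name
        Write-Warning $msg
    }
    return "Allowed inbound UDP 500/4500 only from: $($KnownPeers -join ', ')"
}

# Usage (constructed peer addresses):
# Set-IkeExposureMitigation                                               # non-endpoint: block everything
# Set-IkeExposureMitigation -KnownPeers '203.0.113.10','198.51.100.0/24'  # endpoint: known peers only
```

Remove the mitigation rules (`Get-NetFirewallRule -DisplayName 'CVE-2026-33824 mitigation*' | Remove-NetFirewallRule`) once the update is installed and verified, or keep the peer restriction permanently if the endpoint only ever talks to fixed peers.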

Prerequisites

    - Local administrator on the target server
    - Maintenance window with reboot capacity
    - Current backup or snapshot you can roll back to
    - Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

# If this returns the KB, you are already patched. If it returns nothing, continue.
Get-HotFix -Id KB5082198 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

# Trigger an immediate scan and install
UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5082198)

Manual download (offline or air-gapped servers):

- Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5082198
- Download the MSU for Windows Server 2016 that matches your architecture (x64).
- Copy the .msu file to the server and run it as Administrator.

3. Reboot

Restart-Computer -Force

Verification

After the reboot:

# The KB must appear with an InstalledOn date
Get-HotFix -Id KB5082198

# Confirm the OS build advanced: the UBR (last component) increments with each cumulative update
$v = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"$($v.CurrentBuild).$($v.UBR)"

If Get-HotFix returns nothing for KB5082198, the install did not take — re-run the update from a different channel.
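The verification above is per server. The following is an added example, not code from Ironsmith Intel or Microsoft, that runs the same Get-HotFix check across a list of hosts over WinRM and classifies each as PATCHED, REBOOT-PENDING (files staged, fix not yet active), MISSING, or UNREACHABLE; unreachable hosts are reported rather than dropped, since an unknown state is not a patched state. The function name and the host names in the usage lines are assumptions.

```powershell
# Added example (not from Ironsmith Intel or Microsoft): verify KB5082198 across a list of
# Windows Server 2016 hosts over WinRM. Function name and host names are assumptions.
function Get-Kb5082198Status {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [pscredential]$Credential
    )

    # Runs on each remote host and returns its patch state
    $remote = {
        $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        $fix = Get-HotFix -Id KB5082198 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Build         = "$($ver.CurrentBuild).$($ver.UBR)"
            Installed     = [bool]$fix
            InstalledOn   = if ($fix) { $fix.InstalledOn } else { $null }
            # Component Based Servicing sets this key while a reboot is outstanding
            RebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
        }
    }

    foreach ($name in $ComputerName) {
        $params = @{ ComputerName = $name; ScriptBlock = $remote; ErrorAction = 'Stop' }
        if ($Credential) { $params.Credential = $Credential }
        try {
            $r = Invoke-Command @params
            $state = if (-not $r.Installed)  { 'MISSING' }
                     elseif ($r.RebootPending) { 'REBOOT-PENDING' }
                     else                      { 'PATCHED' }
            [pscustomobject]@{ ComputerName = $name; State = $state; Build = $r.Build; InstalledOn = $r.InstalledOn }
        } catch {
            # Report unreachable hosts instead of skipping them: unknown is not patched
            [pscustomobject]@{ ComputerName = $name; State = "UNREACHABLE ($($_.Exception.Message))"; Build = $null; InstalledOn = $null }
        }
    }
}

# Usage (constructed host names):
# Get-Kb5082198Status -ComputerName 'vpn01','vpn02' | Format-Table -AutoSize
# Get-Kb5082198Status -ComputerName (Get-Content .\servers.txt) | Where-Object State -ne 'PATCHED'
```

Feed the MISSING and REBOOT-PENDING rows back into the install and reboot steps above; a REBOOT-PENDING host is still vulnerable until it restarts.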

Rollback

# Remove the update (last resort — only if the update breaks a workload)
wusa.exe /uninstall /kb:5082198 /quiet /norestart
# Reboot after uninstall

Cumulative updates can be removed but the server then loses every fix that update delivered, including this one. Prefer rolling forward to a newer cumulative.

Notes

    - This entry covers Windows Server 2016 specifically (KB5082198). Other Windows Server versions have their own KB for CVE-2026-33824.
    - Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33824 and NVD https://nvd.nist.gov/vuln/detail/CVE-2026-33824.

PowerShell automation (coming soon)

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.