Microsoft has provided details on a critical Windows security vulnerability that allows hackers full remote code execution over IPv6, as detailed in the MSRC CVE-2024-38063 guidance. This allows attackers to run anything they wish to steal information and data, monitor users, and cause havoc. Users of affected Windows OSs should apply the August patches immediately or disable IPv6 in the network card device manager.

The zero-click attack has a Common Vulnerability Scoring System (CVSS 3.1) rating of 9.8, an extremely critical security vulnerability, because attackers do not require user accounts and passwords of target computers. The attackers also do not require any user action for the breach to occur.

Microsoft has not fully disclosed the details of this vulnerability, first reported by Cyber KunLun, due to the ease with which hackers can use this information to create hacking tools. However, the company did note that the vulnerability exists due to poorly written code that allows an integer underflow condition to occur, opening the door to attacks.

Affected Windows OSs include Windows Server 2008 through 2022, Windows 10, and Windows 11 32-bit and 64-bit versions. A comprehensive list of affected Windows OSs along with links to the appropriate August 2024 patches is published in the MSRC CVE-2024-38063 guidance.

All Windows users should immediately install the August 2024 security patch or disable IPv6.