Microsoft released the July 2026 Windows security updates today, including several fixes that directly affect Always On VPN deployments. This month’s release addresses vulnerabilities in the Secure Socket Tunneling Protocol (SSTP), Internet Key Exchange (IKE), and the Routing and Remote Access Service (RRAS), making it an important update for organizations using Always On VPN.
SSTP Remote Code Execution
The highest-priority issue for Always On VPN administrators is a Remote Code Execution (RCE) vulnerability affecting the Secure Socket Tunneling Protocol (SSTP). SSTP is commonly used for Always On VPN user tunnel connections. Because SSTP is, by design, exposed directly to the Internet, vulnerabilities affecting this protocol deserve immediate attention. Microsoft rates this vulnerability as Critical with a CVSS base score of 8.1.
CVE-2026-50694 – Windows SSTP Remote Code Execution Vulnerability
IKE Vulnerabilities
These vulnerabilities primarily affect IKE-based VPN connections and could allow an attacker to disrupt VPN connectivity using specially crafted packets. While Microsoft rates these vulnerabilities as Important rather than Critical, organizations should still plan to deploy these updates promptly.
CVE-2026-50721 – IKEv1 Denial of Service via RSA-SHA1 authentication payload
CVE-2026-50722 – IKEv2 Denial of Service via RSA-SHA1 authentication payload
CVE-2026-12413 – IKEv2 Denial of Service via malformed fragmentation
CVE-2026-50696 – IKE Protocol Denial of Service Vulnerability
RRAS Vulnerabilities
The July 2026 security updates also address several vulnerabilities in the Windows Server Routing and Remote Access Service (RRAS). All are rated Important by Microsoft.
CVE-2026-57096 – Windows RRAS Elevation of Privilege Vulnerability
CVE-2026-49791 – Windows RRAS Elevation of Privilege Vulnerability
CVE-2026-50451 – Windows RRAS Elevation of Privilege Vulnerability
Summary
The SSTP RCE vulnerability is particularly concerning because the service is typically exposed to the Internet and could allow an unauthenticated attacker to execute code remotely. Organizations should prioritize deployment of this update. The IKE and RRAS vulnerabilities are rated Important and can generally be addressed during the next scheduled maintenance window, although administrators should avoid unnecessary delays in applying these updates.








