Always On VPN Security Updates July 2026

Microsoft released the July 2026 Windows security updates today, including several fixes that directly affect Always On VPN deployments. This month’s release addresses vulnerabilities in the Secure Socket Tunneling Protocol (SSTP), Internet Key Exchange (IKE), and the Routing and Remote Access Service (RRAS), making it an important update for organizations using Always On VPN.

SSTP Remote Code Execution

The highest-priority issue for Always On VPN administrators is a Remote Code Execution (RCE) vulnerability affecting the Secure Socket Tunneling Protocol (SSTP). SSTP is commonly used for Always On VPN user tunnel connections. Because SSTP is, by design, exposed directly to the Internet, vulnerabilities affecting this protocol deserve immediate attention. Microsoft rates this vulnerability as Critical with a CVSS base score of 8.1.

CVE-2026-50694 – Windows SSTP Remote Code Execution Vulnerability

IKE Vulnerabilities

These vulnerabilities primarily affect IKE-based VPN connections and could allow an attacker to disrupt VPN connectivity using specially crafted packets. While Microsoft rates these vulnerabilities as Important rather than Critical, organizations should still plan to deploy these updates promptly.

CVE-2026-50721 – IKEv1 Denial of Service via RSA-SHA1 authentication payload

CVE-2026-50722 – IKEv2 Denial of Service via RSA-SHA1 authentication payload

CVE-2026-12413 – IKEv2 Denial of Service via malformed fragmentation

CVE-2026-50696 – IKE Protocol Denial of Service Vulnerability

RRAS Vulnerabilities

The July 2026 security updates also address several vulnerabilities in the Windows Server Routing and Remote Access Service (RRAS). All are rated Important by Microsoft.

CVE-2026-57096 – Windows RRAS Elevation of Privilege Vulnerability

CVE-2026-49791 – Windows RRAS Elevation of Privilege Vulnerability

CVE-2026-50451 – Windows RRAS Elevation of Privilege Vulnerability

Summary

The SSTP RCE vulnerability is particularly concerning because the service is typically exposed to the Internet and could allow an unauthenticated attacker to execute code remotely. Organizations should prioritize deployment of this update. The IKE and RRAS vulnerabilities are rated Important and can generally be addressed during the next scheduled maintenance window, although administrators should avoid unnecessary delays in applying these updates.

Leave a comment

Leave a Reply

Discover more from Richard M. Hicks Consulting, Inc.

Subscribe now to keep reading and get access to the full archive.

Continue reading