Always On VPN Security Updates July 2026

Microsoft released the July 2026 Windows security updates today, including several fixes that directly affect Always On VPN deployments. This month’s release addresses vulnerabilities in the Secure Socket Tunneling Protocol (SSTP), Internet Key Exchange (IKE), and the Routing and Remote Access Service (RRAS), making it an important update for organizations using Always On VPN.

SSTP Remote Code Execution

The highest-priority issue for Always On VPN administrators is a Remote Code Execution (RCE) vulnerability affecting the Secure Socket Tunneling Protocol (SSTP). SSTP is commonly used for Always On VPN user tunnel connections. Because SSTP is, by design, exposed directly to the Internet, vulnerabilities affecting this protocol deserve immediate attention. Microsoft rates this vulnerability as Critical with a CVSS base score of 8.1.

CVE-2026-50694 – Windows SSTP Remote Code Execution Vulnerability

IKE Vulnerabilities

These vulnerabilities primarily affect IKE-based VPN connections and could allow an attacker to disrupt VPN connectivity using specially crafted packets. While Microsoft rates these vulnerabilities as Important rather than Critical, organizations should still plan to deploy these updates promptly.

CVE-2026-50721 – IKEv1 Denial of Service via RSA-SHA1 authentication payload

CVE-2026-50722 – IKEv2 Denial of Service via RSA-SHA1 authentication payload

CVE-2026-12413 – IKEv2 Denial of Service via malformed fragmentation

CVE-2026-50696 – IKE Protocol Denial of Service Vulnerability

RRAS Vulnerabilities

The July 2026 security updates also address several vulnerabilities in the Windows Server Routing and Remote Access Service (RRAS). All are rated Important by Microsoft.

CVE-2026-57096 – Windows RRAS Elevation of Privilege Vulnerability

CVE-2026-49791 – Windows RRAS Elevation of Privilege Vulnerability

CVE-2026-50451 – Windows RRAS Elevation of Privilege Vulnerability

Summary

The SSTP RCE vulnerability is particularly concerning because the service is typically exposed to the Internet and could allow an unauthenticated attacker to execute code remotely. Organizations should prioritize deployment of this update. The IKE and RRAS vulnerabilities are rated Important and can generally be addressed during the next scheduled maintenance window, although administrators should avoid unnecessary delays in applying these updates.

What’s New in Entra Private Network Connector v1.5.4892.0

An important update is available for the Microsoft Entra Private Network Connector. The Entra Private Network Connector is used to publish on-premises web applications to the internet. It is also used for Global Secure Access (GSA) with Entra Private Access, allowing GSA clients to access on-premises resources. Entra Private Network Connector v1.5.4892.0 includes important new functionality to streamline troubleshooting and improve stability and performance.

New Features

The Entra Private Network Connector v1.5.4892.0 now includes a diagnostic tool on the system tray. This gives administrators a visual indicator of connector status and provides quick access to diagnostics and log files.

Diagnostics

Right-clicking the connector and choosing ‘Connector diagnostics’ launches the Connector Diagnostics window. Here you’ll find three tabs: Overview, Health Check, and Advanced Logs.

Overview

The Overview tab provides details about the connector, such as the Tenant ID, Connector ID, version, supported TLS versions, the connector server’s IPv4 address (IPv6 information is not displayed), the server’s hostname, and the operating system version.

Health Check

Clicking on the Health Check tab will perform a comprehensive system health check. Status information for each check is provided, indicating whether it is Passed or Failed. Optionally, administrators can export the report in text, HTML, or JSON format for further analysis. Each health check can be expanded to reveal additional information about the individual check.

Advanced Logs

Clicking the Advanced Logs tab allows administrators to retrieve detailed log information. Session channel logging is enabled by default but can optionally be disabled if needed. You can choose specific start and end dates and times to collect logs, then click Retrieve Logs to collect them.

Once complete, it’s not immediately obvious where to find these logs. Clicking the Logs Retrieved button prompts the administrator to select a location in which to save the log files.

Improvements

This update improves the reliability of name resolution by filtering invalid DNS responses. In addition, the update improves connector logging to the Windows Event Log and fixes various issues and bugs.

Updating to v1.5.4892.0

Existing Entra Private Network Connector installations will not automatically receive this update. Administrators must manually download the connector from the Microsoft Entra admin center and apply the update themselves to take advantage of these new features and capabilities.

Additional Information

Microsoft Entra Private Network Connector v1.5.4892.0

Microsoft Entra Private Network Connector Overview and Deployment Strategies

Preventing Port Exhaustion on Entra Private Network Connector Servers

Windows Server 2025 Marks the End of Microsoft DirectAccess

Well, the time has finally come. Microsoft DirectAccess, first introduced in Windows Server 2008 R2, will be removed from the next release of Windows Server. This means that Windows Server 2025 is officially the end of the line for DirectAccess.

Why Is This Happening?

DirectAccess has had a good run, no doubt. However, DirectAccess is built on legacy technologies, making it difficult to implement and support in modern environments. For example, DirectAccess requires the following:

  • Domain-joined servers and clients
  • Active Directory group policy management
  • NTLMv2 for authentication
  • Complex IPv6 transition and translation technologies

Further, DirectAccess does not support:

  • Modern endpoint management using Microsoft Intune
  • Integration with Entra ID and Entra Conditional Access
  • Fine-grained user access control (zero trust)
  • Windows Professional or other non-Microsoft endpoints

Microsoft’s strategic focus has shifted toward cloud-native identity, device management, and Zero Trust access solutions, making DirectAccess increasingly difficult to align with modern enterprise requirements and ultimately resulting in Microsoft discontinuing DirectAccess.

What’s Next

Organizations should consider migrating from DirectAccess to Always On VPN or Entra Private Access. Always On VPN provides a traditional VPN-based remote access solution with broad deployment flexibility, while Entra Private Access offers a cloud-native Zero Trust approach for accessing private applications and resources.

Migration Path

Organizations currently relying on DirectAccess should begin planning their migration strategy now. Although Windows Server 2025 continues to support DirectAccess, future Windows Server releases will not, making proactive migration planning essential.

Get Expert Guidance on DirectAccess Migration

Every DirectAccess deployment is different. The right migration strategy depends on your existing infrastructure, identity platform, management approach, and security requirements. Complete the form below to discuss your environment and receive guidance on transitioning to Always On VPN or Entra Private Access.

Additional Information

Microsoft DirectAccess Deprecation on Future Windows Server Releases