CVE-2026-50694
Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
Description
Use after free in Windows Secure Socket Tunneling Protocol (SSTP) allows an unauthorized attacker to execute code over a network.
In plain language
AI Act nowCVE-2026-50694 is a Windows bug that lets a remote attacker run code through SSTP without needing a login, so businesses running affected Windows versions should patch urgently.
CVE-2026-50694 is a use-after-free remote code execution flaw in Windows Secure Socket Tunneling Protocol (SSTP); it can be triggered over the network by an unauthenticated attacker.
What to do now
- Check whether your systems are running Windows and whether SSTP is enabled/used (for VPN/RRAS scenarios that terminate SSTP).
- Identify your exact Windows version/build and compare it to the fixed builds below.
- Patch now to the fixed version for your Windows branch (do not wait for symptoms):
- Windows 10: 10.0.14393.9339 OR 10.0.17763.9020 OR 10.0.19044.7548 OR 10.0.19045.7548
- Windows 11: 10.0.26100.8875 OR 10.0.26200.8875 OR 10.0.28000.2269
- Windows Server 2012: 6.2.9200.26226
- Windows Server 2012 R2: 6.3.9600.23291
- Windows Server 2016: 10.0.14393.9339
- Windows Server 2019: 10.0.17763.9020
- Windows Server 2022: 10.0.20348.5386
- If you can’t patch immediately, reduce exposure by blocking network access to the SSTP/VPN entry points from untrusted networks until updates are applied.
- After patching, verify the update installed successfully and keep an eye on SSTP/VPN-related logs for unusual connection attempts.
CVSS Vector Breakdown
AV:NAttack VectorAC:HAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:HConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
2 techniquesReferences
- Microsoft and Adobe Patch Tuesday, July 2026 Security Update Reviewen-us·Qualys Security Blog·
- Microsoft Patch Tuesday for July 2026 — Snort rules and prominent vulnerabilitiesen·Cisco Talos·
- Microsoft Patch Tuesday July 2026 - The AI Acopolypse is Hereen·SANS Internet Storm Center·
- Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-daysen-us·BleepingComputer·
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-50694 and every CVE in our database. Create a free account — no credit card required.
Create Free Account