CVE-2026-50694 – Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability

CVSS 8.1 IMPORTANT Critical or Zero Day – Immediate Deployment

“A single malicious VPN packet can become a direct path to server compromise when protocol handling fails.”

A use-after-free vulnerability in Windows Secure Socket Tunneling Protocol allows an unauthorized attacker to execute arbitrary code over a network. An attacker can target a vulnerable SSTP server by sending a specially crafted malicious packet. No privileges or user interaction are required, but exploitation has high attack complexity.

CVSS Score: 8.1

SEVERITY: Critical

THREAT:
This vulnerability affects Windows SSTP, a protocol used to carry VPN traffic over HTTPS. A successful attack could allow remote code execution on the server, potentially enabling malware deployment, unauthorized access to sensitive information, service disruption, or further compromise of the surrounding network.

EXPLOITS:
Microsoft assesses exploitation as unlikely. The CVSS v3.1 temporal metrics list exploit code maturity as Unproven. The data does not confirm public disclosure, active exploitation, or publicly available proof-of-concept exploit code.

TECHNICAL SUMMARY:
The vulnerability is caused by a use-after-free condition (CWE-416) in Windows Secure Socket Tunneling Protocol. The flaw occurs when the SSTP component accesses memory after it has already been released. An attacker can send a specially crafted SSTP packet to a vulnerable server, potentially causing memory corruption and arbitrary code execution. The CVSS v3.1 metrics identify a network attack vector, high attack complexity, no privileges required, and no user interaction.

EXPLOITABILITY:
Affected products include Windows 10 versions 1607, 1809, 21H2, and 22H2, Windows 11 versions 24H2, 25H2, and 26H1, and Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025, including affected Server Core installations. Exploitation requires specially crafted SSTP traffic to reach a vulnerable server, but no authentication or user interaction is required.

BUSINESS IMPACT:
SSTP may be exposed on systems that provide remote-access VPN services. Successful exploitation could compromise an internet-facing server, expose sensitive data, disrupt remote connectivity, and provide attackers with a foothold for broader attacks against enterprise systems.

WORKAROUND:
No mitigations or workarounds are available.

URGENCY:
This vulnerability should be prioritized because it is rated Critical and can lead to remote code execution without authentication or user interaction. Although exploitation requires complex conditions and Microsoft assesses it as unlikely, successful exploitation could result in full compromise of an SSTP server.

Key Details

Affected Product
Microsoft Windows 10 1607
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
CWE Classification
CWE-416
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.