CVE-2026-49791: July Updates Fix Windows RRAS Privilege Escalation

Microsoft has fixed CVE-2026-49791, an Important-rated elevation-of-privilege vulnerability in Windows Routing and Remote Access Service that could let a low-privileged local attacker manipulate file access and gain greater control of an affected system. The correction arrived with the July 14, 2026 security updates and applies across supported Windows client and server releases.
Detailed in Microsoft’s Security Update Guide, the vulnerability carries a CVSS 3.1 score of 7.1. Microsoft says it was neither publicly disclosed nor exploited when the update was released, while the Zero Day Initiative also lists it as a local privilege-escalation issue with no known active attacks.
Administrators should include the fix in their normal July Patch Tuesday rollout rather than treating CVE-2026-49791 as an internet-exposed emergency. Its local attack requirements reduce immediate perimeter risk, but the flaw offers exactly the kind of post-compromise capability attackers use after obtaining an initial foothold.

Infographic showing Windows Server RRAS, VPN connections, a CVE attack attempt, and July 2026 protection.RRAS Trusts the Wrong File Target​

CVE-2026-49791 is classified as CWE-59, improper link resolution before file access, commonly called link following. This class of vulnerability occurs when privileged software accesses a path without safely verifying where a symbolic link, junction, mount point, or similar redirection ultimately leads.
In practical terms, an attacker may be able to prepare a link that causes RRAS to operate on a different file or directory than Microsoft intended. If the service subsequently writes, replaces, or deletes that target using elevated permissions, an ordinary account could interfere with protected system resources.
Microsoft’s CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. That scoring describes a local attack with low complexity, requiring low privileges but no action from another user.
The confidentiality impact is rated none, so Microsoft is not describing this as a direct mechanism for stealing protected information. Integrity and availability impacts are both rated high, however, indicating that successful exploitation could allow significant modification of resources or disruption of the affected machine.
Microsoft has marked the vulnerability’s report confidence as confirmed. That designation means the company considers the flaw’s existence and technical basis established, rather than inferred from incomplete research or an unverified report.

Local Does Not Mean Harmless​

CVE-2026-49791 cannot be exploited directly across a network according to Microsoft’s published vector. An attacker first needs authenticated, low-privileged access to the Windows computer and must then execute the exploit locally.
That distinction matters for RRAS because its name naturally suggests a remotely exploitable VPN or routing attack. This vulnerability resides in the Routing and Remote Access Service, but Microsoft’s assessment does not indicate that an anonymous internet user can trigger it merely by sending traffic to an exposed RRAS endpoint.
The more realistic concern is an attack chain. A threat actor could gain an initial foothold through phishing, a compromised application, stolen credentials, or a separate remote-code-execution vulnerability, then use CVE-2026-49791 to escape the restrictions of the compromised account.
Successful privilege escalation can turn a contained user-level incident into a system-level compromise. Depending on the exploit’s final behavior, that could enable tampering with protected files, disabling security controls, installing persistent services, or disrupting the host.
No user interaction is required after the attacker reaches the machine. The low-complexity rating also means Microsoft has not identified unusual timing requirements or difficult environmental conditions that would make exploitation inherently unreliable.
Those characteristics justify prioritizing RRAS servers and shared administrative systems even though Microsoft rated the vulnerability Important rather than Critical. VPN and routing servers often occupy trusted network positions, making the consequences of a privileged compromise potentially broader than the score alone conveys.

The Fix Spans Clients and Servers​

The CVE record lists a wide range of affected Windows releases, including Windows 10, Windows 11, and Windows Server. The affected inventory reaches from older Windows Server installations through Windows Server 2025, including corresponding Server Core deployments.
Named affected platforms include:
  • Windows 10 versions 1607, 1809, 21H2, and 22H2 are affected where those releases remain eligible for updates.
  • Windows 11 versions 24H2, 25H2, and 26H1 are affected.
  • Windows Server 2012 and Windows Server 2012 R2 are affected, including Server Core installations.
  • Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025 are affected.
The presence of a Windows edition in the CVE inventory does not necessarily mean every machine is actively configured as an RRAS server. It means the vulnerable component is shipped with that Windows release and should be corrected through the applicable cumulative update.
For Windows 11 24H2 and 25H2, July’s fix is included in KB5101650, which advances the systems to builds 26100.8875 and 26200.8875 respectively. Windows 10 21H2 and 22H2 receive the correction through KB5099539, moving eligible installations to builds 19044.7548 and 19045.7548.
Windows 10 requires additional attention because ordinary support for version 22H2 ended on October 14, 2025. Machines still running it need an applicable Extended Security Updates entitlement or another supported servicing path to receive July 2026 protections.
Administrators should not rely solely on whether the RRAS management console appears configured. The safer validation method is to compare installed cumulative updates and OS build numbers against Microsoft’s July release, using tools such as Windows Update, WSUS, Microsoft Configuration Manager, Intune, or an enterprise vulnerability scanner.

Patch the Foothold, Then Audit the Privilege Boundary​

Microsoft has not published a workaround that offers the same protection as installing the security update. Disabling RRAS may reduce exposure on systems where the service is unnecessary, but it should not be treated as a general substitute for updating the vulnerable Windows component.
For servers actively delivering VPN, dial-up, Network Address Translation, or LAN routing services, administrators should test the July cumulative update against their specific configuration. Validation should cover tunnel establishment, authentication, route propagation, certificate use, accounting, and any Network Policy Server integration before broad deployment.
Security teams should also monitor local link-manipulation behavior around privileged services. Unexpected creation of symbolic links or NTFS junctions in writable directories, particularly when followed by privileged file changes, can be a useful investigative signal even though Microsoft has not released public exploit details for this CVE.
The absence of known exploitation on July 14 is reassuring but temporary by nature. Once a patch is available, researchers and attackers can compare updated binaries with older versions to identify the corrected code path, a process commonly known as patch diffing.
CVE-2026-49791 is therefore less a reason to interrupt every workload immediately than a reason to keep July’s Windows cumulative updates moving. Organizations should patch RRAS hosts and other high-trust servers first, confirm that endpoints have reached their corrected build levels, and investigate any system that remains on a pre-July 14, 2026 build without a documented exception.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top