Always On VPN November 2023 Security Updates

Microsoft has released its security updates for November 2023. For Always On VPN administrators, it’s a light month, with just a single CVE affecting Always On VPN infrastructure.


CVE-2023-36028 addresses a remote code execution (RCE) vulnerability in the Microsoft Protected Extensible Authentication Protocol (PEAP). An attacker could exploit this vulnerability by sending a specially crafted PEAP packet to a Windows Network Policy Server (NPS). This attack does not require authentication or user interaction.

Affected Systems

This PEAP vulnerability affects only NPS servers configured to support PEAP authentication explicitly. PEAP authentication is a best practice configuration for Always On VPN deployments and is widely deployed. NPS servers deployed to support other services, such as Wi-Fi or router and switch access that are configured to allow PEAP authentication, are also affected.


NPS servers are not (or should not be!) exposed directly to the public Internet. This limits the attack surface to adversaries already on the internal network.


Microsoft suggests disabling PEAP authentication support on NPS servers until the update is applied. However, this would break the majority of Always On VPN deployments today. Since disabling PEAP isn’t a viable option, administrators can reduce their attack surface by updating the NPS firewall rules to restrict access only to authorized VPN servers or other network devices until their systems are fully updated.

Additional Information

November 2023 Security Updates

CVE-2023-36028 PEAP Remote Code Execution Vulnerability

Leave a comment


  1. David Henderson

     /  November 15, 2023

    Hi Richard, Do you know if the updates has been released for Server 2022 via windows Update yet… My servers seem to be showing as “up to date” even though last installed updates where October I thought update where released on 14th this month ? (I am located in UK)

    • They should be. I just checked and all my test systems updated last night (early this morning, technically). Not sure if there’s a delay for the UK, but I wouldn’t think so.

      Give it another shot today and let me know what happens.

  2. Martin Asanza

     /  November 15, 2023

    server updated. thanks for the heads up.


Leave a Reply

Discover more from Richard M. Hicks Consulting, Inc.

Subscribe now to keep reading and get access to the full archive.

Continue reading