Always On VPN Security Updates June 2025

Patch Tuesday is upon us again; thankfully, it’s a light month of Always On VPN administrators. The Microsoft monthly security updates for June 2025 include just a few Windows Routing and Remote Access Service (RRAS) fixes. In addition, an update is available for a vulnerability in the Windows Remote Access Connection Manager. Significantly, DirectAccess administrators are affected this month by a vulnerability identified in the Windows KDC Proxy Service (KPSSVC).

RRAS Updates

The Microsoft security updates for June 2025 address the following CVEs for Windows Server RRAS.

Both RRAS CVEs are Remote Code Execution (RCE) vulnerabilities with max severity ratings of Important.

Remote Access Connection Manager

A security vulnerability in the Windows Remote Access Connection Manager is addressed with the following CVE.

An attacker exploiting this vulnerability could elevate local access privileges.

KDC Proxy

This critical vulnerability affects those organizations still supporting Microsoft DirectAccess in their environments.

This CVE addresses an RCE in the KDC Proxy Service (KPSSVC) that could allow an attacker to execute arbitrary code over the network. DirectAccess administrators are encouraged to apply this update as soon as possible.

Additional Information

Microsoft June 2025 Security Updates

Always On VPN Security Updates May 2025

Once again, it’s the second Tuesday of the month, and Microsoft has published its monthly security updates for May 2025. Once again, this month includes many updates for the Windows Server Routing and Remote Access Service (RRAS) and an update for Active Directory Certificate Services (AD CS).

RRAS Updates

The Microsoft security updates for May 2025 address the following CVEs for Windows Server RRAS.

All the reported vulnerabilities in RRAS this month are information disclosure vulnerabilities, with exploitation unlikely. Most appear to be memory-related (null pointer references, out-of-bounds reads, etc.). None are Remote Code Execution (RCE) vulnerabilities, and none are rated Critical.

AD CS Update

This month’s update release also includes a single CVE addressing a denial of service (DoS) vulnerability in AD CS.

Additional Information

Microsoft May 2025 Security Updates

Always On VPN Security Updates April 2025

Microsoft has published its monthly security updates. Many updates address Routing and Remote Access Service (RRAS) vulnerabilities commonly used in Always On VPN deployments. In addition, an update addresses a vulnerability in Active Directory Certificate Services (AD CS). Always On VPN user and device authentication often rely on AD CS-issued certificates.

RRAS Updates

The April 2025 Microsoft security updates include the following CVEs for Windows Server RRAS.

Only one of these CVEs (26668) is a Remote Code Execution vulnerability. The others are information disclosure vulnerabilities. None of these vulnerabilities are rated Critical; all are rated Important.

AD CS Update

This month’s security update includes the following CVE for AD CS.

Additional Information

Microsoft April 2025 Security Updates