Patch Tuesday has arrived, and, unlike last month, it’s a busy month for Always On VPN administrators. The June 2025 Microsoft security updates address a whopping 16 (!) vulnerabilities in the Windows Routing and Remote Access Service (RRAS). Notably, DirectAccess administrators are once again impacted by a critical vulnerability in the Windows KDC Proxy Service (KPSSVC) this month.
RRAS
As stated previously, this month’s update addresses 16 unique CVEs in Windows Server RRAS. All are memory-related buffer overflows and out-of-bounds reads, indicating that a security researcher was recently probing for vulnerabilities in RRAS.
- CVE-2025-47998
- CVE-2025-48824
- CVE-2025-49657
- CVE-2025-49663
- CVE-2025-49668
- CVE-2025-49669
- CVE-2025-49670
- CVE-2025-49671
- CVE-2025-49672
- CVE-2025-49673
- CVE-2025-49674
- CVE-2025-49676
- CVE-2025-49681
- CVE-2025-49688
- CVE-2025-49729
- CVE-2025-49753
While all the above CVEs are Remote Code Execution (RCE) and Information Disclosure vulnerabilities, none are rated as Critical; all are rated as Important. This means exploitation is unlikely, but administrators are encouraged to update as soon as possible.
KDC Proxy
This month’s security update includes another Critical RCE in the Windows KDC Proxy Service (KPSSVC).
The KDC Proxy is enabled by default when DirectAccess is configured. By design, this means the service is exposed to the public Internet, posing a significant risk to organizations using DirectAccess for secure remote access. Administrators are urged to update their systems immediately to avoid compromise.
