Always On VPN Security Updates July 2025

Patch Tuesday has arrived, and, unlike last month, it’s a busy month for Always On VPN administrators. The June 2025 Microsoft security updates address a whopping 16 (!) vulnerabilities in the Windows Routing and Remote Access Service (RRAS). Notably, DirectAccess administrators are once again impacted by a critical vulnerability in the Windows KDC Proxy Service (KPSSVC) this month.

RRAS

As stated previously, this month’s update addresses 16 unique CVEs in Windows Server RRAS. All are memory-related buffer overflows and out-of-bounds reads, indicating that a security researcher was recently probing for vulnerabilities in RRAS.

While all the above CVEs are Remote Code Execution (RCE) and Information Disclosure vulnerabilities, none are rated as Critical; all are rated as Important. This means exploitation is unlikely, but administrators are encouraged to update as soon as possible.

KDC Proxy

This month’s security update includes another Critical RCE in the Windows KDC Proxy Service (KPSSVC).

The KDC Proxy is enabled by default when DirectAccess is configured. By design, this means the service is exposed to the public Internet, posing a significant risk to organizations using DirectAccess for secure remote access. Administrators are urged to update their systems immediately to avoid compromise.

Additional Information

Microsoft July 2025 Security Updates

November 2024 Microsoft Security Updates and DirectAccess

With the November 2024 security updates, Microsoft disclosed a vulnerability (CVE-2024-43639) in the Windows Server KDC Proxy service. This is a Remote Code Execution (RCE) vulnerability with a max severity rating of Critical. If you still use Microsoft DirectAccess for remote access, you’ll want to pay close attention to this bulletin.

KDC Proxy and DirectAccess

When DirectAccess is installed and configured, the KDC Proxy Service is enabled automatically and by default. By design, DirectAccess servers are exposed to the Internet, which significantly increases the risk of this vulnerability. Organizations that have deployed DirectAccess are encouraged to update their systems immediately.

Workaround

There is no known workaround available at this time. Apply the latest security updates to mitigate this risk.

Additional Information

Windows KDC Proxy Remote Code Execution Vulnerability

Microsoft DirectAccess Formally Deprecated

DirectAccess Fails on Windows 11 24H2

Microsoft recently released Windows 11 24H2. Not long after the release there have been numerous reports of DirectAccess failing after performing an in-place upgrade from previous versions of Windows 11. New installations of Windows 11 24H2 experience the same problem.

Update 10/28/2024: This issue is resolved with KB5044384.

Testing

After downloading and configuring a Windows 11 24H2 test client I was able to quickly reproduce the issue. While previous versions of Windows 11 can connect to my test DirectAccess server without issue, the Windows 11 24H2 client fails.

Troubleshooting

Looking at the DirectAccess status indicator in the UI the DirectAccess connection remains ‘Connecting’ perpetually. Further investigation indicates an IP-HTTPS interface error. Running the command netsh.exe interface httpstunnel show interface reveals an error code 0x57 (invalid parameter) with the following error message.

Failed to connect to the IPHTTPS server. Waiting to reconnect.

Workaround

Currently there is no known root cause for this issue and there is no available workaround. Administrators should delay upgrading to Windows 11 24H2 if DirectAccess is deployed in the organization. I will continue to investigate and post additional information as I learn more. Stay tuned!

Additional Information

Troubleshooting DirectAccess IP-HTTPS Error Code 0x800b0109

Troubleshooting DirectAccess IP-HTTPS Error Code 0x90320

Troubleshooting DirectAccess IP-HTTPS Error 0x80090326

Troubleshooting DirectAccess IP-HTTPS Error 0x2af9

Microsoft DirectAccess Now Formally Deprecated