Microsoft has published its monthly security updates. Many of the updates address vulnerabilities in the Routing and Remote Access Service (RRAS), which is commonly used in Always On VPN deployments. In addition, an update addresses a vulnerability in Active Directory Certificate Services (AD CS). Always On VPN user and device authentication often relies on AD CS-issued certificates.
RRAS Updates
The April 2025 Microsoft security updates include the following CVEs for Windows Server RRAS.
- CVE-2025-21203
- CVE-2025-26664
- CVE-2025-26667
- CVE-2025-26668 (RCE)
- CVE-2025-26669
- CVE-2025-26672
- CVE-2025-26676
- CVE-2025-27474
Only one of these CVEs (CVE-2025-26668) is a Remote Code Execution (RCE) vulnerability. The others are information disclosure vulnerabilities. None of these vulnerabilities are rated Critical; all are rated Important.
AD CS Update
This month’s security update includes the following CVE for AD CS.
- CVE-2025-27740 – AD CS Elevation of Privilege Vulnerability