Always On VPN Security Updates April 2025

Microsoft has published its monthly security updates. Many updates address Routing and Remote Access Service (RRAS) vulnerabilities commonly used in Always On VPN deployments. In addition, an update addresses a vulnerability in Active Directory Certificate Services (AD CS). Always On VPN user and device authentication often rely on AD CS-issued certificates.

RRAS Updates

The April 2025 Microsoft security updates include the following CVEs for Windows Server RRAS.

Only one of these CVEs (26668) is a Remote Code Execution vulnerability. The others are information disclosure vulnerabilities. None of these vulnerabilities are rated Critical; all are rated Important.

AD CS Update

This month’s security update includes the following CVE for AD CS.

Additional Information

Microsoft April 2025 Security Updates

Always On VPN Security Updates December 2024

Microsoft released the December 2024 security updates earlier today, and there are a few important items that Windows Always On VPN administrators should take note of. Specifically, the December 2024 security update includes six CVEs affecting the Windows Server Routing and Remote Access Service (RRAS), commonly used for Always On VPN deployments.

RRAS Updates

This month’s updates for Windows Server RRAS cover the following publicly announced CVEs.

Importance

All of the security vulnerabilities outlined above are Remote Code Execution (RCE) and are rated Important. However, they all require local administrative rights for an attacker to leverage, reducing the risk of compromise. However, administrators are encouraged to update their systems as soon as possible.

Additional Information

Microsoft December 2024 Security Updates

November 2024 Microsoft Security Updates and DirectAccess

With the November 2024 security updates, Microsoft disclosed a vulnerability (CVE-2024-43639) in the Windows Server KDC Proxy service. This is a Remote Code Execution (RCE) vulnerability with a max severity rating of Critical. If you still use Microsoft DirectAccess for remote access, you’ll want to pay close attention to this bulletin.

KDC Proxy and DirectAccess

When DirectAccess is installed and configured, the KDC Proxy Service is enabled automatically and by default. By design, DirectAccess servers are exposed to the Internet, which significantly increases the risk of this vulnerability. Organizations that have deployed DirectAccess are encouraged to update their systems immediately.

Workaround

There is no known workaround available at this time. Apply the latest security updates to mitigate this risk.

Additional Information

Windows KDC Proxy Remote Code Execution Vulnerability

Microsoft DirectAccess Formally Deprecated