Always On VPN Security Updates May 2025

Once again, it’s the second Tuesday of the month, and Microsoft has published its monthly security updates for May 2025. This month’s release again includes many updates for the Windows Server Routing and Remote Access Service (RRAS) and an update for Active Directory Certificate Services (AD CS).

RRAS Updates

The Microsoft security updates for May 2025 address the following CVEs for Windows Server RRAS.

All the reported vulnerabilities in RRAS this month are information disclosure vulnerabilities, with exploitation unlikely. Most appear to be memory-related (null pointer dereferences, out-of-bounds reads, etc.). None are Remote Code Execution (RCE) vulnerabilities, and none are rated Critical.

AD CS Update

This month’s update release also includes a single CVE addressing a denial of service (DoS) vulnerability in AD CS.

Additional Information

Microsoft May 2025 Security Updates

Always On VPN Security Updates April 2025

Microsoft has published its monthly security updates. Many updates address vulnerabilities in the Routing and Remote Access Service (RRAS), which is commonly used in Always On VPN deployments. In addition, an update addresses a vulnerability in Active Directory Certificate Services (AD CS). Always On VPN user and device authentication often relies on AD CS-issued certificates.

RRAS Updates

The April 2025 Microsoft security updates include the following CVEs for Windows Server RRAS.

Only one of these CVEs (26668) is a Remote Code Execution vulnerability. The others are information disclosure vulnerabilities. None of these vulnerabilities are rated Critical; all are rated Important.

AD CS Update

This month’s security update includes the following CVE for AD CS.

Additional Information

Microsoft April 2025 Security Updates

Always On VPN Security Updates December 2024

Microsoft released the December 2024 security updates earlier today, and there are a few important items that Windows Always On VPN administrators should take note of. Specifically, the December 2024 security update includes six CVEs affecting the Windows Server Routing and Remote Access Service (RRAS), commonly used for Always On VPN deployments.

RRAS Updates

This month’s updates for Windows Server RRAS cover the following publicly announced CVEs.

Importance

All of the security vulnerabilities outlined above are Remote Code Execution (RCE) vulnerabilities and are rated Important. However, they all require local administrative rights for an attacker to leverage, reducing the risk of compromise. Administrators are still encouraged to update their systems as soon as possible.

Additional Information

Microsoft December 2024 Security Updates