Are there any known vulnerabilities in PPTP VPNs when configured properly?

Yes. The protocol itself is no longer secure, as cracking the initial MS-CHAPv2 authentication can be reduced to the difficulty of cracking a single DES 56-bit key, which with current computers can be brute-forced in a very short time (making a strong password largely irrelevant to the security of PPTP as the entire 56-bit keyspace can be searched within practical time constraints).

The attacker can do a MITM to capture the handshake (and any PPTP traffic after that), do an offline crack of the handshake and derive the RC4 key. Then, the attacker will be able to decrypt and analyse the traffic carried in the PPTP VPN. PPTP does not provide forward secrecy, so just cracking one PPTP session is sufficient to crack all previous PPTP sessions using the same credentials.

Additionally, PPTP provides weak protection to the integrity of the data being tunneled. The RC4 cipher, while providing encryption, does not verify the integrity of the data as it is not an Authenticated Encryption with Associated Data (AEAD) cipher. PPTP also doesn't do additional integrity checks on its traffic (such as HMAC), and is hence vulnerable to bit-flipping attacks, ie. the attacker can modify PPTP packets with little possibility of detection. Various discovered attacks on the RC4 cipher (such as the Royal Holloway attack) make RC4 a bad choice for securing large amounts of transmitted data, and VPNs are a prime candidate for such attacks as they by nature usually transmit sensitive and large amounts of data.

If you want to, you can actually try cracking a PPTP session yourself. For a Wi-Fi user, it involves ARP poisoning your target such that the target sends the MSCHAPv2 handshake through you (which you can capture with Wireshark or any other packet capture tool). You can then crack the handshake with tools like Chap2Asleap, or if you have a few hundred dollars to spare submit the captured handshake to online cracking services. The recovered username, hash, password and encryption keys can then be used to impersonate logins to the VPN as that user, or to retroactively decrypt the target's traffic. Obviously, please do not do this without proper authorisation and outside a controlled environment.

In short, please avoid using PPTP where possible.

For more information, see http://www.computerworld.com/s/article/9229757/Tools_released_at_Defcon_can_crack_widely_used_PPTP_encryption_in_under_a_day and How can I tell if a PPTP tunnel is secure?.

Issues discovered with RC4 (resulting in real world security issues in protocols like TLS) can be found in http://www.isg.rhul.ac.uk/tls/RC4mustdie.html and https://www.rc4nomore.com/

For the cracking portion, refer to https://www.rastating.com/cracking-pptp-ms-chapv2-with-chapcrack-cloudcracker/ and https://samsclass.info/124/proj14/p10-pptp.htm.