Microsoft has released an out-of-band (OOB) hotpatch for Windows 11, addressing critical security vulnerabilities within the Routing and Remote Access Service (RRAS). The update, designated KB5084597, aims to mitigate potential remote code execution (RCE) risks affecting enterprise devices utilizing hotpatch updates. This emergency fix comes shortly after the March 2026 Patch Tuesday updates, but offers a reboot-free solution for systems where downtime is limited.
The vulnerabilities, identified as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111, specifically target the RRAS management tool. According to Microsoft’s advisory, a successful exploit could allow an attacker to execute code on a vulnerable system when connecting to a malicious server. The issue is limited to specific scenarios involving Windows 11 Enterprise client devices running hotpatch updates and used for remote server management, narrowing the scope of immediate concern.
Understanding the RRAS Vulnerability
The RRAS service, while primarily a feature of Windows Server operating systems, is utilized in some Windows 11 environments for managing network connections and remote access. Microsoft documentation clarifies that full RRAS capabilities require a Windows Server OS, but basic routing and VPN functionalities can be configured on client versions. The identified vulnerabilities stem from flaws in how the RRAS snap-in handles requests, potentially allowing a malicious server to inject and execute code.
Microsoft explains that an attacker who is already authenticated on the domain could exploit this vulnerability by tricking a domain-joined user into sending a request to a malicious server via the RRAS snap-in. This highlights the importance of robust domain security practices and user awareness training. The hotpatch update is designed to prevent this type of attack without requiring a system reboot, a significant advantage for mission-critical systems.
Hotpatch vs. Traditional Updates
The release of an OOB hotpatch underscores Microsoft’s commitment to rapid security response. Traditional cumulative updates, delivered on Patch Tuesday (the second Tuesday of each month), require a system reboot to fully implement the fixes. But, some organizations operate systems that cannot tolerate downtime, even for brief periods. Hotpatches, like KB5084597, provide a way to address critical vulnerabilities without interrupting service. BleepingComputer reports that this hotpatch includes all fixes and improvements from the March 2026 Windows security update released on March 10.
The KB5084597 update applies to Windows 11 versions 25H2 and 24H2, as well as Windows 11 Enterprise LTSC 2024 systems. Guru3D notes that the hotpatch adds no-restart coverage for the three disclosed remote code execution flaws.
What to Do Now
Organizations utilizing Windows 11 Enterprise with hotpatch updates should prioritize the installation of KB5084597. While the vulnerabilities were initially addressed in the March 2026 Patch Tuesday updates, the hotpatch offers a convenient and less disruptive solution. Evrimagaci.org emphasizes the urgency of applying this patch, particularly for environments relying on RRAS for remote server management.
Beyond applying the patch, organizations should reinforce security best practices, including strong password policies, multi-factor authentication, and ongoing user awareness training. Regularly reviewing and updating network security configurations can further reduce the risk of exploitation.
As Microsoft continues to refine its security response mechanisms, the use of hotpatches demonstrates a proactive approach to protecting Windows 11 users. The company will likely continue to leverage this method for addressing critical vulnerabilities that require immediate attention. Stay informed about future security updates and proactively implement them to maintain a secure computing environment.
What are your thoughts on Microsoft’s hotpatching strategy? Share your insights and experiences in the comments below.
