Microsoft has released an out-of-band hotpatch update, KB5084597, to fix three remote code execution vulnerabilities in the Windows Routing and Remote Access Service (RRAS) management tool. The update targets Windows 11 Enterprise devices enrolled in the hotpatch program that did not receive the fixes through the standard March 2026 Patch Tuesday cumulative update.
The three vulnerabilities are tracked as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111. All three were addressed in the March 10 Patch Tuesday release for standard Windows 11 devices.
How Attackers Can Exploit These RRAS Vulnerabilities
According to Microsoft’s advisory, an attacker authenticated on the domain could exploit these flaws by tricking a domain-joined user into sending a request to a malicious server through the RRAS snap-in. Successful exploitation allows remote code execution on the affected device.
Microsoft states the issue applies only to Enterprise client devices running hotpatch updates and used for remote server management.
Why a Separate Hotpatch Was Needed
Standard cumulative updates require a device reboot to apply fixes. Hotpatch updates work differently: they apply vulnerability fixes through in-memory patching of running processes, allowing the fix to take effect immediately without a restart. The patched files are also written to disk so the fixes persist after the next scheduled reboot.
This approach is designed for mission-critical devices where unplanned reboots are not practical. Microsoft notes it had previously released hotfixes for these same vulnerabilities but re-released KB5084597 to ensure coverage across all affected scenarios.
Affected Windows 11 Versions and Deployment
The update applies to Windows 11 versions 24H2 and 25H2, as well as Windows 11 Enterprise LTSC 2024. KB5084597 is cumulative and includes all fixes from the March 2026 security update.
The hotpatch will only be offered to devices enrolled in the hotpatch update program and managed through Windows Autopatch. On enrolled devices, installation is automatic and does not require a restart. Devices not enrolled in the program received the fix through the standard March 10 Patch Tuesday update.
