Microsoft has released an out-of-band hotpatch update, KB5084597, to address three critical remote code execution vulnerabilities in the Windows Routing and Remote Access Service (RRAS) management snap-in. The update targets Windows 11 Enterprise devices that are enrolled in the hotpatch program and did not receive the fixes in the standard March 2026 Patch Tuesday cumulative update. The vulnerabilities are tracked as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111, all of which were already fixed for standard Windows 11 devices in the March 10 Patch Tuesday release.
How Attackers Can Exploit These RRAS Vulnerabilities
As detailed in Microsoft's advisory, an authenticated attacker within the domain could exploit these vulnerabilities by deceiving a domain-joined user into sending a request to a malicious server via the RRAS snap-in. A successful attack results in remote code execution on the victim's device. Note that the issue is confined to Enterprise client devices that use hotpatch updates and run the RRAS snap-in for remote server management.
Why a Separate Hotpatch Was Needed
Unlike standard cumulative updates, which require a device reboot before their fixes take effect, hotpatch updates work differently. They apply vulnerability fixes by patching the code of running processes in memory, so the fix takes effect immediately without a restart. The patched files are also written to disk, so the fixes persist across the next scheduled reboot. This approach is particularly valuable for mission-critical devices where unexpected reboots are impractical. Microsoft had previously issued hotfixes for these vulnerabilities but has re-released KB5084597 to ensure complete coverage across all affected scenarios.
Affected Windows 11 Versions and Deployment
The update applies to Windows 11 versions 24H2 and 25H2, as well as Windows 11 Enterprise LTSC 2024. KB5084597 is cumulative and includes all fixes from the March 2026 security update. The hotpatch is available only to devices enrolled in the hotpatch update program and managed through Windows Autopatch; on those devices it installs automatically and does not require a restart. Devices not enrolled in the program received the fix through the standard March 10 Patch Tuesday update.
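For administrators who need to confirm that an enrolled device actually received the out-of-band fix, the following PowerShell script is an added example and is not part of Microsoft's advisory or tooling. It reads the Windows version from the registry, then looks for KB5084597 in the Windows Update history (via the Microsoft.Update.Session COM API) and in Win32_QuickFixEngineering. It assumes it is run in an elevated PowerShell session on the device, that the KB number appears in the update's title in the update history, and that Windows 11 Enterprise LTSC 2024 reports its DisplayVersion as 24H2.

```powershell
# Added example (not from Microsoft's advisory): check whether this Windows 11 device is on an
# affected version and whether KB5084597 is recorded as installed.
# Assumptions: elevated PowerShell on the device; the Windows Update COM API is available;
# the KB number appears in the update title; LTSC 2024 reports DisplayVersion "24H2".

$Kb = 'KB5084597'
$AffectedVersions = @('24H2', '25H2')   # Windows 11 Enterprise LTSC 2024 is assumed to report 24H2

# Version, edition and build come from the CurrentVersion registry key
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$displayVersion = $cv.DisplayVersion
$edition        = $cv.EditionID
$build          = "$($cv.CurrentBuildNumber).$($cv.UBR)"

Write-Host "Edition: $edition  Version: $displayVersion  Build: $build"

if ($AffectedVersions -notcontains $displayVersion) {
    Write-Host "Version $displayVersion is not in the affected list; $Kb does not apply to this device."
    return
}

# Query the full Windows Update history; hotpatch installs are recorded here like other updates
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$history  = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }

# ResultCode 2 = Succeeded, 3 = SucceededWithErrors (OperationResultCode enumeration)
$installed = $history | Where-Object { $_.Title -match $Kb -and $_.ResultCode -in 2, 3 }

# Secondary source: Win32_QuickFixEngineering, which Get-HotFix wraps
$qfe = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue

if ($installed -or $qfe) {
    $when = if ($installed) {
        ($installed | Sort-Object Date -Descending | Select-Object -First 1).Date
    } else {
        $qfe.InstalledOn
    }
    Write-Host "$Kb is installed (recorded $when)."
} else {
    Write-Host "$Kb was not found on this device."
    Write-Host "If the device is enrolled in hotpatch through Windows Autopatch, confirm the out-of-band update was delivered."
    Write-Host "If it is not enrolled, confirm the March 2026 cumulative update is present instead."
}
```

The update-history query is the more reliable of the two checks, since the update history is what Settings shows under Update history; the Get-HotFix lookup is kept as a secondary source because it is the query most fleet-inventory tooling already uses. Devices that are not enrolled in hotpatch will legitimately not show KB5084597 and should be checked for the March 10 cumulative update instead.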