Microsoft issued an out-of-band hotpatch on March 13, 2026, to address a set of serious vulnerabilities in the Windows Routing and Remote Access Service (RRAS) management tool that affect Windows 11. The update, tracked as KB5084597 and aimed at OS builds 26200.7982 (25H2) and 26100.7982 (24H2), patches three CVEs that can allow a remote attacker to disrupt RRAS or execute code on a connected device. The fix is delivered as a hotpatch—applying to processes in memory without requiring a restart—but only for hotpatch-enabled systems.
Why this matters
RRAS is a long-standing Windows component used to manage VPNs and remote connectivity for both enterprise and some advanced consumer setups. The vulnerabilities are particularly concerning because the attack vector requires little more than a connection to an attacker-controlled server: when a user or administrator running the RRAS management tool connects, malformed or malicious responses from that server can cause denial-of-service conditions or, worse, remote code execution on the client. In environments where administrators routinely manage remote access, this raises the stakes considerably.
The vulnerabilities (facts)
- Tracked CVEs: CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111.
- Impact: Remote code execution and/or denial-of-service when the RRAS management tool connects to a malicious remote server.
- Affected builds: Windows 11 version 25H2 (OS Build 26200.7982) and version 24H2 (OS Build 26100.7982).
- Architectures: Both x64 and Arm64 are covered.
- Update identifier: KB5084597 (hotpatch). Microsoft bundled Servicing Stack Update KB5083532 (version 26100.8035) alongside the hotpatch to ensure update infrastructure readiness.
- Availability: The hotpatch is available only to devices that have hotpatching enabled; devices on the standard update channel will not receive this package.
How the attack works (concise)
An attacker sets up a rogue server that pretends to offer legitimate RRAS-related responses. If an administrator or user running the RRAS management tool connects to that server—intentionally or accidentally—the malicious server can send crafted data that triggers the vulnerabilities. Depending on the flaw exploited and environment specifics, the result can range from disrupting the RRAS tool to executing arbitrary code on the connected machine.
Why hotpatching is used here
Hotpatches allow Microsoft to apply critical fixes to running components without restarting the machine, minimizing operational disruption in enterprise settings where uptime is paramount. For organizations with hotpatch-enabled endpoints, the patch is downloaded and applied silently through Windows Update, taking effect without a reboot. However, hotpatching is not universally available, so administrators must verify whether their systems are configured to receive these updates.
Who should act and how
- Hotpatch-enabled devices: The update will be delivered automatically via Windows Update. Administrators can also obtain the hotpatch from the Microsoft Update Catalog or distribute it via WSUS for managed environments.
- Non-hotpatch devices: These systems will not receive this hotpatch package. Administrators should follow Microsoft advisories for applicable guidance and monitor for any subsequent standard updates that include the fixes.
- Security teams: Verify which endpoints are hotpatch-enabled, confirm installation on RRAS-dependent systems, and prioritize assets that perform remote access management or handle large numbers of remote clients.
- General users: If you do not use RRAS or advanced remote access tools, the immediate operational risk remains lower, but staying current with updates is still best practice.
Operational recommendations
- Confirm hotpatch capability: Check whether endpoints are configured to accept hotpatches and verify that Windows Update or your management tools show KB5084597 applied where appropriate.
- Inventory RRAS usage: Identify systems and administrators that use RRAS management tools, and prioritize confirming their update status.
- Use managed update channels: For enterprise environments, distribute the hotpatch through WSUS or your patch-management system to ensure consistent deployment and reporting.
- Monitor vendor advisories: Microsoft reported no known issues with this hotpatch at time of release, but keep an eye on follow-up advisories in case compatibility or stability notes emerge.
- Harden exposure: Where feasible, avoid connecting RRAS management tools to untrusted servers and enforce network controls to limit connections to known, vetted endpoints.
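The first two recommendations can be checked on an endpoint with a short PowerShell script. This is an added example, not Microsoft's tooling or part of the original advisory: the KB identifier and build numbers come from this article, while the function name, the use of `Get-HotFix` to list a hotpatch, the `RemoteAccess` service lookup as a rough RRAS-usage signal, and treating a build revision at or above the listed one as evidence of the fix are assumptions.

```powershell
# Added example: local status check for the RRAS hotpatch described above.
# KB id and OS builds are taken from the article; everything else is an assumption.
$KbId            = 'KB5084597'
$PatchedRevision = @{ 26200 = 7982; 26100 = 7982 }   # 25H2 / 24H2 builds named in the article

function Get-RrasHotpatchStatus {   # hypothetical helper name
    # CurrentBuild + UBR together form the "OS Build" string (for example 26100.7982).
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR

    $inScope = $PatchedRevision.ContainsKey($build)
    $buildOk = $inScope -and ($ubr -ge $PatchedRevision[$build])

    # Assumption: the hotpatch is listed by Get-HotFix on this system.
    # A missing entry is not proof of absence, so the build check is reported too.
    $kb = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    # Rough inventory signal only: the article concerns the RRAS management tool,
    # which can be used on hosts where this service is not running.
    $svc = Get-Service -Name 'RemoteAccess' -ErrorAction SilentlyContinue

    $verdict = if (-not $inScope)       { 'build not listed in advisory' }
               elseif ($kb -or $buildOk) { 'evidence of fix present' }
               else                      { 'verify: no evidence of fix' }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        OsBuild        = "$build.$ubr"
        InScope        = $inScope
        BuildAtOrAbove = $buildOk
        KbListed       = [bool]$kb
        RrasService    = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'absent' }
        Verdict        = $verdict
    }
}

Get-RrasHotpatchStatus | Format-List
```

Whether a device is enrolled for hotpatching is not determined by this script; confirm that in your update-management tooling.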
Conclusion
The March 13 hotpatch (KB5084597) addresses three critical RRAS vulnerabilities that can enable remote code execution or service disruption when an RRAS management tool connects to a malicious server. The use of a hotpatch minimizes downtime for hotpatch-enabled devices, but administrators must confirm applicability and deployment status, and continue monitoring for additional guidance. Prioritizing updates on systems that manage remote access is an immediate and practical step to reduce exposure.