Microsoft has issued an out‑of‑band hotpatch update addressing multiple remote code execution (RCE) vulnerabilities impacting Windows 11 versions 24H2 and 25H2. The update, released on March 13, 2026, is tracked as KB5084597 and applies specifically to OS Builds 26200.7982 and 26100.7982. Crucially, this hotpatch installs without requiring a system reboot, reducing operational disruption for enterprises.
Fix for Critical RRAS RCE Vulnerabilities
The update targets three high‑risk vulnerabilities within the Windows Routing and Remote Access Service (RRAS)—a core component used for VPN connections and remote network management. The patched CVEs include:
- CVE‑2026‑25172 — A flaw in the RRAS management tool enabling an attacker controlling a rogue server to disrupt service functionality or execute arbitrary code on a victim system.
- CVE‑2026‑25173 — A related RRAS weakness allowing RCE or denial‑of‑service when a user connects to an attacker‑controlled RRAS server.
- CVE‑2026‑26111 — Another RRAS issue compounding the impact of the above vulnerabilities, potentially enabling remote code execution in specific conditions.
How the Attack Works
All three vulnerabilities rely on a similar scenario:
An attacker sets up a malicious RRAS server, waits for an administrator or user running the RRAS management tool to connect, and then triggers service disruption or executes code directly on the target device.
Because RRAS is commonly used in enterprise remote‑access workflows, this attack vector poses significant risk for organizations that rely on VPN or remote management operations.
Hotpatching: No Reboot Required
While traditional Patch Tuesday updates typically require reboots, this release is a hotpatch, meaning:
- The fix is injected into running processes in memory
- No restart is required for the patch to apply
- Updates install silently for devices configured for hotpatching
This minimizes downtime, making the update particularly valuable for large‑scale or uptime‑critical environments.
Microsoft also bundled the latest Servicing Stack Update (SSU) — KB5083532, version 26100.8035 — ensuring the reliability of future update installations.
Affected Versions
The hotpatch applies to:
- Windows 11, version 25H2 (OS Build 26200.7982)
- Windows 11, version 24H2 (OS Build 26100.7982)
- Supported on both x64 and Arm64 architectures
Devices with hotpatching enabled will receive the update automatically via Windows Update.
Administrators in managed environments can pull the package from the Microsoft Update Catalog or WSUS.
Microsoft reports no known issues with this out‑of‑band update at the time of publication, and systems that have applied earlier updates will only download the incremental components.
Security Recommendations for Organizations
Given the nature of the vulnerabilities—particularly the ability to execute malicious code during routine remote‑access operations—security teams should prioritize:
1. Verifying Hotpatch Enablement
Ensure eligible Windows 11 endpoints have hotpatching enabled so the update is applied automatically.
2. Auditing RRAS Usage
Organizations heavily dependent on RRAS for VPN access should confirm patch deployment immediately.
3. Monitoring for Rogue Servers
Implement strict controls to detect unauthorized RRAS servers within corporate environments.
4. Reviewing Administrative Tools
Because the attack exploits trusted management workflows, privilege usage and administrative tool access should be closely monitored.
Failure to deploy this update leaves organizations vulnerable to RCE attacks triggered by simple service connections, making this one of the more critical Windows 11 security fixes of early 2026.
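The first two recommendations can be checked per endpoint. The script below is an added example, not from Microsoft or the original article: it compares the local OS build against the builds the article names and reports whether RRAS components are present. It assumes that a revision (UBR) of 7982 or higher on build 26100 or 26200 means the fix is installed; the function name `Get-RrasPatchStatus` is hypothetical.

```powershell
# Added example (not Microsoft's code): report patch level and RRAS exposure.
# Assumption: UBR >= 7982 on build 26100/26200 means KB5084597 or a later
# cumulative fix is applied. Confirm against your own update inventory.
$FixedUbr   = 7982                  # from the article: 26100.7982 / 26200.7982
$Builds     = @('26100', '26200')   # Windows 11 24H2 / 25H2
$HotpatchKb = 'KB5084597'

function Get-RrasPatchStatus {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR

    # Secondary signal only: Get-HotFix does not list every package type.
    $kb = Get-HotFix -Id $HotpatchKb -ErrorAction SilentlyContinue

    # RemoteAccess is the service name of Routing and Remote Access.
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue

    # RRAS management tools ship as an RSAT capability; the query needs elevation.
    $rsat = try {
        Get-WindowsCapability -Online -Name 'Rsat.RemoteAccess.Management.Tools*' `
            -ErrorAction Stop | Where-Object State -eq 'Installed'
    } catch { $null }

    $inScope = $Builds -contains $build
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OsBuild       = "$build.$ubr"
        InScope       = $inScope
        AtOrAboveFix  = $inScope -and ($ubr -ge $FixedUbr)
        KbListed      = [bool]$kb
        RrasService   = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'NotPresent' }
        RrasMgmtTools = [bool]$rsat
    }
}

$status = Get-RrasPatchStatus
$status | Format-List

# Flag hosts that are in scope, below the fixed build, and have RRAS tooling.
$hasRras = $status.RrasMgmtTools -or ($status.RrasService -ne 'NotPresent')
if ($status.InScope -and -not $status.AtOrAboveFix -and $hasRras) {
    Write-Warning "$($status.ComputerName) is below build revision $FixedUbr and has RRAS components installed."
}
```

Run it from an elevated session so the capability query succeeds; without elevation `RrasMgmtTools` reports `False` regardless of what is installed.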