Microsoft Releases Emergency Windows 11 Hotpatch to Fix Remote Code Execution Flaw

Microsoft has released an out-of-band hotpatch update, KB5084597, to fix three remote code execution vulnerabilities in the Windows Routing and Remote Access Service (RRAS) management tool. The update targets Windows 11 Enterprise devices enrolled in the hotpatch program, which did not receive fixes through the standard March 2026 Patch Tuesday cumulative update.

The three vulnerabilities are tracked as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111. All three were addressed in the March 10 Patch Tuesday release for standard Windows 11 devices.

How attackers can exploit these RRAS vulnerabilities

According to Microsoft’s advisory, an attacker authenticated on a domain could exploit these vulnerabilities by tricking a domain-joined user into sending a request to a malicious server via the RRAS snap-in. Successful exploitation allows remote code execution on the affected device.

Microsoft says this issue only applies to enterprise client devices running hotpatch updates and used for remote server management.

Why was a separate hotpatch needed?

Standard cumulative updates require a device reboot to apply the fixes. Hotpatch updates work differently: They apply vulnerability fixes through in-memory patching of running processes, allowing the fix to take effect immediately without a restart. Patched files are also written to disk so that fixes persist after the next scheduled reboot.

This approach is designed for mission-critical devices where unplanned reboots are not practical. Microsoft notes that it previously released hotfixes for these same vulnerabilities but re-released them in KB5084597 to ensure coverage across all affected scenarios.

Affected Windows 11 versions and deployments

The update applies to Windows 11 versions 24H2 and 25H2, as well as Windows 11 Enterprise LTSC 2024. KB5084597 is cumulative and includes all fixes from the March 2026 security update.

The hotpatch will be offered only for devices enrolled in the Hotpatch Update program and will be managed through Windows Autopatch. On enrolled devices, installation is automatic and does not require a restart. Devices not enrolled in the program received the fix through the standard March 10 Patch Tuesday update.

Source: Ghacks