
On March 13, 2026, Microsoft launched an out-of-band hotpatch update that addresses significant security flaws in Windows 11 versions 24H2 and 25H2.

Identified as KB5084597 and targeting OS Builds 26200.7982 and 26100.7982, this update fixes three pressing issues in the Windows Routing and Remote Access Service (RRAS) management tool. Importantly, it does so without requiring a device restart.

Remediation for RRAS RCE Vulnerabilities

The hotpatch primarily targets a set of three vulnerabilities within the Windows RRAS component, a service that oversees remote connectivity and VPN capabilities in both corporate and consumer settings.

The three CVEs that are being addressed include:

  • CVE-2026-25172 — A flaw in the RRAS management tool that lets a hostile remote server disrupt service operations or execute arbitrary code on an associated device
  • CVE-2026-25173 — A related RRAS vulnerability with comparable attack pathways, allowing remote code execution or denial-of-service conditions when a victim connects to a server controlled by an attacker
  • CVE-2026-26111 — An additional RRAS security concern that heightens the risk associated with the aforementioned flaws, potentially facilitating code execution under certain circumstances

The common exploit scenario for all three CVEs has an attacker set up a rogue server and wait for a user or administrator to connect to it with the RRAS management tool.

Upon connection, the attacker can impair the tool’s operations or, more alarmingly, run harmful code directly on the victim’s device. This type of attack carries heightened risks in enterprise settings, where remote access management is commonplace.



In contrast to regular monthly security updates, hotpatches are crafted to implement crucial fixes to running processes in memory without causing disruptions to workflows.

Devices equipped for hotpatching receive and install the update quietly, with no restart required for it to become effective. This methodology significantly minimizes downtime, proving especially beneficial for enterprises managing extensive fleets of devices.

It should be emphasized that this hotpatch is exclusively accessible for hotpatch-enabled devices. Systems receiving standard Windows updates will not be provided with this particular package.

Microsoft also bundles the latest Servicing Stack Update (SSU), KB5083532, version 26100.8035, with the hotpatch to keep the update infrastructure current.

Versions Affected

This update pertains to:

  • Windows 11, version 25H2 (OS Build 26200.7982)
  • Windows 11, version 24H2 (OS Build 26100.7982)
  • Both x64 and Arm64 architectures are included

For devices configured for hotpatching, the update is automatically downloaded and installed through Windows Update, with no manual action required. Administrators can also acquire the package via the Microsoft Update Catalog or Windows Server Update Services (WSUS) for managed environments.

Microsoft indicates there are no known issues associated with this update at the time of publication, and devices that have installed earlier updates will download only the new changes contained in this package.

Security teams should ensure that hotpatch capabilities are enabled on all eligible endpoints. For organizations that significantly depend on RRAS for remote access management, confirming the installation of updates should be a top priority, considering the potential for remote code execution posed by these vulnerabilities.
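One way to confirm installation across a fleet is to triage an inventory export against the fixed builds named above. This is an added example, not Microsoft's tooling: the CSV layout, column names, hostnames and sample revisions are constructed, and it assumes the inventory reports the OS build as `base.revision` and that an installed hotpatch is reflected in that revision.

```python
import csv
import io

# Fixed OS builds named in the article: base build -> minimum revision.
FIXED_REVISION = {26100: 7982, 26200: 7982}

# Constructed sample inventory; hostnames, columns and revisions are made up.
SAMPLE_INVENTORY = """hostname,os_build,hotpatch_enabled
vpn-admin-01,26100.7982,true
vpn-admin-02,26100.7824,true
hr-laptop-17,26200.7840,false
kiosk-03,22631.5039,false
lab-arm-02,26200.8001,true
broken-row,unknown,true
"""


def classify(os_build: str, hotpatch_enabled: bool) -> str:
    """Return the KB5084597 triage status for one device."""
    try:
        base, revision = (int(part) for part in os_build.strip().split("."))
    except ValueError:
        return "unparseable"  # wrong shape or non-numeric: review by hand
    if base not in FIXED_REVISION:
        return "out_of_scope"  # not Windows 11 24H2 or 25H2
    if not hotpatch_enabled:
        # The article says this package is not offered on the standard channel.
        return "not_hotpatch_enabled"
    if revision >= FIXED_REVISION[base]:
        return "patched"
    return "missing_hotpatch"


def triage(inventory_csv: str) -> dict[str, list[str]]:
    """Group hostnames from a CSV inventory by triage status."""
    report: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        enabled = row["hotpatch_enabled"].strip().lower() == "true"
        status = classify(row["os_build"], enabled)
        report.setdefault(status, []).append(row["hostname"])
    return report


if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as `missing_hotpatch` are the ones to chase first; `not_hotpatch_enabled` hosts need to be tracked separately, since this package is not delivered to them.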
