Microsoft Issues Urgent Hotpatch for Critical Windows 11 RRAS Vulnerabilities

Microsoft has recently issued an out-of-band hotpatch update, KB5084597, to address critical security vulnerabilities in Windows 11 versions 24H2 and 25H2. This update, released on March 13, 2026, targets OS Builds 26200.7982 and 26100.7982, specifically patching three significant flaws within the Windows Routing and Remote Access Service (RRAS) management tool. Notably, this hotpatch applies the fixes without necessitating a system restart, ensuring minimal disruption for users.

Understanding the RRAS Vulnerabilities

The RRAS component in Windows 11 is integral for managing remote connectivity and VPN functionalities, particularly in enterprise settings. The vulnerabilities addressed in this update are:

– CVE-2026-25172: This flaw allows a malicious remote server to disrupt RRAS operations or execute arbitrary code on a connected device.

– CVE-2026-25173: Similar to the previous vulnerability, this issue enables remote code execution or denial-of-service conditions when a victim connects to an attacker-controlled server.

– CVE-2026-26111: An additional security issue within RRAS that, under certain conditions, could permit code execution.

In each case, an attacker could set up a rogue server and wait for a user or administrator utilizing the RRAS management tool to connect. Upon connection, the attacker could disrupt the tool’s functionality or execute malicious code on the victim’s machine. This scenario is particularly concerning in enterprise environments where remote access management is routine.

The Advantage of Hotpatching

Unlike standard monthly security updates, hotpatches are designed to apply critical fixes to running processes in memory without interrupting workflows. Devices enabled for hotpatching receive and install the update silently, with no restart required for it to take effect. This approach significantly reduces downtime, especially valuable for enterprise deployments managing large fleets of machines.

It’s important to note that this hotpatch is only available for hotpatch-enabled devices. Devices receiving standard Windows updates are not offered this specific package. Microsoft also bundles the latest Servicing Stack Update (SSU) — KB5083532, version 26100.8035 — alongside the hotpatch to ensure the update infrastructure itself remains current.

Applicability and Deployment

This update applies to:

– Windows 11, version 25H2 (OS Build 26200.7982)

– Windows 11, version 24H2 (OS Build 26100.7982)

Both x64 and Arm64 architectures are covered. For hotpatch-enabled devices, the update is downloaded and installed automatically through Windows Update, with no manual intervention required. Administrators can also access the package through the Microsoft Update Catalog or Windows Server Update Services (WSUS) for managed environments.

Microsoft reports no known issues with this update at the time of publication, and devices that have already applied previous updates will only download the new changes included in this package.

Recommendations for Users and Administrators

Security teams should verify that hotpatch functionality is enabled across eligible endpoints. For organizations that rely heavily on RRAS for remote access management, confirming the installation of updates should be a priority, given the potential for remote code execution these vulnerabilities pose.
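A verification check of the kind this recommendation calls for, as an added example that is not part of the article or of Microsoft's own tooling. It assumes that the UBR registry value tracks the installed hotpatch revision, that Get-HotFix may or may not list a hotpatch package, and that the RemoteAccess service state is only a prioritization hint (the flaws are in the management tool, which does not require that service to be running).

```powershell
# Added example (not from the article): reports whether a Windows 11 24H2/25H2 host
# is at or above the build revision that KB5084597 ships (26100.7982 / 26200.7982).
# Assumption: the UBR value under CurrentVersion reflects the installed hotpatch revision.

# OS build -> minimum Update Build Revision (UBR), taken from the article's build numbers
$FixedRevision = @{ '26100' = 7982; '26200' = 7982 }

function Test-Kb5084597 {
    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$ver.CurrentBuild
    $ubr   = [int]$ver.UBR

    $result = [ordered]@{
        Computer         = $env:COMPUTERNAME
        Build            = "$build.$ubr"
        InScope          = $FixedRevision.ContainsKey($build)   # only 24H2/25H2 are affected
        AtFixedLevel     = $false
        KbListed         = $false
        RrasServiceState = 'absent'
    }

    if ($result.InScope) {
        # A revision at or above the hotpatch's UBR means the fix (or a later one) is present
        $result.AtFixedLevel = ($ubr -ge $FixedRevision[$build])
    }

    # Get-HotFix reads Win32_QuickFixEngineering; hotpatch packages may not be listed there,
    # so treat $false here as "unknown" rather than "missing" (assumption).
    $result.KbListed = [bool](Get-HotFix -Id 'KB5084597' -ErrorAction SilentlyContinue)

    # Prioritization hint only: hosts where RRAS is present are likelier to use the management tool
    $svc = Get-Service -Name 'RemoteAccess' -ErrorAction SilentlyContinue
    if ($svc) { $result.RrasServiceState = [string]$svc.Status }

    [pscustomobject]$result
}

Test-Kb5084597 | Format-List
```

For fleet-wide use, run the function through Invoke-Command against a list of hosts and filter on InScope and AtFixedLevel; a host that is in scope but not at the fixed level is one to check for hotpatch enrollment.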

Conclusion

Microsoft’s proactive release of this out-of-band hotpatch underscores the company’s commitment to maintaining the security and stability of its operating systems. By addressing these critical RRAS vulnerabilities promptly and efficiently, Microsoft helps ensure that Windows 11 users can continue to rely on their systems for secure and uninterrupted remote access services.