Microsoft released an out-of-band hotpatch update on March 13, 2026, addressing serious security vulnerabilities in Windows 11 versions 24H2 and 25H2.
Tracked as KB5084597 and targeting OS Builds 26200.7982 and 26100.7982, this update patches three concerning flaws in the Windows Routing and Remote Access Service (RRAS) management tool and, notably, does so without requiring a device restart.
Fix for RRAS RCE Vulnerabilities
The core focus of this hotpatch is a trio of vulnerabilities in the Windows RRAS component, a service that manages remote connectivity and VPN functionality in enterprise and consumer environments.
The three CVEs addressed are:
- CVE-2026-25172 — A security flaw in the RRAS management tool that allows a malicious remote server to disrupt service operations or execute arbitrary code on a connected device
- CVE-2026-25173 — A related RRAS vulnerability with similar attack vectors, enabling remote code execution or denial-of-service conditions when a victim connects to an attacker-controlled server
- CVE-2026-26111 — An additional RRAS security issue that compounds the risk of the above flaws, potentially allowing code execution under the right conditions
The common attack scenario across all three CVEs involves an attacker setting up a rogue server and waiting for a user or administrator running the RRAS management tool to initiate a connection.
Once connected, the attacker can disrupt the tool’s functionality or, more critically, execute malicious code directly on the victim’s machine. This type of attack is particularly dangerous in enterprise environments where remote access management is routine.
Unlike standard monthly security updates, hotpatches are designed to apply critical fixes to running processes in memory without interrupting workflows.
Devices enabled for hotpatching receive and install the update silently, with no restart required for it to take effect. This approach significantly reduces downtime, which is especially valuable for enterprise deployments managing large fleets of machines.
It is important to note that this hotpatch is only available for hotpatch-enabled devices. Devices receiving standard Windows updates are not offered this specific package.
Microsoft also bundles the latest Servicing Stack Update (SSU) — KB5083532, version 26100.8035 — alongside the hotpatch to ensure the update infrastructure itself remains current.
Affected Versions
This update applies to:
- Windows 11, version 25H2 (OS Build 26200.7982)
- Windows 11, version 24H2 (OS Build 26100.7982)
- Both x64 and Arm64 architectures are covered
For hotpatch-enabled devices, the update is downloaded and installed automatically through Windows Update, with no manual intervention required. Administrators can also access the package through the Microsoft Update Catalog or Windows Server Update Services (WSUS) for managed environments.
Microsoft reports no known issues with this update at the time of publication, and devices that have already applied previous updates will only download the new changes included in this package.
Security teams should verify that hotpatch functionality is enabled across eligible endpoints. For organizations that rely heavily on RRAS for remote access management, confirming the installation of updates should be a priority, given the potential for remote code execution these vulnerabilities pose.
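One way to confirm installation on an endpoint or across an inventory export, as an added example that is not Microsoft's tooling or part of the original article. The KB id and build numbers are the ones quoted above; the function names, the sample inventory rows, and the assumption that the hotpatch is listed by `Get-HotFix` are illustrative.

```powershell
# Added example. KB id and builds come from the article; names are hypothetical.
$PatchedUbr = @{ 26100 = 7982; 26200 = 7982 }   # 24H2 / 25H2 hotpatch builds
$KbId       = 'KB5084597'

function Test-HotpatchBuild {
    # Pure comparison, so it works on live hosts and on inventory data alike.
    param([Parameter(Mandatory)][string]$OsBuild)   # e.g. "26100.7982"
    if ($OsBuild -notmatch '^(\d+)\.(\d+)$') { return 'Unparseable' }
    $build = [int]$Matches[1]
    $ubr   = [int]$Matches[2]
    if (-not $PatchedUbr.ContainsKey($build)) { return 'NotInScope' }
    if ($ubr -ge $PatchedUbr[$build]) { return 'AtOrAboveHotpatchBuild' }
    return 'BelowHotpatchBuild'
}

function Get-LocalHotpatchState {
    # CurrentBuild and UBR together form the "OS Build" string shown by winver.
    $cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $osBuild = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
    # Assumption: the hotpatch appears in Get-HotFix output. Treat the build
    # comparison as the primary signal and this lookup as corroboration.
    $kb = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        OsBuild    = $osBuild
        BuildState = Test-HotpatchBuild -OsBuild $osBuild
        KbListed   = [bool]$kb
    }
}

# Constructed sample inventory (hostname,OS build); not real data.
$sampleInventory = 'PC-A,26100.7982', 'PC-B,26200.7840', 'PC-C,22631.4890'
foreach ($row in $sampleInventory) {
    $name, $build = $row -split ','
    [pscustomobject]@{
        Computer   = $name
        OsBuild    = $build
        BuildState = Test-HotpatchBuild -OsBuild $build
    }
}

Get-LocalHotpatchState
```

Hosts reported as `BelowHotpatchBuild` are on an affected branch without the fix; `NotInScope` means the build branch is not one of the two this package targets.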