Microsoft Issues Emergency Windows 11 Hotpatch to Close Critical Remote Code Execution Vulnerability

Microsoft Issues Emergency Windows 11 Hotpatch to Close Critical Remote Code Execution Vulnerability

What Happened

Microsoft has released an out-of-band (OOB) hotpatch update, KB5084597, to address a critical security vulnerability in the Windows Routing and Remote Access Service (RRAS) management tool. The flaw could allow remote code execution when an enterprise device connects to a malicious server, potentially giving attackers full control over affected systems without any user interaction beyond the initial connection.

The update targets Windows 11 versions 25H2 and 24H2, as well as Windows 11 Enterprise LTSC 2024 systems that are enrolled in Microsoft's hotpatch update program. Three specific vulnerabilities are addressed: CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111. According to Microsoft's advisory, an attacker authenticated on a domain could exploit these flaws by tricking a domain-joined user into sending a request to a malicious server via the RRAS Snap-in.

Office 2024 Pro Plus

Word, Excel, PowerPoint + more. 3 Devices.

$29

Buy Now →

Windows 11 Pro

Professional Edition. 3 Devices.

$29

Buy Now →

Office 365 Lifetime

5 Devices. Lifetime Account.

$29

Buy Now →

Visio 2024 Pro

Professional Diagramming. 3 Devices.

$29

Buy Now →

Project 2024 Pro

Project Management. 3 Devices.

$29

Buy Now →

Win 11 + Office Bundle

Win 11 Pro + Office + Visio + Project

$49.99

Buy Now →

While these vulnerabilities were originally patched as part of the March 2026 Patch Tuesday cycle on March 10, the out-of-band release specifically targets enterprise devices that rely on hotpatch updates rather than traditional cumulative updates. Microsoft noted this re-release was necessary to "ensure comprehensive coverage across all affected scenarios."

Background and Context

The Routing and Remote Access Service has been a core component of Windows Server and enterprise Windows deployments for decades, enabling organisations to configure software-based routers, VPN gateways, and network address translation services. RRAS is particularly prevalent in enterprise environments where IT administrators manage complex network routing configurations across distributed infrastructure.

Microsoft's hotpatch technology represents a significant evolution in how enterprise systems receive security updates. Traditional cumulative updates require a full system reboot — a process that can disrupt mission-critical applications and services. Hotpatching, by contrast, applies vulnerability fixes through in-memory patching of running processes, allowing devices to remain operational while receiving critical security protections. The on-disk files are simultaneously updated so that fixes persist through the next reboot cycle.

This approach is especially valuable for organisations running always-on infrastructure such as domain controllers, database servers, and production workloads where even brief downtime carries measurable business costs. The hotpatch program is managed through Windows Autopatch, Microsoft's cloud-based update management service, and is available exclusively to Windows 11 Enterprise customers — underscoring the enterprise-focused nature of both the vulnerability and its remediation.

Why This Matters

Remote code execution vulnerabilities in networking infrastructure components represent some of the most dangerous attack vectors in modern enterprise environments. RRAS sits at the intersection of network management and authentication — two of the most sensitive operational layers in any Windows domain. An attacker who successfully exploits these flaws could potentially pivot from a single compromised connection to lateral movement across an entire corporate network.

The fact that Microsoft chose to release an out-of-band update — rather than waiting for the next scheduled Patch Tuesday — signals the severity with which the company views these vulnerabilities. Out-of-band releases are reserved for situations where the risk of exploitation is deemed too high to wait for the normal monthly patching cadence. For IT administrators managing fleets of genuine Windows 11 key deployments, this is a clear signal to prioritise remediation.

The timing is also notable. Coming just days after the March Patch Tuesday release — which itself addressed 79 flaws including two zero-days — this OOB update highlights the growing complexity of the Windows security landscape and the challenge facing enterprise IT teams in maintaining comprehensive patch coverage across diverse update channels.

Industry Impact

The release underscores a broader shift in how Microsoft approaches enterprise security patching. The hotpatch delivery mechanism, while still limited to Enterprise SKUs managed through Autopatch, represents the company's acknowledgment that traditional reboot-required patching is increasingly incompatible with modern always-on business operations. As more organisations adopt zero-downtime deployment models, the demand for in-memory security patching will only intensify.

For managed service providers (MSPs) and enterprise IT departments, this update adds another dimension to their patch management workflows. Organisations must now track not only monthly Patch Tuesday releases but also hotpatch-specific updates that may arrive on separate schedules. This complexity creates opportunities for gaps in coverage — precisely the kind of gaps that sophisticated threat actors are trained to exploit.

The cybersecurity industry has seen a marked increase in attacks targeting network infrastructure components throughout 2025 and into 2026. VPN appliances, routing services, and remote access tools have become favoured targets for both nation-state actors and ransomware groups. Microsoft's rapid response to these RRAS vulnerabilities reflects a broader industry recognition that network infrastructure security can no longer be treated as an afterthought.

Businesses that rely on enterprise productivity software and Windows-based infrastructure should view this update as a reminder of the importance of maintaining current licensing and update eligibility across their entire fleet.

Expert Perspective

The decision to issue an out-of-band hotpatch rather than simply recommending that affected organisations apply the existing Patch Tuesday cumulative update reveals an important nuance in Microsoft's security strategy. Enterprise environments running hotpatch-enabled configurations operate under fundamentally different update lifecycles than standard deployments. These environments may not receive cumulative updates on the same schedule, creating a window of exposure that this OOB release specifically addresses.

From a threat modelling perspective, the attack vector described — tricking a domain-joined user into connecting to a malicious server via RRAS — suggests a social engineering component that could be combined with phishing campaigns targeting IT administrators. Domain-authenticated users with RRAS management responsibilities are high-value targets, and organisations should consider implementing additional access controls and monitoring around RRAS administrative functions.

The three CVEs addressed in this update all share the same exploitation mechanism, suggesting a systemic weakness in RRAS's server connection validation rather than isolated bugs. This pattern is worth watching in future Patch Tuesday releases.

What This Means for Businesses

Organisations running Windows 11 Enterprise with hotpatch updates enabled should verify that KB5084597 has been applied across all managed devices. For those not enrolled in the hotpatch program, the standard March 2026 cumulative update already includes these fixes — but a reboot is required to activate them.

IT teams should also audit their RRAS configurations to identify which systems are actively using the service and assess whether remote management snap-in access can be restricted to trusted network segments. Implementing network segmentation around RRAS management interfaces is a practical mitigation step that reduces the attack surface regardless of patch status.

For businesses considering their Windows licensing strategy, ensuring access to enterprise-grade update mechanisms like hotpatching is increasingly important. Securing an affordable Microsoft Office licence alongside proper Windows Enterprise licensing ensures both productivity and security infrastructure remain current.

Key Takeaways

• Microsoft released out-of-band hotpatch KB5084597 fixing three critical RCE vulnerabilities in Windows RRAS
• The update targets Windows 11 Enterprise devices enrolled in the hotpatch program via Windows Autopatch
• Vulnerabilities CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111 allow remote code execution through malicious server connections
• Standard Patch Tuesday cumulative updates already include these fixes but require a reboot
• Hotpatch updates apply in-memory patches without requiring device restarts
• Enterprise IT teams should audit RRAS configurations and verify patch deployment across all managed endpoints

Looking Ahead

Microsoft's investment in hotpatch technology signals a future where reboot-free security patching becomes the norm rather than the exception for enterprise Windows deployments. As the company expands Autopatch capabilities and hotpatch eligibility to broader Windows SKUs, the distinction between standard and enterprise patch delivery will become a key differentiator in organisational security posture. IT leaders should begin planning for hotpatch adoption as part of their long-term Windows lifecycle management strategy, particularly as threat actors continue to target the gaps between patch release and patch application.