Microsoft Windows 11 Hotpatch Fixes Critical RCE Vulnerability

▼ Summary
– Microsoft released an out-of-band hotpatch update (KB5084597) to fix security vulnerabilities in the Windows Routing and Remote Access Service (RRAS) management tool.
– The vulnerabilities, tracked as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111, could allow remote code execution when connecting to a malicious server.
– This update specifically applies to Windows 11 Enterprise devices (versions 25H2, 24H2, and LTSC 2024) that receive hotpatch updates for mission-critical systems that cannot be easily rebooted.
– The hotpatch applies the fixes in memory without a restart and also updates the files on disk, so protection is immediate and persists across any later reboot.
– The update is automatically installed only for devices enrolled in the hotpatch program and managed through Windows Autopatch.
Microsoft has issued an emergency security update for Windows 11 Enterprise systems, specifically targeting devices that rely on hotpatch technology to avoid disruptive reboots. This out-of-band release addresses a set of critical vulnerabilities that could allow an attacker to execute malicious code remotely. The fix matters most to organizations whose administrators use these client devices for remote server management and cannot easily schedule a reboot window for them.
The update, labeled KB5084597, resolves security flaws within the Windows Routing and Remote Access Service (RRAS) management tool. According to Microsoft, these vulnerabilities, tracked as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111, could be exploited for remote code execution. The attack scenario requires an attacker who is already authenticated on the domain and a domain-joined user who is tricked into connecting the RRAS snap-in to an attacker-controlled server; the malicious response is then processed on the client running the snap-in. This threat is therefore most relevant to Enterprise client devices that receive hotpatch updates and are used for remote server management.
This hotpatch is applicable to Windows 11 versions 25H2 and 24H2, as well as Windows 11 Enterprise LTSC 2024 systems. While these specific vulnerabilities were already addressed in the standard March 2026 Patch Tuesday updates, installing those traditional cumulative updates necessitates a system reboot. For many mission-critical environments, such reboots are not feasible without causing significant operational disruption.
The hotpatch update mechanism provides a solution for these sensitive systems. Instead of requiring an immediate restart, it applies security fixes by performing in-memory patching of running processes. This method delivers the protection immediately while also updating the files on disk, ensuring the fix persists after any future reboot. The KB5084597 update is cumulative, meaning it includes all the fixes and improvements from the March 2026 Windows security update released earlier.
Microsoft notes that this hotpatch will be offered exclusively to devices enrolled in the dedicated hotpatch update program and managed through Windows Autopatch. For these systems, the update will be installed automatically without requiring any restart, maintaining continuous service availability. The company re-released these fixes yesterday to ensure comprehensive coverage across all affected scenarios, having previously issued hotfixes for the same flaws. This proactive measure underscores the importance of securing remote management tools against sophisticated attack vectors.
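As an added check that is not part of the article or of anything Microsoft publishes, the following PowerShell script reports whether a Windows 11 Enterprise client is in scope for KB5084597, whether the exposed component (the RRAS management console) is actually installed on it, and whether the hotpatch is already present. It assumes build 26100 corresponds to 24H2 / Enterprise LTSC 2024 and build 26200 to 25H2, that the RRAS console on a client comes from the RSAT capability named `Rsat.RemoteAccess.Management.Tools*`, and that installed updates can be seen through `Get-HotFix` and the Windows Update history COM API.

```powershell
# Added example, not code from the article or from Microsoft.
# Reports whether this Windows 11 Enterprise client is in scope for KB5084597,
# whether the RRAS management console is installed, and whether the KB is present.
# Assumptions: OS build 26100 = 24H2 / Enterprise LTSC 2024, 26200 = 25H2;
# the RRAS console ships in the RSAT capability 'Rsat.RemoteAccess.Management.Tools*';
# updates are visible via Get-HotFix and the Windows Update history COM API.
# Run from an elevated session (Get-WindowsCapability -Online requires it).

$HotpatchKB    = 'KB5084597'
$InScopeBuilds = @{
    '26100' = 'Windows 11 24H2 / Enterprise LTSC 2024'
    '26200' = 'Windows 11 25H2'
}

$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$build   = [string]$os.BuildNumber
$inScope = $InScopeBuilds.ContainsKey($build) -and ($os.Caption -match 'Enterprise')

# The vulnerable component is the RRAS snap-in. On a client it is delivered by the
# RSAT RRAS console; if that capability is absent, this host has no exposed snap-in.
$rrasTools = Get-WindowsCapability -Online -Name 'Rsat.RemoteAccess.Management.Tools*' `
                -ErrorAction SilentlyContinue
$rrasInstalled = @($rrasTools | Where-Object { $_.State -eq 'Installed' }).Count -gt 0

# Look for the KB in the QFE list and in Windows Update history (ResultCode 2 = succeeded).
$qfe = Get-HotFix -Id $HotpatchKB -ErrorAction SilentlyContinue

$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
$history  = if ($total -gt 0) { $searcher.QueryHistory(0, $total) } else { @() }
$fromHistory = @($history | Where-Object {
    $_.Title -match $HotpatchKB -and $_.ResultCode -eq 2
}).Count -gt 0
$kbPresent = ($null -ne $qfe) -or $fromHistory

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    OS             = $os.Caption
    Build          = $build
    InScopeRelease = if ($inScope) { $InScopeBuilds[$build] } else { 'no' }
    RrasConsole    = if ($rrasInstalled) { 'installed (exposed until patched)' } else { 'not installed' }
    KB5084597      = if ($kbPresent) { 'present' } else { 'missing' }
    Action         = if ($inScope -and $rrasInstalled -and -not $kbPresent) {
                         'Confirm hotpatch enrollment in Windows Autopatch, or apply the March 2026 cumulative update and reboot'
                     } else { 'none' }
}
```

A device that already installed the regular March 2026 cumulative update and rebooted is fixed but will not show KB5084597, since the hotpatch is only offered to enrolled devices; in that case check the cumulative update's own KB in the same history list. The script cannot tell you whether the device is enrolled for hotpatching, which is an Autopatch policy decision; it only tells you whether the result of that enrollment has landed.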
(Source: Bleeping Computer)