Microsoft Deploys Urgent Out-of-Band Hotpatch for Critical Windows 11 RRAS Flaws

Microsoft has released an urgent out-of-band Windows 11 RRAS RCE patch to address critical vulnerabilities that allow attackers to execute malicious code remotely. Deployed on March 13, 2026, this emergency update targets IT administrators and enterprise networks relying on the Windows Routing and Remote Access Service. By applying this hotpatch, organizations can immediately secure their infrastructure against unauthorized network infiltration without experiencing operational downtime.

The security gaps, tracked as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111, reside within the RRAS management tool used for configuring routing and virtual private network (VPN) services. The primary attack vector requires a threat actor to trick a user into connecting to a maliciously crafted remote server. Once the connection is established, attackers can completely disrupt the RRAS tool and execute unauthorized code, potentially leading to severe data breaches or malware deployment.

To mitigate these immediate threats, Microsoft issued hotpatch KB5084597 outside of its standard monthly Patch Tuesday cycle. This specific update applies exclusively to systems running Windows 11 versions 25H2 and 24H2, specifically OS Builds 26200.7982 and 26100.7982. Because it utilizes modern hotpatching technology, the update installs seamlessly in the background without requiring a system reboot, preserving active network connections. Microsoft notes that this release is bundled with the latest Servicing Stack Update (SSU) to maintain update mechanism stability.

Administrators and users should take the following steps to ensure their systems are protected:

• Verify that Windows Update is active, allowing the hotpatch to download automatically on enabled devices.
• Confirm the system is running the targeted Windows 11 versions 25H2 or 24H2.
• Review network security logs for unusual outbound connections to unknown remote servers, which could indicate an exploitation attempt.
• Check the official Windows release health dashboard for emerging issues related to these CVEs.

Microsoft’s decision to deploy KB5084597 as a rebootless hotpatch highlights a critical shift in enterprise cybersecurity strategy. Historically, patching core networking components like RRAS forced IT administrators into a difficult choice between immediate security and maintaining network uptime. By delivering this fix seamlessly in the background for Windows 11 versions 25H2 and 24H2, Microsoft is effectively eliminating the operational friction that often delays critical security deployments. As threat actors increasingly target VPN and routing infrastructure, this frictionless patching model will likely become the new standard for mitigating zero-day and critical RCE vulnerabilities.

Do I need to restart my PC after installing KB5084597?
No, this update is delivered as a hotpatch for enabled devices, meaning it installs and takes effect in the background without requiring a system restart.

Which versions of Windows 11 are affected?
The vulnerabilities and the corresponding hotpatch apply to Windows 11 versions 25H2 and 24H2 (OS Builds 26200.7982 and 26100.7982).

What happens if my device is not hotpatch-enabled?
Devices configured for standard Windows updates do not require manual action for this specific hotpatch, as they will receive the necessary protections through their regular scheduled update channels.