Microsoft Releases Windows 11 OOB Hotpatch to Fix Three

Dylan H.

News Desk

March 14, 2026

Microsoft Pushes Emergency Windows 11 Hotpatch for Three RRAS RCE Flaws

Microsoft has released an out-of-band (OOB) update, KB5084597, to address three critical-to-high severity Remote Code Execution (RCE) vulnerabilities in the Routing and Remote Access Service (RRAS) component. The patch was issued on March 13, 2026 — three days after the standard March 10 Patch Tuesday — and is delivered as a hotpatch, meaning enrolled Windows 11 Enterprise devices receive the fix in memory without requiring a system reboot.

All three CVEs share the same root cause: integer overflow or wraparound conditions in the RRAS packet-processing and management-protocol engines.


The Three Vulnerabilities

| CVE | CVSS | Severity | Attack Vector |
|---|---|---|---|
| CVE-2026-25172 | 8.8 | High | Unauthenticated remote attacker |
| CVE-2026-25173 | 9.8 | Critical | Authenticated domain user (malicious-server pattern) |
| CVE-2026-26111 | 8.8 | High | Authorized attacker on the network |

CVE-2026-25172 — Unauthenticated RRAS Integer Overflow (CVSS 8.8)

An unauthenticated attacker can send specially crafted packets to a system with RRAS enabled. The malformed input triggers an integer overflow in the packet-reassembly logic, leading to heap buffer under-allocation and subsequent memory corruption. No credentials or user interaction are required — only network reachability to the RRAS listener.

CVE-2026-25173 — Critical Domain User RCE via RRAS Snap-in (CVSS 9.8)

The most severe of the three, CVE-2026-25173 targets the RRAS MMC Snap-in used by administrators to manage remote RRAS servers. When an administrator connects the Snap-in to an attacker-controlled server (via phishing, MitM, or network-level manipulation), the malicious server's crafted response triggers an integer overflow on the administrator's client machine — resulting in RCE on the administrator's workstation, not the server.

This malicious-server attack pattern means domain-joined Windows 11 Enterprise machines running the RRAS management tools are at risk even if RRAS itself is not enabled on those clients.

CVE-2026-26111 — Integer Overflow RCE with Network Access (CVSS 8.8)

A third integer overflow in the RRAS engine is exploitable by an authorized attacker with network access. The exploitation path follows the same heap-corruption mechanism as CVE-2026-25172, but requires the attacker to be authenticated on the network segment.


What Is RRAS?

Routing and Remote Access Service (RRAS) is a Windows Server role that provides:

  • VPN gateway functionality — PPTP, L2TP, SSTP, IKEv2 inbound VPN
  • Software router — IP routing in LAN/WAN environments
  • NAT — public/private IP sharing
  • Site-to-site VPN — geographically separated network linking
  • DHCP and DNS proxy — basic name/address resolution for connected clients

The RRAS Snap-in (MMC management console) also ships on domain-joined Windows client machines — and it is this client-side management component that is the primary attack surface for CVE-2026-25173.


Why the OOB Hotpatch?

Microsoft reserved the standard Patch Tuesday delivery for Windows Server systems (fixes delivered via KB5053651/KB5053636). Exploitation attempts targeting RRAS were detected against Windows Server infrastructure beginning late January 2026, prompting accelerated delivery for Windows 11 Enterprise endpoints.

The hotpatch delivery mechanism patches running processes in memory without requiring a restart, making it suitable for environments with strict uptime requirements. The fix persists across reboots and is cumulative with the March 10, 2026 baseline.


Affected Versions

| Platform | Build | Patch Delivery |
|---|---|---|
| Windows 11 25H2 Enterprise/Education | 26200.7982 | KB5084597 (hotpatch) |
| Windows 11 24H2 Enterprise/Education | 26100.7982 | KB5084597 (hotpatch) |
| Windows 11 Enterprise LTSC 2024 | 26100.7982 | KB5084597 (hotpatch) |
| Windows Server 2019/2022/2025 | Various | Standard cumulative update |

The hotpatch is automatically delivered to devices enrolled in Windows Autopatch with hotpatch updates enabled — no manual action and no restart required.


Remediation

Immediate Actions

  1. Apply KB5084597 — automatically pushed to Autopatch-enrolled devices. Manually install via Windows Update for other Windows 11 Enterprise systems.
  2. Patch Windows Server via the standard March 2026 cumulative update (KB5053651 / KB5053636 depending on OS version).
  3. Verify RRAS exposure — identify which servers have RRAS enabled and ensure they are not directly internet-facing.
  4. Audit RRAS Snap-in usage — determine which administrator workstations have the RRAS MMC Snap-in installed, and restrict access to management networks only.
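
A read-only way to run the checks in steps 1, 3 and 4 on a single machine, as an added example that is not from the article or from Microsoft. The fixed revision 7982 comes from the Affected Versions table; the `Get-RrasAuditReport` name and the `rrasmgmt.msc` console path are assumptions.

```powershell
# Added example: read-only audit for remediation steps 1, 3 and 4.
function Get-RrasAuditReport {
    # Assumption: 7982 is the fixed revision, taken from the Affected Versions table.
    param([int]$FixedRevision = 7982)

    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $rrasRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # Step 1: the revision comparison only applies to the Windows 11 builds in the table.
    $patched = if ($cv.CurrentBuild -in '26100', '26200') {
        $cv.UBR -ge $FixedRevision
    } else {
        'n/a (check the server cumulative update instead)'
    }

    # Step 3: VPN listeners (PPTP TCP 1723, SSTP TCP 443, L2TP UDP 1701, IKEv2 UDP 500/4500).
    # Reported only while RRAS is running; TCP 443 can also belong to another service.
    $listeners = @()
    if ($rrasRunning) {
        $listeners += @(Get-NetTCPConnection -State Listen -LocalPort 1723, 443 -ErrorAction SilentlyContinue |
            ForEach-Object { "TCP $($_.LocalAddress):$($_.LocalPort)" })
        $listeners += @(Get-NetUDPEndpoint -LocalPort 1701, 500, 4500 -ErrorAction SilentlyContinue |
            ForEach-Object { "UDP $($_.LocalAddress):$($_.LocalPort)" })
    }

    # Step 4: is the RRAS management console present on this machine?
    # Assumption: the console file is System32\rrasmgmt.msc.
    $snapIn = Test-Path (Join-Path $env:SystemRoot 'System32\rrasmgmt.msc')

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Build         = "$($cv.CurrentBuild).$($cv.UBR)"
        AtFixedLevel  = $patched
        RrasService   = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'not installed' }
        VpnListeners  = $listeners -join ', '
        SnapInPresent = $snapIn
    }
}

Get-RrasAuditReport | Format-List
```

A listener bound to `0.0.0.0` or `::` accepts traffic on every interface, so whether it is internet-facing still has to be confirmed against the perimeter firewall and NAT rules.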

If Immediate Patching Is Delayed

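```powershell
# Disable RRAS if it is not actively in use
Stop-Service RemoteAccess -Force
Set-Service RemoteAccess -StartupType Disabled

# Verify RRAS is stopped
Get-Service RemoteAccess | Select-Object Name, Status, StartType
```

```powershell
# Temporary rule: block inbound TCP to the RRAS VPN listener ports (PPTP 1723, SSTP 443).
# As written it applies to every remote address and to all inbound HTTPS on this host;
# add -RemoteAddress to limit it to the source ranges you want blocked.
# L2TP uses UDP 1701, so the TCP 1701 entry does not cover L2TP traffic.
New-NetFirewallRule -DisplayName "Temp: Block RRAS Mgmt External" `
  -Direction Inbound `
  -LocalPort 1723,1701,443 `
  -Protocol TCP `
  -Action Block
```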

Detection Indicators

Monitor for the following post-exploitation signals:

| Indicator | Significance |
|---|---|
| RRAS service spawning unexpected child processes | Direct exploitation attempt |
| New local admin accounts appearing on RRAS servers | Post-exploitation persistence |
| Unusual outbound connections from RRAS hosts | C2 or exfiltration |
| RRAS Snap-in connecting to non-standard management server IPs | CVE-2026-25173 exploitation |
| Heap corruption crash dumps in RRAS process space | Exploitation attempt (possibly failed) |
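
Two of these indicators can be pulled straight from the Windows event logs on an RRAS host. The following is an added example, not from the article: it assumes auditing of security group changes is enabled and that the service's display name is the English "Routing and Remote Access"; the function name `Get-RrasTriageEvents` is hypothetical.

```powershell
# Added example: event-log triage for "new local admin accounts" and RRAS crashes.
function Get-RrasTriageEvents {
    param([int]$Days = 14)
    $since = (Get-Date).AddDays(-$Days)

    # Security event 4732 = member added to a security-enabled local group.
    # S-1-5-32-544 is the built-in Administrators group.
    $adminFilter = @{ LogName = 'Security'; Id = 4732; StartTime = $since }
    $adminAdds = Get-WinEvent -FilterHashtable $adminFilter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
            if ($f['TargetSid'] -eq 'S-1-5-32-544') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Indicator = 'Local admin added'
                    Detail    = "$($f['MemberSid']) added by $($f['SubjectDomainName'])\$($f['SubjectUserName'])"
                }
            }
        }

    # Service Control Manager events 7031/7034 record a service terminating
    # unexpectedly, which is how a crash in the RRAS process shows up in the System log.
    # Assumption: the first event property holds the service display name.
    $crashFilter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'
                      Id = 7031, 7034; StartTime = $since }
    $crashes = Get-WinEvent -FilterHashtable $crashFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq 'Routing and Remote Access' } |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Indicator = 'RRAS service terminated unexpectedly'
                Detail    = $_.Message
            }
        }

    # Merge both result sets into one timeline.
    @($adminAdds) + @($crashes) | Sort-Object Time
}

Get-RrasTriageEvents | Format-Table -AutoSize -Wrap
```

Reading the Security log requires an elevated session; an empty result only means no matching events were logged in the window, not that the host is clean.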

Broader Context

These three vulnerabilities continue a trend of adversaries targeting VPN and remote access infrastructure as high-value initial access vectors. RRAS servers, deployed as enterprise VPN gateways and edge routers, represent a single point of failure: compromise grants an attacker a foothold inside the network perimeter at the network layer, ahead of application-level controls.

The unauthenticated path in CVE-2026-25172 is of particular concern for organizations that expose RRAS endpoints to the internet — a common configuration for site-to-site VPN termination.


Sources

  • BleepingComputer — Microsoft releases Windows 11 OOB hotpatch to fix RRAS RCE flaw
  • Neowin — KB5084597: Microsoft outs Windows 11 25H2, 24H2 emergency update for critical network flaw
  • Microsoft Support — March 13, 2026 Hotpatch KB5084597 Out-of-Band
  • MSRC — CVE-2026-25173
