Microsoft Issues Emergency Hotpatch for Critical Windows 11 RRAS Vulnerabilities
Microsoft has released an out-of-band security update to address critical vulnerabilities in Windows 11’s Routing and Remote Access Service (RRAS). The update, delivered as a hotpatch on March 13, 2026, aims to prevent attackers from executing malicious code through remote access management tools. Notably, the hotpatch is designed to be applied without requiring a system restart, minimizing disruption for users.
Understanding the RRAS Vulnerabilities
The vulnerabilities, identified as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111, affect Windows 11 versions 24H2 and 25H2, as well as LTSC 2024. RRAS is a crucial component in many enterprise networks, enabling administrators to manage remote access, including VPN connectivity, routing, and remote administration. A successful exploit could allow an attacker to disrupt the service or gain control of affected systems.
CVE-2026-25172 and CVE-2026-25173
These vulnerabilities involve remote code execution within the RRAS management tool. If a user or administrator connects to a malicious server through the RRAS interface, a specially crafted response from the attacker-controlled server could allow the attacker to disrupt service operations or execute arbitrary code.
CVE-2026-26111
CVE-2026-26111 represents an additional vulnerability within the RRAS management tool, compounding the risk of remote code execution during interactions with malicious servers. The exploitation scenario is similar to the other two vulnerabilities, providing attackers with another potential pathway to compromise the system.
Attack Scenario and Potential Impact
The vulnerabilities share a common attack vector: an attacker configures a malicious server designed to interact with the RRAS interface. If a system administrator or user connects to this server through the management tool, the attacker can exploit the vulnerability during the connection process. Because RRAS operates with elevated privileges, a successful exploit could lead to malware deployment, network configuration changes, or lateral movement within the network. TechRepublic reports that, as of publication, Microsoft has not observed any active exploitation of these vulnerabilities.
Mitigation Strategies
Organizations should prioritize the following steps to reduce their risk:
- Apply the Latest Patch: Install the KB5084597 hotpatch on all affected Windows 11 systems. Testing in a staging environment before production deployment is recommended.
- Restrict Access: Limit RRAS management access to authorized administrators only, utilizing role-based access control (RBAC) or just-in-time (JIT) access.
- Disable Unnecessary RRAS Roles: Disable the RRAS role or management tools on systems where they are not required to reduce the attack surface.
- Control Remote Connections: Restrict connections to trusted remote servers and implement outbound network filtering or firewall rules.
- Network Segmentation: Segment remote access infrastructure and administrative workstations onto dedicated management networks.
- Enhanced Monitoring: Deploy Endpoint Detection and Response (EDR) solutions and centralized logging to monitor for suspicious RRAS activity.
- Incident Response Testing: Regularly test incident response plans and use attack simulation tools.
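The following audit script is an added example, not part of the original article or of any Microsoft tooling. It ties the first three mitigations above together for a single Windows 11 host: it reads the installed feature version, checks whether the KB5084597 hotpatch is listed, reports whether the RRAS management tools and the RRAS service are present, and flags hosts that still need action. Assumptions are labelled in the comments: that the hotpatch appears in the Get-HotFix inventory like other KBs, that the RSAT capability name used is the one Windows assigns to the RRAS management tools, that LTSC 2024 reports its version as 24H2, and that the RRAS service is the one named RemoteAccess.

```powershell
# Added audit example (not from the article). Summarises a Windows 11 host's exposure to
# the RRAS management-tool CVEs (CVE-2026-25172, CVE-2026-25173, CVE-2026-26111) and
# whether the KB5084597 hotpatch is present. Run from an elevated PowerShell prompt.

$AffectedVersions = @('24H2', '25H2')   # versions named in the article; LTSC 2024 is assumed to report 24H2
$HotpatchKB       = 'KB5084597'          # KB number from the article
# Assumed capability name for the RSAT "Remote Access Management Tools" package.
$RsatCapability   = 'Rsat.RemoteAccess.Management.Tools~~~~0.0.1.0'

function Get-RrasExposure {
    # Feature version (e.g. 24H2) as recorded by Windows itself.
    $cv             = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $displayVersion = $cv.DisplayVersion
    $isAffected     = $AffectedVersions -contains $displayVersion

    # Assumption: the hotpatch is enumerated by Get-HotFix (Win32_QuickFixEngineering) like other KBs.
    $hotfix  = Get-HotFix -Id $HotpatchKB -ErrorAction SilentlyContinue
    $patched = $null -ne $hotfix
    $patchedOn = $null
    if ($patched) { $patchedOn = $hotfix.InstalledOn }

    # Attack-surface check: are the RRAS management tools installed at all?
    $cap           = Get-WindowsCapability -Online -Name $RsatCapability -ErrorAction SilentlyContinue
    $rsatInstalled = ($null -ne $cap) -and ($cap.State -eq 'Installed')

    # The RRAS service (assumed service name 'RemoteAccess'); on clients it is normally disabled.
    $svc          = Get-Service -Name 'RemoteAccess' -ErrorAction SilentlyContinue
    $svcStatus    = 'NotPresent'
    $svcStartType = 'NotPresent'
    if ($svc) {
        $svcStatus    = $svc.Status
        $svcStartType = $svc.StartType
    }

    # A host needs attention when it runs an affected version, lacks the hotpatch,
    # and still exposes the management tools that the malicious-server scenario targets.
    $actionNeeded = $isAffected -and (-not $patched) -and $rsatInstalled

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        DisplayVersion       = $displayVersion
        AffectedVersion      = $isAffected
        HotpatchInstalled    = $patched
        HotpatchInstalledOn  = $patchedOn
        RrasMgmtToolsPresent = $rsatInstalled
        RrasServiceStatus    = $svcStatus
        RrasServiceStartType = $svcStartType
        ActionNeeded         = $actionNeeded
    }
}

# Usage: print the report for this host.
Get-RrasExposure | Format-List

# Optional follow-up for hosts where the tools are not needed (mitigation "Disable
# Unnecessary RRAS Roles"); left commented so the audit itself changes nothing:
# Remove-WindowsCapability -Online -Name $RsatCapability
```

Run the function across a fleet (for example via Invoke-Command against a list of hosts) and filter on ActionNeeded to get the list of machines that are on an affected version, have not picked up the hotpatch, and still carry the RRAS management tools. The last point matters for the hotpatch caveat below: a device that takes standard Windows updates will not receive KB5084597 automatically, so HotpatchInstalled is the field to watch rather than the host's general update status.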
Hotpatch Availability and Considerations
This update is delivered as a hotpatch, meaning it’s automatically applied to devices enabled for hotpatch updates without requiring a restart. Microsoft Support clarifies that devices receiving standard Windows updates will not receive the hotpatch automatically. WinBuzzer highlights that the patch primarily impacts managed environments relying on Windows for remote access.
Organizations should remain vigilant and prioritize the implementation of these security measures to protect against potential exploitation of these critical RRAS vulnerabilities.