Microsoft's RRAS Hotpatch Covers a Gap That Standard Patch Tuesday Missed

CybrPulse

CybrPulse

3 min read
Microsoft's RRAS Hotpatch Covers a Gap That Standard Patch Tuesday Missed

Microsoft pushed an out-of-band hotpatch on March 13, 2026 to fix three remote code execution vulnerabilities in the Windows Routing and Remote Access Service (RRAS) management tool. The update — KB5084597 — wasn't a response to new discoveries. These CVEs were already patched in the March 10 Patch Tuesday cycle. The problem was that hotpatch-enrolled enterprise devices never got the fix.

That's the part worth paying attention to.

The Vulnerabilities

Three CVEs, all in the RRAS management snap-in:

  • CVE-2026-25172 — RCE via the RRAS management tool when connecting to a malicious server
  • CVE-2026-25173 — Related RRAS flaw, same attack vector, same impact
  • CVE-2026-26111 — Additional RRAS issue that compounds risk from the above two

The attack scenario is consistent across all three: an attacker stands up a rogue server, then waits for a domain-joined user or administrator running the RRAS snap-in to connect. When they do, the attacker can execute arbitrary code on the victim's machine. Microsoft's advisory notes the attack requires domain authentication — you need an authenticated attacker who can trick a user into making that connection.

In enterprise environments where RRAS is used for remote access and VPN management, that's not a particularly high bar. Admins connecting to remote management endpoints is routine behavior.

Why an OOB Patch Was Necessary

Here's the structural issue that made this necessary: Windows hotpatch updates work by patching running processes in memory without requiring a reboot. That's the whole value proposition — mission-critical systems can receive security fixes without downtime.

But when the March 10 Patch Tuesday cycle went out, devices enrolled in Windows Autopatch's hotpatch program didn't receive the RRAS fixes. Standard cumulative updates covered the CVEs. Hotpatch-enrolled devices didn't. Microsoft acknowledged a "coverage gap" and pushed KB5084597 to close it.

This creates an uncomfortable implication: if you're running enterprise Windows on devices configured for hotpatch delivery, you should not assume patch parity with the standard Patch Tuesday cycle. The update mechanisms can diverge, and when they do, there may be no automatic alert.

Affected Systems

KB5084597 covers:

  • Windows 11 version 25H2 (OS Build 26200.7982)
  • Windows 11 version 24H2 (OS Build 26100.7982)
  • Windows 11 Enterprise LTSC 2024

Both x64 and Arm64 architectures are included. The hotpatch is delivered automatically to devices enrolled in Windows Autopatch — no admin action required, no restart needed. Microsoft has also made it available through the Microsoft Update Catalog and WSUS for managed environments.

Devices on standard Windows Update are not offered this specific package. They received the fix through the standard March 10 updates.

What to Actually Do

First, verify KB5084597 landed. Don't assume automatic deployment means successful deployment. Pull your Autopatch compliance dashboard and confirm all eligible endpoints show the update applied. Pay particular attention to systems that manage RRAS — those are your highest-exposure machines.

Second, audit who has access to the RRAS snap-in. The attack requires luring an administrator into connecting to a rogue server. Restricting RRAS management access to a defined set of accounts shrinks the attack surface considerably.

Third, if you have devices running Windows 11 Enterprise that are *not* enrolled in hotpatch programs, check that March 10 cumulative updates were applied. Those systems should already be covered, but it's worth confirming.

Fourth — and this is the longer-term takeaway — if your environment uses Windows Autopatch hotpatch delivery, build a process to periodically compare hotpatch CVE coverage against the standard Patch Tuesday CVE list. This gap won't be the last time they diverge.

The Hotpatch Gap Problem

Microsoft has been pushing hotpatch as a feature for enterprise environments that can't afford reboot windows. The pitch is compelling: apply security fixes without disrupting operations. But this incident reveals that hotpatch coverage isn't always synchronized with standard update coverage.

If you're managing a fleet of Windows 11 Enterprise devices and you've enabled hotpatch for operational continuity, you may be accepting delayed or incomplete patching as a tradeoff — without knowing it. That's a risk posture decision that should be explicit, not accidental.

KB5084597 is a routine patch for a specific set of enterprise devices. But the coverage gap it exposes is a process problem worth addressing before the next one shows up.

Read more