Microsoft Pushes Emergency Windows 11 Patch for Critical RRAS Flaw

Microsoft dropped an unscheduled hotpatch update on March 13, 2026, to plug three dangerous remote code execution holes in Windows 11. The fix, labeled KB5084597, targets the Routing and Remote Access Service (RRAS) management tool and arrives without requiring a single reboot. If you run enterprise machines with hotpatching enabled, here is everything you need to know.

What the KB5084597 Hotpatch Actually Fixes

Microsoft released the out-of-band hotpatch update KB5084597 to fix three remote code execution vulnerabilities in the Windows Routing and Remote Access Service (RRAS) management tool.1

The three distinct CVE identifiers associated with this update are CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111.2 All three are catalogued as RRAS remote code execution vulnerabilities tied to integer overflow and heap buffer misuse.3

Here is a quick look at each flaw:

CVE-2026-26111 received a CVSS score of 8.8 out of 10.4 The vulnerability exists because the service fails to properly validate input sizes, leading to a miscalculation in memory allocation.5

All three flaws were already included in the March 10 Patch Tuesday release for standard Windows 11 devices. The KB5084597 hotpatch was released specifically for Enterprise client devices that use hotpatching rather than the regular Patch Tuesday cumulative update cycle.6

Microsoft Windows 11 KB5084597 hotpatch RRAS remote code execution fix

How Attackers Could Exploit These Flaws

The attack path is surprisingly straightforward.

“An attacker authenticated on the domain could exploit this vulnerability by tricking a domain-joined user into sending a request to a malicious server via the Routing and Remote Access Service (RRAS) Snap-in,” reads the description for all three flaws.7

In simple terms, a bad actor already inside the network tricks an admin into connecting to a rogue server through the RRAS management console. Successful exploitation allows an attacker to execute code remotely, leading to full system compromise. This could allow an attacker to disrupt the RRAS tool, intercept network traffic, or use the compromised server as a foothold to move laterally within the enterprise network.5

Because RRAS frequently runs with powerful privileges and directly handles network-facing packets, even seemingly isolated parser issues can lead to full compromise of the host.8

Enterprise security teams should treat this as high priority, especially if RRAS management workstations are reachable from semi-trusted networks.

Why Microsoft Chose a Hotpatch Instead of a Regular Update

While the vulnerabilities were already fixed on Patch Tuesday, installing cumulative updates requires devices to be rebooted. However, some devices are used for mission-critical applications and services that cannot be easily rebooted. To protect these types of devices, hotpatch updates apply new vulnerability fixes by performing in-memory patching of running processes to deliver fixes.7

Think of it this way. A hospital network running RRAS on always-on workstations cannot simply restart during a busy shift. Hotpatching solves that problem.

The patched files are also written to disk so the fixes persist after the next scheduled reboot.1 Microsoft notes it had previously released hotfixes for these same vulnerabilities but re-released KB5084597 to ensure coverage across all affected scenarios.1

The package advances affected systems to OS Builds 26200.7982 (25H2) and 26100.7982 (24H2) for the respective servicing families.3

Which Devices Get This Update and How to Verify

Not every Windows 11 machine will see this update. Here is who is affected:

• The update applies to Windows 11 versions 24H2 and 25H2, as well as Windows 11 Enterprise LTSC 2024.1
• The hotpatch will only be offered to devices enrolled in the hotpatch update program and managed through Windows Autopatch, where it will be installed automatically without requiring a restart.7
• Devices not enrolled in the program received the fix through the standard March 10 Patch Tuesday update.1

To check if your device received the patch:

Open Settings, then go to Windows Update, then View Update History. Hotpatch entries will show as a hotpatch or as a March 13, 2026 hotpatch entry with KB5084597 in the update history for eligible Windows 11 Enterprise builds.9

Organizations must have Windows 11 Enterprise edition with the latest cumulative update installed and be enrolled in either Windows Autopatch or managed through Microsoft Intune to receive this specific delivery.10

If your machines are not enrolled in the hotpatch program and you already installed the March 10 cumulative update, you are already covered. No extra action is needed.

The Bigger Picture: Hotpatching Becomes the New Normal

This emergency release is not an isolated event. It signals a bigger shift in how Microsoft plans to deliver security fixes going forward.

Today, there are over 10 million production devices enrolled in hotpatch updates, showing the level of adoption and trust companies have in this capability.11

Microsoft will turn on hotpatch security updates by default for all eligible Windows devices managed through Microsoft Intune and the Microsoft Graph API, beginning with the May 2026 Windows security update.12 Microsoft estimates that the time to reach 90% patch compliance will be halved.12

Key dates for IT admins:

• April 1, 2026: Tenant-level opt-out controls go live in Intune
• May 11, 2026: Hotpatch updates begin deploying under new default settings

Microsoft’s ring-based deployment strategy does not limit the blast radius when something goes wrong, and making hotpatching the default adds another variable that could produce unexpected consequences. Administrators who prize tight control over their environments won’t love this change, which makes the tenant-level and policy-level opt-outs genuinely welcome additions.13

For organizations still unsure about hotpatching, KB5084597 serves as a real-world test case. It landed silently, fixed critical flaws, and required zero downtime.

With RRAS remaining a repeated target for attackers and remote code execution bugs continuing to surface in network-facing Windows services, the pressure on enterprise IT teams is only growing. Whether you rely on hotpatching or traditional Patch Tuesday updates, the message from Microsoft is clear: patch now, not later. If your team manages RRAS workstations, verify KB5084597 today and share this with your fellow admins. Every hour an unpatched system stays online is an open door.