What happened
Microsoft released KB5084597 as an out-of-band hotpatch update for eligible Windows 11 Enterprise hotpatch environments.
The update addresses Routing and Remote Access Service (RRAS) management-tool attack paths tied to the following vulnerabilities:
- CVE-2026-25172
- CVE-2026-25173
- CVE-2026-26111
According to Microsoft and security reporting, exploitation would require an authenticated domain context and user interaction with a malicious server path, but the impact can include remote code execution.
Why this matters
Hotpatch-targeted systems are often used in sensitive or uptime-critical enterprise roles.
That means patch delays can create meaningful exposure windows if organizations assume regular Patch Tuesday coverage alone is enough for all managed rings.
What organizations should do now
- Confirm which endpoints are in the Windows Autopatch hotpatch channel.
- Verify KB5084597 deployment and successful install telemetry.
- Restrict RRAS administrative tooling to trusted admin workstations and hardened jump hosts.
- Monitor for unusual RRAS console activity and unexpected remote-management connections.
- Keep fallback reboot-and-cumulative-update procedures documented for hotpatch exceptions.
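One way to run the deployment check from the list above, as an added example that is not from Microsoft or the original advisory. It assumes a hypothetical file `hotpatch-endpoints.txt` (one hostname per line, exported from your own management tooling), remote WMI access from the admin workstation, and that the hotpatch is reported through `Get-HotFix` on these builds; cross-check the result against your update-management telemetry.

```powershell
# Added example: report KB5084597 status for each hotpatch-enrolled endpoint.
# Assumptions (not from the advisory): the endpoint list file below is a
# hypothetical export from your own management tooling, and the hotpatch is
# visible through Get-HotFix on these builds.
$KbId     = 'KB5084597'
$ListPath = '.\hotpatch-endpoints.txt'   # hypothetical: one hostname per line

$endpoints = Get-Content -Path $ListPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    Sort-Object -Unique

$results = foreach ($name in $endpoints) {
    try {
        # Pull the full hotfix list and filter locally, so "KB absent" (empty
        # result) is never confused with "query failed" (exception).
        $fix = Get-HotFix -ComputerName $name -ErrorAction Stop |
            Where-Object { $_.HotFixID -eq $KbId } |
            Select-Object -First 1

        [pscustomobject]@{
            ComputerName = $name
            Status       = if ($fix) { 'Installed' } else { 'Missing' }
            InstalledOn  = if ($fix) { $fix.InstalledOn } else { $null }
            Detail       = ''
        }
    }
    catch {
        # Unreachable or access-denied hosts are unknown, not compliant.
        [pscustomobject]@{
            ComputerName = $name
            Status       = 'Unknown'
            InstalledOn  = $null
            Detail       = $_.Exception.Message
        }
    }
}

$results | Sort-Object Status, ComputerName | Format-Table -AutoSize

# Anything not confirmed as installed goes to a follow-up list.
$gaps = @($results | Where-Object { $_.Status -ne 'Installed' })
if ($gaps.Count -gt 0) {
    $gaps | Export-Csv -Path '.\kb5084597-gaps.csv' -NoTypeInformation
    Write-Warning "$($gaps.Count) endpoint(s) not confirmed patched; see kb5084597-gaps.csv"
    exit 1
}
```

Endpoints reported as `Unknown` need a second look through another channel, since an unreachable host says nothing about its patch state.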
Bottom line
This is a targeted but important enterprise patching event: if your fleet uses hotpatch channels, validate out-of-band (OOB) coverage immediately rather than waiting for the next routine maintenance cycle.
