Full Report
Microsoft has released an out-of-band (OOB) update to fix security vulnerabilities affecting Windows 11 Enterprise devices that receive hotpatch updates instead of the regular Patch Tuesday cumulative updates. [...]
Analysis Summary
# Vulnerability: Remote Code Execution in Windows Routing and Remote Access Service (RRAS)
## CVE Details
- **CVE ID:** CVE-2026-25172, CVE-2026-25173, CVE-2026-26111
- **CVSS Score:** Not explicitly listed in text (Severity: High/Critical based on RCE classification)
- **CWE:** Not specified (likely relates to improper input or memory handling in the RRAS snap-in)
## Affected Systems
- **Products:** Windows 11 Enterprise, Windows 11 Enterprise LTSC 2024
- **Versions:** 25H2 and 24H2; OS Builds 26200.7982 and 26100.7982
- **Configurations:** Systems specifically configured to receive **hotpatch updates** instead of regular cumulative updates and utilized for remote server management.
## Vulnerability Description
The flaw exists in the Windows Routing and Remote Access Service (RRAS) management tool (Snap-in). The vulnerability is triggered when the management tool connects to a malicious server. While technically a "Remote Code Execution" flaw, the attack vector requires a client-side action where a user is tricked into initiating a connection from their administrative tool to a server controlled by the attacker.
## Exploitation
- **Status:** Not exploited (No mention of active exploitation or public PoC in provided text)
- **Complexity:** Medium (Requires tricking an authenticated domain user)
- **Attack Vector:** Network (Authenticated)
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
(RCE allows for full system compromise under the context of the user running the RRAS tool.)
## Remediation
### Patches
Microsoft has released an Out-of-Band (OOB) hotpatch to ensure these devices are protected without requiring a reboot.
- **KB5084597:** For Windows 11 24H2, 25H2, and LTSC 2024.
- **Note:** This hotpatch is generally delivered automatically via **Windows Autopatch** for enrolled devices.
### Workarounds
- Ensure administrators do not use the RRAS Snap-in to connect to untrusted or unknown servers.
- Restrict the use of RRAS management tools to highly privileged, isolated administrative workstations (PAWs).
## Detection
- **Indicators of Compromise:** Unusual outbound network traffic from the RRAS management console (`mmc.exe` loading the RRAS snap-in) to unauthorized external or internal IP addresses.
- **Detection methods and tools:** Audit Windows Event Logs for RRAS management activity and monitor for unexpected process spawning from the Microsoft Management Console (MMC).
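As an added example (not part of the original advisory or of any Microsoft tooling), the following PowerShell check reads the local build number and UBR and compares them against the fixed OS builds named above (26100.7982 and 26200.7982), so a fleet query can separate patched, unpatched and out-of-scope devices. The registry path and property names are the standard Windows version keys; the `Get-HotFix` lookup for KB5084597 is a secondary, best-effort check, since it is an assumption that hotpatch KBs are enumerated there.

```powershell
# Fixed build levels from the advisory: KB5084597 lifts these two build lines to UBR 7982.
$fixedUbr = @{
    '26100' = 7982   # Windows 11 24H2 and Enterprise LTSC 2024
    '26200' = 7982   # Windows 11 25H2
}

function Test-RrasHotpatchLevel {
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    $osBuild = "$build.$ubr"

    if (-not $fixedUbr.ContainsKey($build)) {
        # Not one of the hotpatch-eligible build lines the advisory covers.
        return [pscustomobject]@{ OSBuild = $osBuild; Status = 'NotInScope'; KB5084597 = $null }
    }

    # Best-effort: hotpatch KBs may not be listed by Get-HotFix (assumption), so absence alone
    # is not proof the device is unpatched; the UBR comparison is the authoritative signal.
    $kbPresent = [bool](Get-HotFix -Id 'KB5084597' -ErrorAction SilentlyContinue)

    $status = if ($ubr -ge $fixedUbr[$build]) { 'Patched' } else { 'Vulnerable' }
    [pscustomobject]@{ OSBuild = $osBuild; Status = $status; KB5084597 = $kbPresent }
}

# Optional: flag admin workstations where MMC has recently spawned child processes
# (Security event 4688 carries ParentProcessName when process-creation auditing is on).
function Get-MmcChildProcesses {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[13].Value -like '*\mmc.exe' } |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Parent = $_.Properties[13].Value; Child = $_.Properties[5].Value }
        }
}

Test-RrasHotpatchLevel
Get-MmcChildProcesses -Hours 24
```

Run with administrative rights so the Security log is readable; a `Vulnerable` result on a device enrolled in Windows Autopatch means the OOB hotpatch has not yet applied.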
## References
- **Vendor Advisory:** hxxps[://]support[.]microsoft[.]com/en-us/topic/march-13-2026-hotpatch-kb5084597-os-builds-26200-7982-and-26100-7982-out-of-band-ef323fee-e70f-4f43-8bbc-1021c435bf5c
- **MSRC Guide:** hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-25172
- **Additional Context:** hxxps[://]www[.]bleepingcomputer[.]com/news/microsoft/microsoft-re-releases-windows-11-oob-hotpatch-to-fix-rras-rce-flaw/