Full Report
Microsoft has released an out-of-band (OOB) update to fix security vulnerabilities affecting Windows 11 Enterprise devices that receive hotpatch updates instead of the regular Patch Tuesday cumulative updates. [...]
Analysis Summary
# Vulnerability: Windows RRAS Management Tool Remote Code Execution
## CVE Details
- **CVE ID:** CVE-2026-25172, CVE-2026-25173, CVE-2026-26111
- **CVSS Score:** Not stated in the article. The 7.8 to 8.8 range sometimes quoted for RRAS RCEs comes from earlier RRAS advisories, not from Microsoft's scoring of these three CVEs; check the MSRC entries for the authoritative values.
- **CWE:** Not stated in the article. CWE-94 (Improper Control of Generation of Code) or CWE-119 (Memory Corruption) are plausible for a crafted-response RCE, but neither is confirmed by the source.
## Affected Systems
- **Products:** Windows 11 Enterprise devices receiving Hotpatch updates via Windows Autopatch.
- **Versions:**
- Windows 11 Version 25H2
- Windows 11 Version 24H2
- Windows 11 Enterprise LTSC 2024
- **Configurations:** Administrative workstations on which the Routing and Remote Access Service (RRAS) snap-in for Microsoft Management Console is used to manage remote RRAS servers. The affected component is the management snap-in on the client, not the RRAS server service.
## Vulnerability Description
The flaw exists in the Windows Routing and Remote Access Service (RRAS) management tool, the RRAS snap-in hosted by Microsoft Management Console (mmc.exe). It is a client-side remote code execution vulnerability: the snap-in must be pointed at a server the attacker controls. When that server returns a specially crafted response, the snap-in mishandles the data (the article does not say whether this is memory corruption or another parsing defect), and the attacker obtains code execution in the security context of the user running the snap-in. Because RRAS management is normally performed by administrators, that context is frequently a privileged one.
## Exploitation
- **Status:** Fixed via Out-Of-Band (OOB) update; no reports of exploitation in the wild mentioned in the text.
- **Complexity:** Medium (Requires tricking a target user).
- **Attack Vector:** Network, with user interaction. The attacker does not need credentials on the victim's domain; the prerequisite is that a user connects the RRAS snap-in to an attacker-controlled server, which then delivers the crafted response.
## Impact
- **Confidentiality:** High (Full access to the management workstation).
- **Integrity:** High (Ability to execute arbitrary code).
- **Availability:** High (Potential for system crash or takeover).
## Remediation
### Patches
- **Hotpatch Update:** KB5084597 (OS Builds 26200.7982 and 26100.7982).
- **Cumulative Update:** March 2026 Patch Tuesday updates (requires reboot, whereas the Hotpatch does not).
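Verifying the fix across a fleet means comparing each device's OS build against the builds named in the KB. The following is an added example, not code from the Microsoft article: it parses build strings as exported by inventory tooling (`winver`, `Get-ComputerInfo`, an MDM report) and decides whether the device is at or beyond 26200.7982 (25H2) or 26100.7982 (24H2 and Enterprise LTSC 2024). It assumes that the update build revision (UBR) only ever increases within a build line, so a later revision also contains the fix, and it treats build lines outside the hotpatch program (for example 22631, which is 23H2) as not covered rather than as patched. The hostnames and build strings in the sample are constructed.

```python
"""Check Windows 11 build strings against the KB5084597 hotpatch level.

Added example for this advisory; not Microsoft code. Fixed builds are the
ones named in the KB title: 26200.7982 and 26100.7982.
"""
import re

# Build line -> minimum UBR that contains the fix (from the KB title).
FIXED_UBR = {26200: 7982, 26100: 7982}

# Matches '26100.7982' inside '10.0.26100.7982' or 'OS Build 26100.7982'.
BUILD_RE = re.compile(r"(?<!\d)(\d{5})\.(\d{1,5})(?!\d)")


def parse_build(text: str):
    """Return (build, ubr) from a version string, or None if absent."""
    m = BUILD_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_patched(text: str) -> bool:
    """True when the build line is covered by the hotpatch and the UBR is
    at or past the fixed revision. Unknown build lines return False: a
    device outside the hotpatch program needs the cumulative update and
    cannot be assumed fixed from this table."""
    parsed = parse_build(text)
    if parsed is None:
        return False
    build, ubr = parsed
    fixed = FIXED_UBR.get(build)
    return fixed is not None and ubr >= fixed


def triage(inventory):
    """Split (hostname, build_string) pairs into patched and unpatched hosts."""
    patched, unpatched = [], []
    for host, build in inventory:
        (patched if is_patched(build) else unpatched).append(host)
    return patched, unpatched


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are illustrative.
    sample = [
        ("ws-01", "10.0.26200.7982"),        # 25H2, exactly at hotpatch level
        ("ws-02", "OS Build 26100.7462"),    # 24H2, earlier revision: missing
        ("ws-03", "10.0.26100.8001"),        # 24H2, later revision: contains fix
        ("ws-04", "10.0.22631.5039"),        # 23H2, not in hotpatch program
    ]
    ok, missing = triage(sample)
    print("patched  :", ok)
    print("unpatched:", missing)
```

Feed `triage` the build column of whatever inventory export you already have; hosts it lists as unpatched are the ones to chase, and any host on an unlisted build line needs the March 2026 cumulative update rather than the hotpatch.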
### Workarounds
- Microsoft has not provided specific workarounds; however, standard security hygiene suggests avoiding the use of the RRAS Snap-in to connect to untrusted or unverified remote servers.
## Detection
- **Indicators of Compromise:** No file hashes, domains or IP addresses are provided in the article. Behavioural detection is the practical option: alert on mmc.exe spawning command interpreters or living-off-the-land binaries, and treat crashes of mmc.exe while the RRAS snap-in is loaded as possible failed exploitation attempts worth correlating with the server the snap-in was connected to.
- **Detection methods and tools:** Windows Autopatch reporting, or a check of the device's OS build (for example `winver`, or the `UBR` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion`) against 26200.7982 / 26100.7982, confirms whether KB5084597 has been applied.
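The process-tree detection described above, worked through as an added example rather than a rule from the article or from Microsoft. The event lines are constructed to resemble the fields of Sysmon Event ID 1 (ProcessCreate); the key=value layout, the allow-list of children mmc.exe normally spawns, and the list of interpreters and LOLBins are assumptions of this example. The snap-in is identified by `rrasmgmt.msc`, the console file the RRAS snap-in is opened from, which the article itself does not name. Two things are flagged: an interpreter or LOLBin launched under mmc.exe (high severity), and a WerFault.exe crash handler launched under mmc.exe while the RRAS console is loaded (low severity, a possible failed exploitation attempt).

```python
"""Flag suspicious children of mmc.exe in process-creation events.

Added example for this advisory; not a Microsoft-supplied rule. Sample
events are constructed to look like Sysmon Event ID 1 fields.
"""
import re

# Children that mmc.exe spawns in normal snap-in use (assumed allow-list).
EXPECTED_CHILDREN = {"mmc.exe", "dllhost.exe", "werfault.exe"}
# Interpreters and LOLBins a post-exploitation payload usually lands in.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe",
}

# key=value pairs; a value runs until the next ' key=' or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Split one constructed event line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_rras_snapin(parent_cmd: str) -> bool:
    """True when mmc.exe was launched with the RRAS console (rrasmgmt.msc)."""
    return "rrasmgmt.msc" in parent_cmd.lower()


def classify(child: str, parent_cmd: str):
    """Return (severity, reason) for a child of mmc.exe, or None if benign."""
    rras = is_rras_snapin(parent_cmd)
    if child in SUSPICIOUS_CHILDREN:
        reason = "interpreter/LOLBin spawned by mmc.exe"
        return "high", reason + (" while RRAS snap-in loaded" if rras else "")
    if child == "werfault.exe":
        # A crash of the console with the RRAS snap-in loaded is worth a look:
        # a malformed server response that did not land cleanly ends here.
        if rras:
            return "low", "mmc.exe crashed with RRAS snap-in loaded; possible failed exploitation"
        return None
    if child not in EXPECTED_CHILDREN:
        return "medium", "unexpected child of mmc.exe"
    return None


def analyze(lines):
    """Return a list of findings for ProcessCreate events parented by mmc.exe."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue
        if basename(ev.get("ParentImage", "")) != "mmc.exe":
            continue
        child = basename(ev.get("Image", ""))
        parent_cmd = ev.get("ParentCommandLine", "")
        verdict = classify(child, parent_cmd)
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({
            "utc": ev.get("UtcTime", ""),
            "severity": severity,
            "child": child,
            "command": ev.get("CommandLine", ""),
            "reason": reason,
        })
    return findings


# Constructed sample events (not real telemetry): console launch, a crash
# handler under the console, an encoded PowerShell child, and unrelated noise.
SAMPLE_EVENTS = [
    r'EventID=1 UtcTime=2026-03-13 14:02:11.101 Image=C:\Windows\System32\mmc.exe ParentImage=C:\Windows\explorer.exe CommandLine="C:\Windows\system32\mmc.exe" C:\Windows\system32\rrasmgmt.msc ParentCommandLine=C:\Windows\Explorer.EXE',
    r'EventID=1 UtcTime=2026-03-13 14:03:40.555 Image=C:\Windows\System32\WerFault.exe ParentImage=C:\Windows\System32\mmc.exe CommandLine=C:\Windows\system32\WerFault.exe -u -p 4120 -s 1324 ParentCommandLine="C:\Windows\system32\mmc.exe" C:\Windows\system32\rrasmgmt.msc',
    r'EventID=1 UtcTime=2026-03-13 14:03:41.002 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\mmc.exe CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgA ParentCommandLine="C:\Windows\system32\mmc.exe" C:\Windows\system32\rrasmgmt.msc',
    r'EventID=1 UtcTime=2026-03-13 14:05:00.000 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine=notepad.exe ParentCommandLine=C:\Windows\Explorer.EXE',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['utc']} [{f['severity']}] {f['child']}: {f['reason']} :: {f['command']}")
```

The parser is deliberately minimal; in a SIEM the same logic maps onto the ParentImage, Image and ParentCommandLine fields of whatever process-creation source you ingest. The low-severity crash finding is the one to correlate with which server the snap-in had been pointed at, since the article gives no network indicators to pivot on.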
## References
- **Microsoft Support KB:** hxxps[://]support[.]microsoft[.]com/en-us/topic/march-13-2026-hotpatch-kb5084597-os-builds-26200-7982-and-26100-7982-out-of-band-ef323fee-e70f-4f43-8bbc-1021c435bf5c
- **MSRC Vulnerability Guide:** hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-25172
- **Hotpatch Management Documentation:** hxxps[://]learn[.]microsoft[.]com/en-us/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates