Full Report
Microsoft has released an emergency update to fix a Bluetooth device visibility issue on hotpatch-enabled Windows 11 Enterprise devices. [...]
Analysis Summary
# Vulnerability: Windows RRAS Remote Code Execution and Bluetooth Visibility Bug
## CVE Details
*Note: The primary article discusses an OOB stability hotpatch that carries security fixes for the following CVEs.*
- **CVE ID:** CVE-2026-XXXXX (Specific IDs not listed, but refers to three high-severity RRAS vulnerabilities)
- **CVSS Score:** Not explicitly stated (Categorized as "High-Severity")
- **CWE:** Likely CWE-94 (Improper Control of Generation of Code) or CWE-20 (Improper Input Validation) based on RCE description.
## Affected Systems
- **Products:** Windows 11 Enterprise (Hotpatch-enabled)
- **Versions:** Windows 11, version 24H2 and 25H2
- **Configurations:** Systems receiving hotpatch updates specifically; standard Windows Update branches are not affected by the Bluetooth visibility bug described. For the RRAS flaw, domain-joined client devices used for remote server management are the primary targets.
## Vulnerability Description
This summary covers two distinct issues addressed in the emergency release:
1. **Bluetooth Visibility Issue:** A functional flaw in hotpatch-enabled Windows 11 Enterprise where Bluetooth devices disappear from "Windows Settings" and "Quick Settings" UI. While devices remain connected and functional, the UI failure prevents users from managing or adding new devices.
2. **RRAS RCE Vulnerability:** Three high-severity flaws in the Windows Routing and Remote Access Service (RRAS) management tool. The flaws are triggered when the RRAS snap-in connects to a malicious server and processes its response, leading to remote code execution on the client machine running the snap-in.
## Exploitation
- **Status:**
  - Bluetooth Visibility: Functional bug, no exploitation.
  - RRAS RCE: No report of exploitation in the wild at this time.
- **Complexity:** High (Requires tricking an authenticated domain user into connecting to a malicious server).
- **Attack Vector:** Network (Targeting the RRAS Snap-in).
## Impact
- **Confidentiality:** High (Full system compromise via RCE)
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
- **KB5084897:** Out-of-band (OOB) cumulative hotpatch for Windows 11 24H2/25H2 (released March 16, 2026). This update includes all March 2026 security patches and the Bluetooth UI fix.
- **KB5084597:** Previous OOB hotpatch (released March 13, 2026) specifically addressing the RRAS vulnerabilities.
### Workarounds
- For the Bluetooth issue: No manual workaround provided other than applying the OOB hotpatch.
- For RRAS: Avoid using the RRAS Snap-in to connect to untrusted or unknown remote servers.
## Detection
- **Indicators of Compromise:** Unusual outbound traffic from the RRAS Snap-in (mmc.exe) to unverified external IP addresses.
- **Detection Methods:** Monitor for "hotpatch" installation status via Windows Update history. Verify that systems are on build versions corresponding to KB5084897.
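The following PowerShell script is an added example (not part of the advisory or of any Microsoft tooling) of the verification step above: it reads Windows Update history through the Windows Update Agent COM API, looks for the KB5084897 or KB5084597 OOB hotpatch entries, cross-checks with `Get-HotFix`, and reports the OS build so the result can be correlated with the build that KB5084897 installs. It assumes the KB number appears in the update title in history, as it does for updates listed under Settings > Windows Update > Update history.

```powershell
# Added example: verify that a Windows 11 24H2/25H2 hotpatch device has received
# the OOB hotpatch KB5084897 (or the earlier KB5084597 that carried the RRAS fixes).
# Assumption: the KB number is present in the title recorded in Windows Update history.

$RequiredKbs = @('KB5084897', 'KB5084597')

# Query Windows Update history via the Windows Update Agent COM API.
$Session  = New-Object -ComObject 'Microsoft.Update.Session'
$Searcher = $Session.CreateUpdateSearcher()
$Count    = $Searcher.GetTotalHistoryCount()
$History  = if ($Count -gt 0) { $Searcher.QueryHistory(0, $Count) } else { @() }

# OperationResultCode: 2 = Succeeded, 3 = Succeeded with errors.
$Installed = $History |
    Where-Object { $_.ResultCode -in 2, 3 -and $_.Title -match 'KB\d{7}' } |
    ForEach-Object {
        [pscustomobject]@{
            KB    = [regex]::Match($_.Title, 'KB\d{7}').Value
            Date  = $_.Date
            Title = $_.Title
        }
    }

$FoundInHistory = $Installed | Where-Object { $RequiredKbs -contains $_.KB }

# Cross-check with the installed-hotfix list (may not list every hotpatch, so history is primary).
$FoundHotFix = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $RequiredKbs -contains $_.HotFixID }

# Report the OS build (CurrentBuild.UBR) for correlation with the KB5084897 build.
$Ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$Build = "$($Ver.CurrentBuild).$($Ver.UBR)"

if ($FoundInHistory -or $FoundHotFix) {
    "Hotpatch present on build $Build :"
    $FoundInHistory | Format-Table KB, Date, Title -AutoSize
    $FoundHotFix    | Format-Table HotFixID, InstalledOn -AutoSize
} else {
    "No KB5084897/KB5084597 entry found on build $Build; device is still exposed to the RRAS flaws and the Bluetooth UI bug."
}
```

Run it in an elevated PowerShell session on each hotpatch-enrolled device, or push it through your management tooling and collect the output line; a device that reports neither KB should be prioritised for the OOB update.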
## References
- Microsoft Message Center: [https[:]//learn[.]microsoft[.]com/en-us/windows/release-health/windows-message-center#3802]
- Microsoft Hotpatch Documentation: [https[:]//learn[.]microsoft[.]com/en-us/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates]
- KB Support Article: [https[:]//support[.]microsoft[.]com/topic/74c779d7-e666-49a2-a809-1cbb31a79e7f]