Microsoft Releases Out-of-Band Hotpatch KB5084597 for Critical Windows RRAS Remote Code Execution Vulnerabilities

Microsoft Rushes Emergency Hotpatch for Critical RCE Flaws in Windows RRAS

CRITICAL
March 13, 2026
5m read
VulnerabilityPatch ManagementCyberattack

Related Entities

Products & Tech

Windows 11 Windows Routing and Remote Access Service (RRAS)

CVE Identifiers

CVE-2026-25172
CRITICAL
CVEDetails.com CVE.org
CVE-2026-25173
CRITICAL
CVEDetails.com CVE.org
CVE-2026-26111
CRITICAL
CVEDetails.com CVE.org

MITRE ATT&CK Techniques

T1210Lateral Movement

Exploitation of Remote Services

T1021.002Lateral Movement

SMB/Windows Admin Shares

T1078Defense Evasion

Valid Accounts

Full Report

Executive Summary

On March 13, 2026, Microsoft took the urgent step of releasing an out-of-band hotpatch, KB5084597, to remediate three critical vulnerabilities in the Windows Routing and Remote Access Service (RRAS). The flaws, tracked as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111, could enable remote code execution (RCE) on affected systems. The vulnerabilities reside in the RRAS management tool and can be exploited if an administrator is tricked into connecting to a malicious server. Given that RRAS is a fundamental component for enterprise VPN and routing, these vulnerabilities present a significant risk. The update is available for Windows 11 versions 25H2 and 24H2 and is being deployed automatically to devices enrolled in Windows Autopatch, with a zero-reboot installation for enabled systems.

Vulnerability Details

The emergency patch addresses three distinct vulnerabilities within the RRAS management tool:

  • CVE-2026-25172, CVE-2026-25173, CVE-2026-26111: While Microsoft has not provided deep technical specifics for each CVE, the collective threat allows for remote code execution. The attack vector requires an authenticated user (such as a network administrator) to connect their RRAS management tool to a malicious server controlled by the attacker. This interaction triggers the vulnerability.
  • One of the flaws is described as an integer overflow or wraparound. This class of vulnerability typically occurs when a mathematical operation results in a value that exceeds the maximum size for its integer type, which can lead to buffer overflows and subsequent arbitrary code execution.

The attack requires user interaction, but the target audience—network administrators with privileged access—makes any successful exploitation highly impactful.

Affected Systems

  • Operating System: Windows 11, version 25H2; Windows 11, version 24H2; Windows 11 Enterprise LTSC 2024.
  • Component: Windows Routing and Remote Access Service (RRAS) management tool.
  • Patch: KB5084597 (Cumulative update that also includes the March 10 security update).

Exploitation Status

As of the release, Microsoft has not indicated that these vulnerabilities are being actively exploited in the wild. However, the decision to issue an emergency out-of-band patch suggests that the flaws may be easily weaponized or that a proof-of-concept exploit is imminent. The 'Exploitation More Likely' assessment often accompanies such releases.

Impact Assessment

The business impact of these vulnerabilities is severe. RRAS is a cornerstone of remote access for many organizations, managing VPN connections and network routing. A successful RCE exploit on an administrator's machine could lead to a complete compromise of the network infrastructure. An attacker could:

  • Install malware or ransomware on the administrator's workstation and pivot to other systems.
  • Modify routing tables or VPN configurations to intercept or redirect sensitive corporate traffic.
  • Create rogue administrator accounts.
  • Exfiltrate sensitive data from the network.

The requirement for an administrator to connect to a malicious server means the attack is likely to be delivered via sophisticated social engineering or by compromising a legitimate server that the administrator trusts.

Cyber Observables for Detection

Hunting for exploitation of these vulnerabilities involves monitoring administrator activity and network traffic related to RRAS.

Type
network_traffic_pattern
Value
RRAS management connections to untrusted IPs
Description
Monitor for connections from administrator workstations using the RRAS protocol (e.g., PPTP, L2TP) to IP addresses outside of the known corporate or partner ranges.
Context
Firewall logs, NetFlow data
Confidence
high
Type
process_name
Value
rrasmgmt.dll or related processes
Description
Look for anomalous behavior associated with RRAS management processes, such as unexpected child processes or memory corruption errors.
Context
EDR logs, Windows System Event Log
Confidence
medium
Type
log_source
Value
Windows RRAS event logs
Description
A sudden spike in errors or unexpected disconnection/connection events in the RRAS logs could indicate an attempted exploit.
Context
Windows Event Viewer (Routing and Remote Access logs)
Confidence
medium
Type
command_line_pattern
Value
mmc.exe rrasmgmt.msc
Description
Monitor for unusual command-line arguments or execution patterns of the RRAS management console.
Context
EDR process creation logs
Confidence
low

Detection Methods

  • Log Analysis: Centralize and monitor Windows RRAS logs. Establish a baseline of normal connection patterns for administrators and alert on deviations, such as connections to new or suspicious external IP addresses. This aligns with D3FEND's D3-RAPA - Resource Access Pattern Analysis.
  • Network Traffic Analysis: Use network intrusion detection systems (NIDS) and traffic analysis tools to look for malformed RRAS packets or protocol anomalies that might indicate an exploit attempt.
  • Endpoint Monitoring: Deploy EDR to monitor the behavior of mmc.exe and its loaded modules (rrasmgmt.dll). Alert on any attempts by these processes to launch shells or write to sensitive system locations.

Remediation Steps

  1. Apply the Patch: The most critical action is to deploy the KB5084597 update immediately across all affected Windows 11 systems. Utilize Windows Update, WSUS, or the Microsoft Update Catalog. This is a direct application of D3FEND's D3-SU - Software Update.
  2. Prioritize Deployment: Prioritize patching for all administrator workstations and servers used for network management.
  3. Verify Installation: Confirm that the patch has been successfully installed. The hotpatching feature on supported Enterprise SKUs allows this to happen without a reboot, but verification is still essential.
  4. Restrict Access (Compensating Control): As a temporary measure, restrict the ability for RRAS management tools to connect to external, untrusted servers using perimeter firewall rules. This aligns with M1035 - Limit Access to Resource Over Network.

Timeline of Events

1
March 13, 2026
Microsoft releases emergency hotpatch KB5084597 for critical RRAS vulnerabilities.
2
March 13, 2026
This article was published

MITRE ATT&CK Mitigations

Update Software

M1051

Immediately apply the KB5084597 security update to all affected Windows 11 systems.

Mapped D3FEND Techniques:

D3-SU

Filter Network Traffic

M1037

Restrict outbound RRAS management traffic from administrator workstations to only known, trusted servers.

Mapped D3FEND Techniques:

D3-NI

Privileged Account Management

M1026

Use just-in-time (JIT) access for administrative tasks and separate administrative accounts from standard user accounts to limit exposure.

Mapped D3FEND Techniques:

D3-LAM

Timeline of Events

1
March 13, 2026

Microsoft releases emergency hotpatch KB5084597 for critical RRAS vulnerabilities.

Sources & References

KB5084597: Microsoft outs Windows 11 25H2, 24H2 emergency update for a critical network flaw
Neowin (neowin.net) March 14, 2026
Windows message center
Microsoft (microsoft.com) March 13, 2026
Microsoft Releases Emergency Patch for Critical RRAS RCE Flaw in Windows 11
BleepingComputer (bleepingcomputer.com) March 16, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

MicrosoftWindows 11RRASVulnerabilityRemote Code ExecutionPatch ManagementHotpatch

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.