
On March 13, 2026, Microsoft released out-of-band update KB5084597 to remediate three remote code execution (RCE) vulnerabilities in the Routing and Remote Access Service (RRAS) MMC snap-in: CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111.
Attack surface and exploitation vector
The three vulnerabilities reside in the RRAS MMC snap-in used to manage RRAS servers remotely. The attack vector is client-side: the target is the management workstation running the snap-in, not the RRAS server. An attacker who already holds domain credentials must convince a domain-joined user to point the RRAS snap-in at a server the attacker controls; the malicious server then exploits the snap-in while the remote management session is being established, abusing the trust the MMC management component places in the server it connects to. Two prerequisites limit opportunistic exploitation (prior domain authentication and user interaction), but a successful attack lands on an administrator's workstation, which is exactly the host most worth protecting.
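Because the vector is the snap-in reaching out to a server, the practical hunt is to find which workstations actually run the RRAS console and whether mmc.exe has connected to hosts that are not known RRAS servers; that also answers the later question of which endpoints to prioritize. The following PowerShell is an added example, not code from the advisory or from Microsoft. It assumes Sysmon is deployed with process-create (ID 1) and network-connect (ID 3) logging, and that the snap-in is hosted by mmc.exe and launched via rrasmgmt.msc (an assumption, not stated on the page). The allow-list and the sample events are constructed for illustration.

```powershell
<#
  Added example (not from the advisory). Finds RRAS console usage and flags mmc.exe
  connections to hosts outside the RRAS server allow-list. Assumes Sysmon IDs 1 and 3
  are logged and that the snap-in runs in mmc.exe via rrasmgmt.msc (assumption).
#>

# Known-good RRAS servers for this environment (constructed placeholder values).
$KnownRrasServers = @('10.0.5.10', 'rras01.corp.example')

function ConvertFrom-SysmonEvent {
    # Flatten a Sysmon EventRecord into a hashtable of EventData fields plus metadata.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $h = @{ Id = $Record.Id; TimeCreated = $Record.TimeCreated; Host = $Record.MachineName }
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Find-RrasConsoleActivity {
    param(
        [Parameter(Mandatory)][hashtable[]]$Events,   # output of ConvertFrom-SysmonEvent
        [string[]]$AllowList = $KnownRrasServers
    )
    # ID 1: mmc.exe started with the RRAS console (rrasmgmt.msc, assumed file name).
    $launches = $Events | Where-Object {
        $_.Id -eq 1 -and $_.Image -match '\\mmc\.exe$' -and $_.CommandLine -match 'rrasmgmt\.msc'
    }
    # ID 3: any mmc.exe outbound connection whose IP and hostname are both off the allow-list.
    $suspect = $Events | Where-Object {
        $_.Id -eq 3 -and $_.Image -match '\\mmc\.exe$' -and
        $_.DestinationIp -notin $AllowList -and $_.DestinationHostname -notin $AllowList
    }
    [pscustomobject]@{
        RrasConsoleHosts      = @($launches | ForEach-Object { $_.Host } | Sort-Object -Unique)
        RrasConsoleUsers      = @($launches | ForEach-Object { $_.User } | Sort-Object -Unique)
        UnexpectedConnections = @($suspect | ForEach-Object {
            [pscustomobject]@{ Host = $_.Host; User = $_.User; DestinationIp = $_.DestinationIp
                               DestinationHostname = $_.DestinationHostname; Port = $_.DestinationPort
                               TimeCreated = $_.TimeCreated }
        })
    }
}

function Get-SysmonEventsFromLog {
    # Live collection; run on the management workstation or against forwarded events.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 3 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-SysmonEvent $_ }
}

# Constructed sample: one console launch, one connection to a known RRAS server,
# one to an unknown host. Port values are placeholders, not a claim about the protocol.
$sample = @(
    @{ Id = 1; Host = 'ADMIN-WS01'; User = 'CORP\jdoe'; Image = 'C:\Windows\System32\mmc.exe'
       CommandLine = '"C:\Windows\System32\mmc.exe" C:\Windows\System32\rrasmgmt.msc'; TimeCreated = Get-Date }
    @{ Id = 3; Host = 'ADMIN-WS01'; User = 'CORP\jdoe'; Image = 'C:\Windows\System32\mmc.exe'
       DestinationIp = '10.0.5.10'; DestinationHostname = 'rras01.corp.example'; DestinationPort = '135'; TimeCreated = Get-Date }
    @{ Id = 3; Host = 'ADMIN-WS01'; User = 'CORP\jdoe'; Image = 'C:\Windows\System32\mmc.exe'
       DestinationIp = '198.51.100.23'; DestinationHostname = 'updates-rras.example'; DestinationPort = '135'; TimeCreated = Get-Date }
)
Find-RrasConsoleActivity -Events $sample | Format-List
# Against real telemetry: Find-RrasConsoleActivity -Events (Get-SysmonEventsFromLog)
```

On the constructed sample the result lists ADMIN-WS01 and CORP\jdoe as RRAS console users and reports the 198.51.100.23 connection as unexpected while the 10.0.5.10 one is ignored. mmc.exe hosts many snap-ins, so treat the ID 3 hits as leads to correlate with the ID 1 launches rather than as verdicts on their own.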
Affected scope
The hotpatch applies exclusively to Windows 11 Enterprise devices (24H2, 25H2, LTSC 2024) enrolled in the Windows Autopatch hotpatch program; within that population, the at-risk subset is the endpoints actually used to run the RRAS snap-in for remote administration. RRAS servers themselves are not within the scope of this specific update.
Delivery mechanism: hotpatch vs cumulative update
All three CVEs were already remediated in the March 10, 2026 Patch Tuesday cumulative update, which requires a reboot to take effect. For hotpatch-enrolled devices, KB5084597 applies the fixes by patching the code of running processes in memory, so no reboot is required. The on-disk files are updated at the same time so the fix persists across the next scheduled reboot. Microsoft indicates it re-released this hotpatch to ensure comprehensive coverage across all affected scenarios.
Actions for patch management and VOC teams
- Identify Windows 11 Enterprise 24H2/25H2/LTSC 2024 endpoints enrolled in Windows Autopatch and verify automatic deployment of KB5084597 in the Autopatch console.
- For non-Autopatch endpoints: confirm the March 10, 2026 cumulative update has been applied and that the machine has rebooted since it was installed; a cumulative update that is installed but still pending reboot leaves the running snap-in unpatched.
- Prioritize endpoints used for remote server administration via RRAS (admin profiles, jump hosts, Windows bastion hosts).
- All three CVEs carry an identical description on MSRC. That does not by itself guarantee an identical CVSS score; confirm the score and exploitability assessment for each CVE on its MSRC advisory before setting remediation SLAs.
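The checks in the list above can be scripted for one endpoint and pushed through your RMM or a scheduled task. The following PowerShell is an added example, not code from the advisory, Microsoft, or Windows Autopatch. It reads the Windows Update history through the WUA COM API (Get-HotFix does not reliably list every package), looks for KB5084597, and otherwise looks for a cumulative update dated on or after March 10, 2026 followed by a reboot. The March cumulative update's own KB number is not on this page, so it is not hard-coded. Assumptions not stated on the page: the RRAS console ships as rrasmgmt.msc / RSAT capability Rsat.RemoteAccess.Management.Tools, the standard CBS and Windows Update registry keys are used as the reboot-pending signal, and running VBS is used as a proxy for hotpatch readiness.

```powershell
<#
  Added example (not from the advisory). Reports whether this endpoint is in the affected
  population and whether it is covered by the hotpatch or by the cumulative update + reboot.
  Assumptions: rrasmgmt.msc / Rsat.RemoteAccess.Management.Tools identify the RRAS console;
  CBS/WU RebootPending keys signal a pending reboot; VBS status 2 indicates hotpatch readiness.
  Run elevated.
#>
param(
    [string]$HotpatchKb = 'KB5084597',
    [datetime]$CumulativeReleaseDate = [datetime]'2026-03-10'
)

$os = Get-CimInstance Win32_OperatingSystem
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$displayVersion = $cv.DisplayVersion                      # e.g. 24H2, 25H2 (LTSC 2024 reports 24H2)
$isEnterprise   = $os.Caption -match 'Enterprise'        # matches Enterprise and Enterprise LTSC
$inScope        = $isEnterprise -and ($displayVersion -in @('24H2', '25H2'))

# Windows Update history via the Windows Update Agent COM API. Dates are UTC.
$searcher  = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$count     = $searcher.GetTotalHistoryCount()
$history   = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }
$succeeded = $history | Where-Object { $_.ResultCode -in 2, 3 }   # 2 = Succeeded, 3 = SucceededWithErrors

$hotpatch = $succeeded | Where-Object { $_.Title -match [regex]::Escape($HotpatchKb) } |
            Sort-Object Date -Descending | Select-Object -First 1
# Any cumulative update released on/after Patch Tuesday counts (a later preview CU supersedes it).
$cu = $succeeded | Where-Object { $_.Title -match 'Cumulative Update' -and $_.Date -ge $CumulativeReleaseDate } |
      Sort-Object Date -Descending | Select-Object -First 1

# Reboot-pending markers written by Component Based Servicing and Windows Update (assumed signal).
$rebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
                 (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')
$rebootedSinceCu = $cu -and ($os.LastBootUpTime.ToUniversalTime() -gt $cu.Date) -and (-not $rebootPending)

# VBS running (status 2) is a prerequisite for hotpatching; used here as a readiness proxy (assumption).
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$vbsRunning = $dg.VirtualizationBasedSecurityStatus -eq 2

# Is the RRAS console present on this box? (assumed file name / capability name)
$rrasConsole = Test-Path "$env:SystemRoot\System32\rrasmgmt.msc"
$rsatRras    = Get-WindowsCapability -Online -Name 'Rsat.RemoteAccess.Management.Tools*' -ErrorAction SilentlyContinue |
               Where-Object State -eq 'Installed'

$status = if ($hotpatch)            { 'Protected (hotpatch installed)' }
          elseif ($rebootedSinceCu) { 'Protected (cumulative update + reboot)' }
          elseif ($cu)              { 'Cumulative update installed, REBOOT REQUIRED' }
          else                      { 'UNPATCHED' }

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    Edition          = $os.Caption
    DisplayVersion   = $displayVersion
    Build            = "$($os.BuildNumber).$($cv.UBR)"
    InScope          = $inScope
    HotpatchKb       = if ($hotpatch) { $hotpatch.Date.ToString('s') } else { 'absent' }
    CumulativeUpdate = if ($cu) { $cu.Title } else { 'absent' }
    LastBootUtc      = $os.LastBootUpTime.ToUniversalTime()
    RebootPending    = $rebootPending
    VbsRunning       = $vbsRunning
    RrasConsole      = $rrasConsole -or [bool]$rsatRras
    Status           = $status
}
```

Endpoints reporting InScope = True, RrasConsole = True and any Status other than "Protected" are the ones to escalate first. A hotpatch-enrolled device that still shows "REBOOT REQUIRED" is worth a second look at its Autopatch enrollment, since the whole point of KB5084597 is to close the window without waiting for that reboot.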
Sources:
- BleepingComputer, Microsoft releases Windows 11 OOB hotpatch to fix RRAS RCE flaw (March 14, 2026): https://www.bleepingcomputer.com/news/security/microsoft-releases-windows-11-oob-hotpatch-to-fix-rras-rce-flaw/
- Microsoft Support, KB5084597 (March 13, 2026): https://support.microsoft.com/en-us/topic/kb5084597
- CVE-2026-25172: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25172
- CVE-2026-25173: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25173
- CVE-2026-26111: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26111
