
Microsoft Issues Out-of-Band Security Update for Windows 11 RRAS Vulnerabilities


Microsoft has released an emergency out-of-band update (KB5084597) to fix three integer-overflow vulnerabilities in the Windows Routing and Remote Access Service (RRAS). The update is a hotpatch and applies to Windows 11 Enterprise environments that use hotpatch functionality. If left unpatched, these flaws could be exploited to execute arbitrary code on the affected system.

Vulnerability Details

CVE-2026-25172 – Windows RRAS integer overflow vulnerability

Description:
CVE-2026-25172 is an integer overflow or wraparound vulnerability in the Windows Routing and Remote Access Service (RRAS), with a CVSS score of 8.8 (High). The flaw arises due to improper handling of integer values within RRAS components. An authenticated attacker within the domain could exploit this vulnerability by convincing a domain-joined user to send a specially crafted request to a malicious server via the RRAS Snap-in, potentially leading to remote code execution.

Impact:

  • Remote Code Execution (RCE)
  • Unauthorized System Access

CVE-2026-25173 – Windows RRAS integer overflow vulnerability

Description:
CVE-2026-25173 is an integer overflow or wraparound vulnerability affecting the Windows RRAS component. The issue stems from improper validation of input data, which may allow an authenticated attacker to manipulate memory operations. Exploitation requires social engineering to trick a domain user into interacting with a malicious RRAS server, which could result in arbitrary code execution.

Impact:

  • Remote Code Execution (RCE)
  • Compromise of Affected System

CVE-2026-26111 – Windows RRAS integer overflow vulnerability

Description:
CVE-2026-26111 is an integer overflow or wraparound vulnerability in Windows RRAS caused by improper handling of boundary conditions. An attacker authenticated to the domain could exploit this vulnerability by leveraging the RRAS Snap-in to induce a victim system to communicate with a malicious server, potentially leading to execution of attacker-controlled code.

Impact:

  • Remote Code Execution (RCE)
  • System Compromise

Affected Products

The vulnerabilities impact the following products and versions:

  • Windows 11, version 25H2
  • Windows 11, version 24H2
  • Windows 11 Enterprise LTSC 2024

Mitigation & Recommendations

To address these vulnerabilities, Microsoft has released an out-of-band hotpatch update (KB5084597). This update applies to affected Windows 11 versions, including 25H2, 24H2, and Enterprise LTSC 2024 systems. It incorporates all security fixes and improvements from the March 2026 cumulative update. Organizations are strongly advised to apply this update to ensure systems are protected against potential exploitation.

In addition to applying the patch, consider the following measures:

  • Keep the attack path in mind: in all three advisories the victim is a domain user running the RRAS Snap-in who is lured into connecting to an attacker-controlled server. That connection is outbound from the management host, so a perimeter rule that only blocks inbound RRAS traffic does not close this path. Limit the RRAS Snap-in to dedicated administrative workstations and control which servers those hosts may reach.
  • Block inbound RRAS traffic from untrusted networks at the network perimeter using firewall controls; this still reduces the service's general exposure even though it does not address the Snap-in vector.
  • Where RRAS is required, route access through secured VPN infrastructure and restrict management access to trusted administrative hosts.
  • Ensure systems are enrolled in the hotpatch update program and managed via Windows Autopatch so that the update deploys without requiring a restart, and verify on each in-scope host that KB5084597 is actually present rather than assuming enrollment implies installation.
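The following PowerShell script is an added example for checking the points above on a single host; it is not code from this post, from SecPod, or from Microsoft. It reports whether the host is one of the affected Windows 11 releases, whether KB5084597 is present, and whether the RRAS service and the RRAS Snap-in console are installed. Assumptions, labelled in the comments: the script runs in an elevated session; the hotpatch KB is visible either through Get-HotFix (Win32_QuickFixEngineering) or, as a fallback, in the Windows Update history COM API by title; DisplayVersion values 24H2 and 25H2 cover the affected releases (LTSC 2024 reports 24H2); and the Snap-in console file is rrasmgmt.msc.

```powershell
<#
  Added example (not from the original post, SecPod, or Microsoft).
  Reports whether this Windows 11 host is in scope for the out-of-band
  RRAS update KB5084597 and whether the update is installed.
  Assumptions: elevated session; Get-HotFix or the Windows Update history
  COM API lists the hotpatch KB; DisplayVersion 24H2/25H2 identify the
  affected releases; the RRAS Snap-in console file is rrasmgmt.msc.
#>

$Kb = 'KB5084597'

function Get-OsRelease {
    # ProductName in the registry still reads "Windows 10" on Windows 11,
    # so the build number is used for the OS check instead.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        DisplayVersion = $cv.DisplayVersion          # e.g. 24H2 / 25H2
        Edition        = $cv.EditionID               # EnterpriseS = LTSC
        BuildNumber    = [int]$cv.CurrentBuildNumber # 22000+ = Windows 11
        Build          = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR
    }
}

function Test-InScope($os) {
    # Affected releases per the advisory: Windows 11 24H2, 25H2, LTSC 2024
    ($os.BuildNumber -ge 22000) -and ($os.DisplayVersion -in @('24H2', '25H2'))
}

function Test-KbInstalled([string]$Id) {
    # First source: Win32_QuickFixEngineering via Get-HotFix
    if (Get-HotFix -Id $Id -ErrorAction SilentlyContinue) { return $true }

    # Fallback (assumption): hotpatch installs may appear in the Windows
    # Update history by title even when not listed as a QFE.
    $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
    $total = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return $false }
    $hit = $searcher.QueryHistory(0, $total) |
        Where-Object { $_.Title -match $Id -and $_.ResultCode -eq 2 }  # 2 = Succeeded
    return [bool]$hit
}

function Get-RrasExposure {
    # RemoteAccess is the RRAS service. The Snap-in vector described in the
    # advisories only needs the management console on the client, so the
    # presence of rrasmgmt.msc (assumed file name) is reported separately.
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RrasService = if ($svc) { '{0} / {1}' -f $svc.Status, $svc.StartType } else { 'not present' }
        RrasSnapIn  = Test-Path (Join-Path $env:SystemRoot 'System32\rrasmgmt.msc')
    }
}

$os   = Get-OsRelease
$rras = Get-RrasExposure
$report = [pscustomobject]@{
    Host        = $env:COMPUTERNAME
    Version     = '{0} ({1}) build {2}' -f $os.DisplayVersion, $os.Edition, $os.Build
    InScope     = Test-InScope $os
    KbInstalled = Test-KbInstalled $Kb
    RrasService = $rras.RrasService
    RrasSnapIn  = $rras.RrasSnapIn
}

$report | Format-List

if ($report.InScope -and -not $report.KbInstalled) {
    Write-Warning "$Kb is missing on an in-scope host; install the out-of-band update."
}
if ($report.RrasSnapIn) {
    Write-Warning 'RRAS Snap-in is present; restrict its use to trusted administrative hosts.'
}
```

Run the script elevated on each Windows 11 24H2, 25H2, or LTSC 2024 host, or push it through your management tooling and collect the InScope and KbInstalled fields. Because hotpatch updates are delivered differently from regular cumulative updates, treat a negative result from Get-HotFix alone as inconclusive and confirm against the Windows Update history or Windows Autopatch reporting before closing the finding.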

Tactics and Techniques

  • TA0002 – Execution: An attacker could execute malicious code on the affected system.
  • TA0001 – Initial Access: An attacker could gain initial access to the system by exploiting these vulnerabilities.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.