
Emergency updates for Windows 11 have become increasingly common of late, and Microsoft has just pushed out yet another out-of-band update. This time around it is enterprise users receiving a patch, in the form of the KB5084597 hotpatch update.
Available for Windows 11 versions 25H2 and 24H2, the update addresses a remote code execution (RCE) flaw in the Routing and Remote Access Service (RRAS). Left unpatched, the vulnerability could allow malicious code to run on a targeted device.
Microsoft explains that this is a hotpatch update and will therefore only be delivered to devices on which hotpatching has been enabled. This may seem fairly obvious for the company to point out, but it remains a source of confusion for some people:
Note: This hotpatch update is offered only to hotpatch‑enabled devices. No action is required for devices that receive standard Windows updates.
This hotpatch update will install and take effect without requiring you to restart the device. For more information see Hotpatch updates.
The availability of hotpatching is also explained in a note:
Hotpatch is now generally available for Windows 11, version 25H2 and 24H2 (Arm64) devices. To get started, check the prerequisites, disable Compiled Hybrid PE (CHPE), and enroll the devices in a quality update policy with Hotpatch enabled. For more information, see prerequisites.
In the release notes for the KB5084597 hotpatch update, Microsoft explains what function it serves.
- [Networking] This update addresses a security issue in the Windows Routing and Remote Access Service (RRAS) management tool. If you connect to a malicious remote server, an attacker could disrupt the tool or run code on your device. For more information about these security fixes, see CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111.
The descriptions of CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111 explain the nature of the flaw:
Executive Summary
Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network.
How could an attacker exploit this vulnerability?
An attacker authenticated on the domain could exploit this vulnerability by tricking a domain-joined user into sending a request to a malicious server via the Routing and Remote Access Service (RRAS) Snap-in. This could result in the server returning malicious data that might cause arbitrary code execution on the user’s system.
