Microsoft released an out-of-band update yesterday for Windows 11 Enterprise devices that receive so-called hotpatches instead of the usual cumulative updates on the second Tuesday of each month. The fix, distributed as KB5084597, addresses vulnerabilities in the RRAS (Routing and Remote Access Service) management tool that could allow remote code execution if a computer connects to a malicious server.
According to Microsoft, the resolved vulnerabilities are identified as CVE-2026-25172, CVE-2026-25173 and CVE-2026-26111. In all three cases, the attack requires a user of a domain-joined computer to be tricked into having the RRAS console establish a connection to a server controlled by the attacker, which could result in code execution on the administrative machine.

The KB5084597 hotpatch covers Windows 11 installations of the 25H2 and 24H2 versions, as well as Windows 11 Enterprise LTSC 2024 systems. Microsoft clarifies that these fixes were already part of the security updates published in the March Patch Tuesday, but have been reissued in hotpatch format to ensure coverage in scenarios where a scheduled restart is not viable, such as computers that support critical services and must remain in continuous operation.
The key difference between a normal cumulative update and a hotpatch is how it is applied. While cumulative updates usually require rebooting the system so that the files on disk are updated and processes are restarted, hotpatches apply changes in memory to mitigate vulnerabilities without interrupting running services and, at the same time, update the files on disk so that the fix persists after the next boot. Microsoft explains this mechanism and its management within Windows Autopatch in its documentation dedicated to hotpatch updates.
It is important to stress that this hotpatch will be offered only to devices that are enrolled in the hotpatch program and managed by Windows Autopatch; on these machines the update is installed automatically and without requiring a reboot. For all other environments, protection against these vulnerabilities remains the installation of the cumulative updates published in March and, if the machines are not managed by Autopatch, planning the restart needed to complete the repair.
From a practical and security perspective, there are several conclusions and steps that any infrastructure manager should consider. First, check which machines in the organization are enrolled in Windows Autopatch and, if they are not, prioritize installing the cumulative updates and schedule the restart in maintenance windows. Second, limit the use of administrative consoles and prevent management machines from connecting to untrusted servers; the risk described depends precisely on the RRAS tool connecting to a malicious endpoint. Third, review network segmentation and access policies to reduce the exposure of administrative workstations to unverified external servers.
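To support the first step above (finding out which machines already carry the fix and which still owe a restart), the following PowerShell snippet is an added example written for this article; it is not Microsoft's code or part of the KB. It assumes it runs with administrative rights on a Windows 11 machine, uses the KB identifier from the article, and relies on the standard Windows Update and Component Based Servicing registry markers for a pending reboot. Note that `Get-HotFix` reads the `Win32_QuickFixEngineering` class, which may not list every update type, so the KB technical note remains the authoritative source for coverage.

```powershell
# Added example (not from the article or from Microsoft): inventory check for
# KB5084597 and pending-reboot state on one or more Windows 11 machines.
# Assumptions: run as an administrator; WinRM enabled for the remote variant.
$KbId = 'KB5084597'   # KB identifier as stated in the article

function Test-KbInstalled {
    param([string]$Id)
    # Get-HotFix queries Win32_QuickFixEngineering; absence here is a hint,
    # not proof, that the fix is missing (see caveat in the lead-in).
    $hf = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    return [bool]$hf
}

function Test-RebootPending {
    # Standard markers written by Component Based Servicing and Windows Update
    # when a restart is still required to complete servicing.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($k in $keys) {
        if (Test-Path $k) { return $true }
    }
    # PendingFileRenameOperations is set when files on disk will be replaced
    # at the next boot, another sign that servicing is not yet complete.
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
            -ErrorAction SilentlyContinue
    return [bool]$sm.PendingFileRenameOperations
}

function Get-PatchStatus {
    param([string]$Id)
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Build         = $os.BuildNumber
        LastBoot      = $os.LastBootUpTime
        KbInstalled   = Test-KbInstalled -Id $Id
        RebootPending = Test-RebootPending
    }
}

# Local check
Get-PatchStatus -Id $KbId | Format-Table -AutoSize

# Fleet check (assumed list of management workstations; replace with your own
# inventory source). Machines that report KbInstalled = False need the March
# cumulative update scheduled; RebootPending = True means the fix is staged
# but not yet complete on a non-hotpatch device.
$targets = @('ADMIN-WS-01', 'ADMIN-WS-02')   # placeholder host names
Invoke-Command -ComputerName $targets -ScriptBlock ${function:Get-PatchStatus} -ArgumentList $KbId |
    Select-Object Computer, Build, LastBoot, KbInstalled, RebootPending |
    Format-Table -AutoSize
```

The output gives the two facts the article's first step calls for: whether the fix is present and whether a restart is still outstanding. A hotpatch-enrolled device is expected to show the fix without a pending reboot; a device outside the program that shows the fix together with a pending reboot has not yet finished applying the March cumulative update and belongs in the next maintenance window.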

Microsoft already indicated that it had published previous hotfixes for these vulnerabilities and that the version distributed now aims to close gaps in all affected scenarios. Even so, administrators should read the KB technical note and the vulnerability pages to understand the exact scope and confirm the steps to be taken in their environment. The hotpatch support note is available on the Microsoft page mentioned above, and the detailed entries for each CVE can be found in the Microsoft security catalog: Microsoft Security Response Center.
If you manage machines that are not part of the hotpatch program and cannot allow frequent restarts, it is advisable to plan an additional mitigation strategy: restrict remote administration to controlled networks, use dedicated management workstations with the minimum of installed software, and apply access controls that reduce the likelihood of an authenticated user being induced to establish connections with malicious servers.
In short, the appearance of KB5084597 is a reminder of two simple but relevant ideas: first, that remote management tools can become attack vectors if the connections they make are not controlled; second, that technologies such as hotpatch seek to compensate for the operational limitations of critical environments by allowing vulnerabilities to be corrected without an immediate reboot. For more information, and to download the update if applicable, please refer to the Microsoft support note and the CVE pages linked above.