
Enterprise IT teams managing Windows 11 machines without the luxury of scheduled reboots have a new patch to deploy — and the vulnerability it fixes is serious enough that Microsoft pushed it outside its normal update cycle.
On March 13, 2026, Microsoft released an out-of-band (OOB) hotpatch — KB5084597 — targeting a trio of remote code execution (RCE) flaws in the Windows Routing and Remote Access Service (RRAS), a built-in management tool used by IT admins to configure remote servers. What makes this notable isn't just the severity of the bugs, but the gap it exposes in how enterprise patching works in practice.
The three vulnerabilities — CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111 — were technically addressed during March's Patch Tuesday rollout on March 10. The catch? Applying those fixes requires a system reboot. For mission-critical enterprise environments running applications that simply can't go offline, that reboot never comes — leaving a window of exposure that attackers could exploit.
All three flaws share the same attack path. A domain-authenticated attacker could trick a user into routing a request through the RRAS Snap-in (a management console) toward a malicious server. If successful, the attacker could either crash the snap-in or execute arbitrary code on the victim's device — a significant foothold in any corporate network.
Microsoft's hotpatch solution sidesteps the reboot problem by patching running processes directly in memory, while simultaneously updating files on disk so the fix survives the next restart. It's a surgical approach designed specifically for environments where uptime is non-negotiable.
There's an important caveat, though: KB5084597 is only available to devices enrolled in Microsoft's hotpatch program and managed through Windows Autopatch. It covers Windows 11 versions 24H2, 25H2, and Enterprise LTSC 2024. Standard Windows Update users were already protected after Patch Tuesday, once the post-update reboot completed — no additional action is needed there.
Microsoft acknowledged it had previously issued hotfixes for these CVEs but re-released KB5084597 to ensure full coverage across all affected deployment scenarios.
What you should do: If your organisation runs Windows 11 Enterprise on hotpatch-enrolled devices, verify that KB5084597 (OS Builds 26200.7982 or 26100.7982) has been applied via Windows Autopatch. If you're on standard updates, your March 10 cumulative update already has you covered — provided that reboot actually happened.
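The guidance above boils down to three questions per device: is the OS at the patched build level, is the KB recorded as installed, and is a reboot still pending that would leave the Patch Tuesday fix unapplied? The following PowerShell script is an added example written for this article; it is not Microsoft's tooling and does not come from the advisory. It assumes that builds 26100 and 26200 with a UBR of at least 7982 correspond to the patched level quoted above, that `Get-HotFix` lists the update by its KB id (hotpatches are not always surfaced there, so the build check is the authoritative one), and that the RRAS management snap-in is delivered by the RSAT capability whose name starts with `Rsat.RemoteAccess` (an assumption used only to flag which machines have the affected console installed at all). Run it in an elevated session so that `Get-WindowsCapability` can query the online image.

```powershell
# Added example: per-device coverage check for KB5084597 (not Microsoft's script).
# Assumptions are labelled inline; adjust $CoveredBuilds/$PatchedUbr if the advisory changes.

$TargetKb      = 'KB5084597'
$PatchedUbr    = 7982               # OS Builds 26200.7982 / 26100.7982 per the advisory
$CoveredBuilds = @(26100, 26200)    # 24H2 + Enterprise LTSC 2024 (26100), 25H2 (26200)

function Get-OsBuildInfo {
    # CurrentBuild.UBR is the "OS Build" shown by winver, e.g. 26100.7982
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Build   = [int]$nt.CurrentBuild
        Ubr     = [int]$nt.UBR
        Release = $nt.DisplayVersion   # e.g. 24H2, 25H2
        Edition = $nt.EditionID        # e.g. Enterprise, EnterpriseS (LTSC)
    }
}

function Test-PendingReboot {
    # Two well-known servicing markers that mean an installed update is not yet active.
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wua = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    return ($cbs -or $wua)
}

function Test-RrasSnapInPresent {
    # Assumption: the RRAS snap-in ships with the Remote Access RSAT capability.
    $caps = Get-WindowsCapability -Online -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like 'Rsat.RemoteAccess*' }
    return [bool]($caps | Where-Object { $_.State -eq 'Installed' })
}

$os            = Get-OsBuildInfo
$buildCovered  = ($CoveredBuilds -contains $os.Build) -and ($os.Ubr -ge $PatchedUbr)
$kbListed      = [bool](Get-HotFix -Id $TargetKb -ErrorAction SilentlyContinue)
$rebootPending = Test-PendingReboot
$rrasPresent   = Test-RrasSnapInPresent

# Decide the device's state from the three facts the article asks you to verify.
$status = if ($buildCovered -and -not $rebootPending) {
    'PATCHED'                      # build level reached and nothing waiting on a reboot
} elseif ($buildCovered -and $rebootPending) {
    'INSTALLED-REBOOT-PENDING'     # the Patch Tuesday case: fix on disk, not yet live
} elseif ($CoveredBuilds -contains $os.Build) {
    'NOT-PATCHED'                  # supported build, UBR below the patched level
} else {
    'OUT-OF-SCOPE'                 # build not covered by KB5084597 (check its own servicing)
}

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    Edition       = $os.Edition
    Release       = $os.Release
    OsBuild       = ('{0}.{1}' -f $os.Build, $os.Ubr)
    KbListed      = $kbListed
    RebootPending = $rebootPending
    RrasSnapIn    = $rrasPresent
    Status        = $status
} | Format-List
```

The output is one object per device, so the same script can be pushed through Intune, Configuration Manager or `Invoke-Command` against a list of hosts and the results collected into a single table. A device that reports `INSTALLED-REBOOT-PENDING` with `RrasSnapIn = True` is exactly the population the hotpatch exists for: the fix is on disk but not in the running processes, and the affected console is present.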