Out-of-Band Patch for Windows (and why it matters)

-


 


Windows 11 (25H2, 24H2, and LTSC 2024) that Microsoft released on March 13–14, 2026 to fix critical RRAS remote code execution vulnerabilities. It installs without requiring a reboot on systems that support hotpatching.

What KB5084597 Addresses

Microsoft issued this update to patch three RRAS (Routing and Remote Access Service) management tool vulnerabilities:

  • CVE‑2026‑25172 — RRAS RCE
  • CVE‑2026‑25173 — RRAS RCE
  • CVE‑2026‑26111 — RRAS RCE

These flaws stem from an integer overflow/wraparound condition. If an administrator’s RRAS management tool connects to a malicious remote server, an attacker could:

  • Disrupt the RRAS management tool
  • Execute code on the administrator’s device

This makes the vulnerabilities particularly dangerous in enterprise environments where RRAS is used for VPN, NAT, routing, and site‑to‑site connectivity.

Why This Update Is Out‑of‑Band

Microsoft released KB5084597 outside the normal Patch Tuesday cycle because the vulnerabilities are considered high‑risk. The hotpatch mechanism allows Microsoft to:

  • Deliver the fix immediately
  • Avoid requiring a system restart
  • Minimize downtime for enterprise systems

Hotpatching is available only on eligible Windows 11 24H2/25H2 and LTSC 2024 systems that meet Microsoft’s prerequisites.

Affected OS Builds After Installation

KB5084597 updates systems to:

  • OS Build 26200.7982 (Windows 11 25H2)
  • OS Build 26100.7982 (Windows 11 24H2)

Deployment Notes

  • Hotpatch‑enabled devices install this automatically.
  • No restart is required.
  • Microsoft reports no known issues with this update.

Why It Matters for Security Teams

For environments using RRAS—even indirectly—this patch closes a path where a compromised or malicious server could escalate to code execution on an admin workstation, which is a high‑value target. The no‑reboot nature also makes it easier to deploy quickly across production systems.

Given your role overseeing infrastructure and security, this update is one you’d want to ensure is applied across any hotpatch‑eligible endpoints, especially admin workstations or servers with RRAS tooling installed.


Popular posts from this blog

WSUS CVE-2025-59287 Mitigation

-
Image
CVE-2025-59287 is a critical Remote Code Execution (RCE) vulnerability affecting Windows Server Update Services (WSUS) . Here's a detailed breakdown of what it is, how it works, and what you should do about it: Overview Disclosed: October 2025 Patch Tuesday CVSS Score: 9.8 (Critical) Affected Systems: Windows Server 2012 through 2025 (including Server Core installations) Exploitability: Microsoft rates it as “Exploitation More Likely” Technical Details The vulnerability arises from unsafe deserialization of untrusted data in WSUS. Specifically, the GetCookie() endpoint in WSUS processes encrypted AuthorizationCookie objects without proper type validation. The deserialization occurs via .NET BinaryFormatter , which is known to be insecure when handling untrusted input. Attackers can send a crafted SOAP request to WSUS over port 8530 , containing a malicious AuthorizationCookie . The cookie is decrypted using a hardcoded AES key and then deserialized, allow...
Read more

Cloud Infrastructures are Having a Bad Week

-
Image
  Today’s disruptions across Microsoft Azure and Amazon Web Services (AWS) were significant, but they’re not signs of cloud computing’s demise. Instead, they underscore the risks of centralization and the importance of designing systems that can withstand provider-level failures. What happened today? • Microsoft Azure outage: Azure’s Front Door service suffered a major disruption due to a misconfiguration, impacting services like Outlook, Xbox, Microsoft 365, and even third-party platforms like Starbucks and Alaska Airlines. The Azure website states a little more than disruption. "Azure Front Door - Connectivity issues - Observing recovery Starting at approximately 16:00 UTC on 29 October 2025, customers and Microsoft services leveraging Azure Front Door (AFD) may have experienced latencies, timeouts, and errors. We have confirmed that an inadvertent configuration change was the trigger event for this issue. Affected Azure services may have included, but were not limited to: App S...
Read more

CVE-2025-58034 Fortinet Warnings and Mitigation

-
Image
Type: OS Command Injection vulnerability (CWE-78) Affected Product: Fortinet FortiWeb (Web Application Firewall) Affected Versions: 8.0.0 – 8.0.1 7.6.0 – 7.6.5 7.4.0 – 7.4.10 7.2.0 – 7.2.11 7.0.0 – 7.0.11 [nvd.nist.gov] , [cvedetails.com] Description The vulnerability is caused by improper neutralization of special elements used in OS commands . An authenticated attacker can exploit this flaw by sending crafted HTTP requests or CLI commands , allowing them to execute arbitrary code on the underlying system. This can compromise the integrity, confidentiality, and availability of the device. [nvd.nist.gov] , [cvedetails.com] Severity CVSS v3.1 Base Score: 7.2 (High) Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Impact: High on Confidentiality, Integrity, and Availability [cvedetails.com] Exploitation Status Actively Exploited: Yes. Fortinet confirmed expl...
Read more