Microsoft: Out-of-band update for Windows 11 with hotpatching

Microsoft has released an out-of-band update for Windows 11 Enterprise clients with hotpatching.

Microsoft has released an out-of-band update for Windows 11 clients, particularly in enterprise environments. It is intended for machines that have hotpatching enabled.

In the Message Center of the Windows Release Health notes, Microsoft explains that the update fixes security vulnerabilities in the management tool for the Routing and Remote Access Service (RRAS). They allow attackers to inject and execute malicious code when a vulnerable client connects to a malicious server. Three vulnerabilities are involved (CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111). Hotpatch KB5084597, released on Friday this week, raises the Windows builds to 26200.7982 and 26100.7982 respectively and thus applies to Windows 11 25H2 and 24H2.

The out-of-band update is only necessary for Windows 11 devices that have hotpatching enabled and are used for remote server management, Microsoft further explains. Standard desktop clients therefore require no further action.

The out-of-band hotfix is cumulative and also includes the bug fixes that Microsoft released in this week's Windows updates for the March Patchday. Microsoft emphasizes that the update will be distributed automatically to devices running Windows 11 25H2 and 24H2 that have hotpatches enabled and are managed with Windows Autopatch. Since hotpatches have been the default configuration for Windows 11 with Windows Autopatch since the middle of last year, some machines are likely to be affected. Thanks to hotpatching, the updates also take effect without a restart. Those who use neither hotpatches nor the RRAS management tool do not need to do anything, the developers further explain.

In the three CVE entries, Microsoft explains that the hotpatches have been re-released to ensure comprehensive coverage across all affected scenarios. Microsoft advises customers there to install the re-released updates to ensure full protection.
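For fleet triage, the applicability conditions described above can be checked against an inventory export. The following is an added example, not Microsoft's or heise's code; the CSV column names, host names and sample build revisions are constructed, and it assumes that a revision at or above 7982 on the same branch contains the fix because Windows updates are cumulative.

```python
import csv
import io

# Builds the article gives for hotpatch KB5084597, keyed by Windows 11 branch.
FIXED_UBR = {26200: 7982, 26100: 7982}  # 25H2, 24H2

# Constructed inventory export; column names and hosts are hypothetical.
SAMPLE_CSV = """hostname,os_version,hotpatch_enabled,rras_mgmt_tool
adm-ws-01,10.0.26100.7840,true,true
adm-ws-02,10.0.26200.7982,true,true
desk-114,10.0.26100.7840,true,false
desk-201,10.0.26200.7840,false,true
kiosk-07,10.0.22631.6199,false,false
adm-ws-03,10.0.26100,true,true
"""

def parse_build(version):
    """Return (build, ubr) from '10.0.<build>.<ubr>', or None if malformed."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return int(parts[2]), int(parts[3])

def triage(row):
    """Classify one inventory row against the conditions in the article."""
    parsed = parse_build(row["os_version"])
    if parsed is None:
        return "check-manually"      # revision missing, cannot compare
    build, ubr = parsed
    if build not in FIXED_UBR:
        return "not-in-scope"        # not Windows 11 24H2 or 25H2
    hotpatch = row["hotpatch_enabled"].strip().lower() == "true"
    rras = row["rras_mgmt_tool"].strip().lower() == "true"
    if not (hotpatch and rras):
        return "oob-not-needed"      # OOB hotpatch targets hotpatch + RRAS tool only
    # Assumption: a higher revision on the same branch includes the fix.
    return "has-fix" if ubr >= FIXED_UBR[build] else "needs-KB5084597"

def triage_inventory(text):
    """Map hostname -> triage result for a CSV export."""
    return {r["hostname"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for host, result in triage_inventory(SAMPLE_CSV).items():
        print(f"{host:10} {result}")
```

Rows classified as `check-manually` carry a version string without a revision number and need the build read directly from the device.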

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.