Windows News and info 15th Anniversary 2009-2024

Windows 11 | Windows 10 Modifying => Patch Tuesday| Updates | Security | Privacy | Anti-virus => Topic started by: javajolt on March 18, 2026, 06:19:50 PM

Title: Emergency Microsoft Windows 11 Security Update Confirmed
Post by: javajolt on March 18, 2026, 06:19:50 PM
[Image: Emergency Windows 11 update confirmed by Microsoft. Credit: SOPA Images/LightRocket via Getty Images]
Updated March 18: Following confirmation of an emergency, out-of-band, security update impacting Windows 11 versions 25H2, 24H2 and Windows 11 Enterprise LTSC 2024, this article has been updated with a statement by Microsoft in response to a request for clarification on the reasons for the update after the Patch Tuesday rollout which appeared to have already addressed the CVE-2026-25172, CVE-2026-25173 and CVE-2026-26111 Windows Routing and Remote Access Service vulnerabilities.

Patch Tuesday has been and gone, but the monthly security updates from Microsoft just keep on coming. The latest is an emergency, out-of-band, hotpatch (http://www.forbes.com/sites/daveywinder/2025/04/30/microsoft-confirms-150-windows-security-update-fee-starts-july-1/) for a subset of Windows 11 enterprise users that addresses a bunch of critical security vulnerabilities impacting the Routing and Remote Access Service, which could give attackers the ability to execute remote code and, potentially, take control of the impacted device. Here’s what we know about the Common Vulnerabilities and Exposures designated as CVE-2026-25172, CVE-2026-25173 and CVE-2026-26111, and the emergency update itself.

Microsoft Windows 11 Hotpatch Security Update—What The Enterprise Needs To Know

The latest out-of-band security update from Microsoft is, truth be told, something of an oddity. I say that as it is a fix for three critical vulnerabilities that had already been addressed by the March Patch Tuesday rollout.

The Microsoft security advisory stated: “This issue only applies to a limited set of scenarios involving Enterprise client devices running hotpatch updates and being used for remote server management.” The three vulnerabilities all affect the Windows Routing and Remote Access Service management tool, and connecting to a malicious server could be all it takes to trigger the attack chain.

CVE-2026-25172, CVE-2026-25173 and CVE-2026-26111 are all remote code execution vulnerabilities, using access to a malicious server by way of the RRAS interface to start exploitation. The official description from the Microsoft Security Response Center is that of an “integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network.”

In other words, and here’s the important bit, an attacker who is already authenticated on the domain could essentially trick a domain-joined user into sending a request to the malicious server via the RRAS snap-in. Given that a patch had already been made available, you may be wondering why there’s a need for this emergency hotpatch. The answer lies with the fact that the Patch Tuesday fix requires a device reboot, and something running your critical applications or services isn’t open to rebooting on a whim, for obvious reasons.

Which is where the hotpatch system comes into play, as it doesn’t require the reboot. A hotpatch will download and install in the background, deployed within the in-memory code of already running processes.

Microsoft has also confirmed that it will enable hotpatch security updates by default, through the Windows Autopatch enterprise service, with the release of the Windows security update in May for those managing devices using Intune and the Graph API.

“This change in approach patches devices significantly faster since they aren’t waiting for that restart. To see how this is working in the real world, we asked four different companies with 30-70K devices about their gains in the number of days to security compliance. They all reported achieving 90% patch compliance in half the previous time, without making any policy changes,” Microsoft said. “Today, there are over 10 million production devices enrolled in hotpatch updates,” the Microsoft announcement continued, “showing the level of adoption and trust companies like yours have in this capability.” Microsoft also teased that additional IT controls will be released in April for organizations not yet ready for this change.

Microsoft Issues Statement Providing Clarification On Windows 11 Out-Of-Band Hotpatch Security Update

“This hotpatch update is offered only to hotpatch‑enabled devices. No action is required for devices that receive standard Windows updates,” Microsoft said. According to Bleeping Computer, Microsoft had “previously released hotfixes for these flaws,” but re-released them to “ensure comprehensive coverage across all affected scenarios.” What those scenarios were, and why the emergency hotpatch update was necessary, isn’t immediately clear.

I reached out to Microsoft for clarification, and a spokesperson provided the following statement: “We identified that the Routing and Remote Access Service (RRAS) vulnerability could affect Enterprise devices deploying Windows hotpatch updates on Windows 11, versions 24H2 and 25H2. To address this scenario, we released an out-of-band hotpatch update (KB5084597) for hotpatch-enabled devices, allowing rapid installation without requiring a restart. Currently, there is no indication of exploitation, and we recommend customers follow the updated CVE guidance to remain protected.”

source (http://www.forbes.com/sites/daveywinder/2026/03/18/emergency-microsoft-windows-11-security-update-confirmed/)