Executive Summary
In March 2026, Microsoft identified critical remote code execution (RCE) vulnerabilities in the Windows Routing and Remote Access Service (RRAS) management tool, specifically affecting Windows 11 Enterprise devices utilizing hotpatch updates. These vulnerabilities, tracked as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111, could be exploited by authenticated attackers to execute arbitrary code by tricking domain-joined users into connecting to malicious servers via the RRAS Snap-in. To address these issues, Microsoft released an out-of-band (OOB) hotpatch update (KB5084597) on March 13, 2026, targeting Windows 11 versions 25H2, 24H2, and Enterprise LTSC 2024 systems. This hotpatch allows for in-memory patching of running processes, enabling immediate protection without necessitating a system reboot, which is crucial for mission-critical applications that cannot afford downtime. The release underscores the importance of timely patch management and the need for organizations to stay vigilant against emerging threats that exploit network services. As cyber attackers continue to target remote access services, it is imperative for enterprises to implement robust security measures, including regular updates and user education, to mitigate potential risks.
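As an added example (not part of the original brief), the following PowerShell check reports whether a Windows 11 device is at or above the build level shipped by the out-of-band hotpatch KB5084597. It assumes the fixed builds 26200.7982 (25H2) and 26100.7982 (24H2 / Enterprise LTSC 2024) stated in the Microsoft KB cited under Sources; the Get-HotFix lookup is a secondary, assumption-based check, since hotpatch KBs may not appear there.

```powershell
# Added example, not Microsoft's or the brief's own code.
# Assumption: KB5084597 raises the OS build to 26200.7982 / 26100.7982.
$KbId     = 'KB5084597'
$FixedUbr = @{ '26200' = 7982; '26100' = 7982 }   # build -> minimum UBR

function Test-Kb5084597 {
    # Read the installed build and Update Build Revision (UBR) from the registry.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    if (-not $FixedUbr.ContainsKey($build)) {
        # Not a hotpatch-serviced build (e.g. 23H2); the OOB hotpatch does not apply.
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            OSBuild      = "$build.$ubr"
            RequiredUBR  = $null
            KBListed     = $false
            Status       = 'Not a hotpatch-serviced build; verify the standard cumulative update channel'
        }
    }

    $atFixLevel = $ubr -ge $FixedUbr[$build]

    # Assumption: hotpatch KBs may or may not be listed by Get-HotFix, so treat a
    # missing entry as inconclusive rather than as proof the device is unpatched.
    $listed = [bool](Get-HotFix -ErrorAction SilentlyContinue |
                     Where-Object { $_.HotFixID -eq $KbId })

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSBuild      = "$build.$ubr"
        RequiredUBR  = $FixedUbr[$build]
        KBListed     = $listed
        Status       = if ($atFixLevel) { "Patched ($KbId build level reached)" }
                       else { "MISSING $KbId; schedule the hotpatch" }
    }
}

Test-Kb5084597 | Format-List
```

Run it through your endpoint management tooling to produce an inventory of devices still below the fixed build level.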
Why This Matters Now
The exploitation of RRAS vulnerabilities highlights the increasing sophistication of cyber threats targeting remote access services. Organizations must prioritize the application of security patches and enhance monitoring of network activities to prevent potential breaches.
Attack Path Analysis
An attacker exploits a vulnerability in the Windows Routing and Remote Access Service (RRAS) by tricking a domain-joined user into connecting to a malicious server, leading to remote code execution. The attacker then escalates privileges to gain higher-level access, moves laterally within the network to compromise additional systems, establishes command and control channels to maintain persistent access, exfiltrates sensitive data, and finally, disrupts services or deploys ransomware to achieve their objectives.
Kill Chain Progression
Initial Compromise
Description
An attacker exploits a vulnerability in the Windows Routing and Remote Access Service (RRAS) by tricking a domain-joined user into connecting to a malicious server, leading to remote code execution.
Related CVEs
CVE-2026-26111
CVSS 8
Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network.
Affected Products:
Microsoft Windows 11 – 25H2, 24H2, Enterprise LTSC 2024
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Exploitation of Remote Services
Valid Accounts
Exploitation for Client Execution
Hijack Execution Flow
Impair Defenses
Obfuscated Files or Information
File and Directory Discovery
Ingress Tool Transfer
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Critical exposure through RRAS remote management tools used for domain administration, enabling attackers to exploit CVE-2026-25172/25173/26111 vulnerabilities for remote code execution attacks.
Information Technology/IT
High-risk sector managing Windows 11 Enterprise environments with RRAS services, facing immediate threats from authenticated domain attackers exploiting remote access service vulnerabilities.
Financial Services
Mission-critical systems requiring hotpatch updates face RCE vulnerabilities in Windows routing services, with compliance implications under PCI and NIST frameworks for secure connectivity.
Health Care / Life Sciences
HIPAA-regulated environments using Windows Enterprise systems vulnerable to RRAS exploitation, requiring immediate hotpatch deployment to maintain encrypted traffic and access control compliance.
Sources
- Microsoft releases Windows 11 OOB hotpatch to fix RRAS RCE flaw: https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-11-oob-hotpatch-to-fix-rras-rce-flaw/
- March 13, 2026: Hotpatch KB5084597 (OS Builds 26200.7982 and 26100.7982) Out-of-band: https://support.microsoft.com/en-us/topic/march-13-2026-hotpatch-kb5084597-os-builds-26200-7982-and-26100-7982-out-of-band-ef323fee-e70f-4f43-8bbc-1021c435bf5c
- NVD - CVE-2026-26111: https://nvd.nist.gov/vuln/detail/CVE-2026-26111
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may be constrained by identity-aware policies that limit unauthorized connections, reducing the likelihood of successful exploitation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could be limited by enforcing least-privilege access controls, reducing the scope of accessible resources.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement may be constrained by segmenting network traffic and enforcing strict access controls between workloads.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control channels could be detected and disrupted through continuous monitoring and control of network traffic across multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may be limited by enforcing strict egress policies that control outbound data flows.
The attacker's ability to disrupt services or deploy ransomware could be constrained by limiting their access to critical systems and data.
Impact at a Glance
Affected Business Functions
- Remote Server Management
- Network Routing Services
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of sensitive network configurations and access credentials.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement within the network.
- Deploy East-West Traffic Security controls to monitor and restrict internal traffic, preventing unauthorized lateral movement.
- Utilize Multicloud Visibility & Control solutions to detect and respond to anomalous activities across cloud environments.
- Apply Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- Regularly update and patch systems to remediate known vulnerabilities, reducing the risk of exploitation.