Microsoft Issues Emergency Patch for Critical Windows 11 RRAS Vulnerabilities

Microsoft Issues Emergency Patch for Critical Windows 11 RRAS Vulnerabilities

Microsoft Issues Emergency Patch for Critical Windows 11 RRAS Vulnerabilities

Image: B Design/Adobe

Microsoft releases an out-of-band hotpatch for critical Windows 11 RRAS vulnerabilities that could allow remote code execution through malicious remote servers.

Written By
Ken Underhill
Ken Underhill
Mar 16, 2026
We may earn from vendors via affiliate links or sponsorships. This might affect product placement on our site, but not the content of our reviews. See our Terms of Use for details.

Microsoft has issued an out-of-band security update to address several critical vulnerabilities in Windows 11 that could allow attackers to execute malicious code through the system’s remote access management tools.

The patch targets flaws in the Windows Routing and Remote Access Service (RRAS) and is being delivered as a hotpatch, allowing systems to receive the fix without requiring a restart.

If a user connects to a malicious remote server, “… an attacker could disrupt the tool or run code on your device,” Microsoft warns in its advisory.

Inside the Windows RRAS vulnerabilities

The update addresses three vulnerabilities in the Windows RRAS management tool.

RRAS plays a critical role in many enterprise networks by enabling administrators to manage remote access services, including VPN connectivity, routing functions, and remote administration.

The flaws are tracked as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111, each of which could allow an attacker to execute arbitrary code or disrupt system operations under certain conditions.

CVE-2026-25172

CVE-2026-25172 is a remote code execution vulnerability in the RRAS management tool that can be triggered when a user or administrator connects to a malicious server through the RRAS interface.

A specially crafted response from the attacker-controlled server could allow the attacker to disrupt service operations or execute arbitrary code on the victim’s system, potentially giving the attacker control over the affected device.

CVE-2026-25173

CVE-2026-25173 is a related vulnerability affecting the same RRAS management component.

Similar to CVE-2026-25172, exploitation occurs when a user or administrator connects to an attacker-controlled server. Once the connection is established, the attacker may be able to execute code on the victim system or trigger a denial-of-service condition that disrupts RRAS functionality.

Advertisement

CVE-2026-26111

CVE-2026-26111 is an additional vulnerability in the RRAS management tool that further increases the risk of remote code execution during interactions with malicious servers.

While the exploitation scenario is similar, this flaw compounds the overall threat by providing another pathway for attackers to execute malicious code or destabilize the service during remote management operations.

All three vulnerabilities share a similar attack scenario centered on how the RRAS management tool interacts with remote servers.

In a potential exploitation scenario, an attacker could configure a malicious or rogue server designed to interact with the RRAS interface. If a system administrator or user attempts to connect to that server through the management tool, the malicious server could exploit the vulnerability during the connection process.

Although exploitation requires user interaction, the vulnerabilities are particularly dangerous because RRAS operates with elevated privileges. This potentially allows attackers to deploy malware, alter network configurations, or gain a foothold for lateral movement.

Microsoft did not report any active exploitation of these vulnerabilities in their advisory.

How organizations can reduce RRAS risk

Because RRAS services often operate with elevated privileges and play a central role in enterprise connectivity, a successful compromise could have significant operational and security impacts.

Organizations should implement layered defenses that limit exposure, restrict administrative access, and improve visibility.

  • Apply the latest patch to affected Windows 11 systems and test it in a staging environment before deploying it to production.
  • Restrict RRAS management access to authorized administrators only using role-based access control (RBAC), privileged access management, or just-in-time (JIT) access to reduce the number of users who can initiate remote connections.
  • Disable the RRAS role or management tools on systems where they are not required to reduce the overall attack surface and limit opportunities for exploitation.
  • Restrict connections to trusted remote servers and implement outbound network filtering or firewall rules to prevent administrative systems from connecting to unknown or attacker-controlled hosts.
  • Segment remote access infrastructure and administrative workstations onto dedicated management networks to limit lateral movement if a system is compromised.
  • Deploy EDR and centralized logging to monitor for suspicious RRAS activity, unusual outbound connections, or unexpected process execution tied to remote access tools.
  • Regularly test incident response plans and use attack simulation tools with scenarios around the exploitation of remote management tools.

Collectively, these measures can help organizations reduce exposure to RRAS-related threats while strengthening overall resilience against attempts to exploit remote management infrastructure.

This article originally appeared on our sister website, eSecurityPlanet.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.