Microsoft releases an out-of-band hotpatch for critical Windows 11 RRAS vulnerabilities that could allow remote code execution through malicious remote servers.
Microsoft has issued an out-of-band security update to address several critical vulnerabilities in Windows 11 that could allow attackers to execute malicious code through the system’s remote access management tools.
The patch targets flaws in the Windows Routing and Remote Access Service (RRAS) and is being delivered as a hotpatch, allowing systems to receive the fix without requiring a restart.
If a user connects to a malicious remote server, “… an attacker could disrupt the tool or run code on your device,” Microsoft warns in its advisory.
The update addresses three vulnerabilities in the Windows RRAS management tool.
RRAS plays a critical role in many enterprise networks by enabling administrators to manage remote access services, including VPN connectivity, routing functions, and remote administration.
The flaws are tracked as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111, each of which could allow an attacker to execute arbitrary code or disrupt system operations under certain conditions.
CVE-2026-25172 is a remote code execution vulnerability in the RRAS management tool that can be triggered when a user or administrator connects to a malicious server through the RRAS interface.
A specially crafted response from the attacker-controlled server could allow the attacker to disrupt service operations or execute arbitrary code on the victim’s system, potentially giving the attacker control over the affected device.
CVE-2026-25173 is a related vulnerability affecting the same RRAS management component.
As with CVE-2026-25172, exploitation occurs when a user or administrator connects to an attacker-controlled server. Once the connection is established, the attacker may be able to execute code on the victim system or trigger a denial-of-service condition that disrupts RRAS functionality.
CVE-2026-26111 is an additional vulnerability in the RRAS management tool that further increases the risk of remote code execution during interactions with malicious servers.
While the exploitation scenario is similar, this flaw compounds the overall threat by providing another pathway for attackers to execute malicious code or destabilize the service during remote management operations.
All three vulnerabilities share a similar attack scenario centered on how the RRAS management tool interacts with remote servers.
In a potential exploitation scenario, an attacker could configure a malicious or rogue server designed to interact with the RRAS interface. If a system administrator or user attempts to connect to that server through the management tool, the malicious server could exploit the vulnerability during the connection process.
Although exploitation requires user interaction, the vulnerabilities are particularly dangerous because RRAS operates with elevated privileges. This potentially allows attackers to deploy malware, alter network configurations, or gain a foothold for lateral movement.
Microsoft did not report any active exploitation of these vulnerabilities in its advisory.
Because RRAS services often operate with elevated privileges and play a central role in enterprise connectivity, a successful compromise could have significant operational and security impacts.
Organizations should implement layered defenses that limit exposure, restrict administrative access, and improve visibility.
Collectively, these measures can help organizations reduce exposure to RRAS-related threats while strengthening overall resilience against attempts to exploit remote management infrastructure.
This article originally appeared on our sister website, eSecurityPlanet.