Microsoft has rolled out KB5084597, an out-of-band security hotpatch for Windows 11 25H2 and 24H2 that fixes critical RRAS vulnerabilities on managed enterprise devices.
Microsoft has released KB5084597, an out-of-band hotpatch for Windows 11 25H2 and 24H2 that targets a security issue in the Windows Routing and Remote Access Service management tool. The update moves eligible systems to OS Builds 26200.7982 and 26100.7982 and was published on March 13, 2026.
KB5084597 fixes an RRAS security issue
According to Microsoft's support page, KB5084597 fixes a vulnerability in the Windows Routing and Remote Access Service, or RRAS, management tool. Microsoft says that if a user connects to a malicious remote server, an attacker could disrupt the tool or run code on the device. The company links the hotpatch to CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111.
That makes this a more focused release than a standard Patch Tuesday cumulative update. Microsoft's changelog lists only the networking security fix, which suggests the patch was pushed out specifically to close the RRAS-related hole rather than bundle a wider set of non-security changes.
This hotpatch is not for every Windows 11 PC
The catch is that KB5084597 is not a broad consumer rollout in the usual sense. Microsoft says the update is offered only to hotpatch-enabled devices, and adds that no action is required for PCs receiving standard Windows updates. The patch downloads automatically through Windows Update on eligible systems and takes effect without requiring a restart.
Microsoft's hotpatch documentation says these updates are monthly security releases designed to install without rebooting, with the goal of improving compliance while reducing disruption. The same documentation says hotpatch requires Windows Autopatch and is intended for managed devices enrolled in an appropriate quality update policy.
Hotpatch now reaches more Arm64 Windows 11 devices
Microsoft also says hotpatch is now generally available for Windows 11 25H2 and 24H2 Arm64 devices, but only if they meet a fairly specific set of requirements. On the KB5084597 page, Microsoft lists Windows 11 Enterprise, Intune with a hotpatch-enabled policy, an eligible license, virtualization-based security enabled, and compiled hybrid PE disabled as prerequisites for Arm64 devices.
That means KB5084597 is more relevant to enterprise IT admins than ordinary home users. For managed fleets that qualify, though, the update shows exactly why Microsoft keeps pushing hotpatch: a security fix can go out immediately, apply automatically, and avoid the reboot that would normally interrupt work.
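For fleets enrolled in hotpatch, the build numbers and the VBS prerequisite mentioned above can be checked on a device with a short PowerShell script. This is an added example, not Microsoft's tooling or code from the support page; the function name `Test-HotpatchBuild` and its status strings are hypothetical, and the build revisions are the ones quoted in this article.

```powershell
# Added example: compare the running OS build against the KB5084597 builds
# (26200.7982 / 26100.7982, as quoted in the article) and report VBS state.
function Test-HotpatchBuild {
    param(
        [Parameter(Mandatory)][int]$Build,     # base build, e.g. 26200
        [Parameter(Mandatory)][int]$Revision   # update build revision (UBR), e.g. 7982
    )
    # Revision that KB5084597 moves each base build to, per the article.
    $kbRevision = @{ 26200 = 7982; 26100 = 7982 }

    if (-not $kbRevision.ContainsKey($Build)) { return 'NotApplicable' }
    if ($Revision -ge $kbRevision[$Build])    { return 'AtOrAboveHotpatchBuild' }
    return 'BelowHotpatchBuild'
}

# CurrentBuild is stored as a string and UBR as a DWORD in this key.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuild
$ubr   = [int]$cv.UBR

# Win32_DeviceGuard reports VirtualizationBasedSecurityStatus:
# 0 = not enabled, 1 = enabled but not running, 2 = running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Architecture = $env:PROCESSOR_ARCHITECTURE   # ARM64 devices have extra prerequisites
    OSBuild      = "$build.$ubr"
    KB5084597    = Test-HotpatchBuild -Build $build -Revision $ubr
    VbsRunning   = ($null -ne $dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
}
```

A result of `AtOrAboveHotpatchBuild` only shows the revision is at least 7982; a later update raises it as well, so the check does not prove the fix arrived as a hotpatch. `BelowHotpatchBuild` is meaningful only on hotpatch-enrolled devices, since the article states KB5084597 is not offered to PCs on standard Windows updates.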
Microsoft lists no known issues so far
As of publication, Microsoft says it is not currently aware of any known issues with KB5084597. That is notable given how often emergency or out-of-band Windows patches raise deployment concerns, especially when they touch security-sensitive networking components. Microsoft's Feedback Hub can be used to report any issues.
Source(s) Microsoft support KB5084597

