Microsoft released an out-of-band hotpatch on March 13, 2026—KB5084597—that addresses multiple high-risk vulnerabilities in the Windows Routing and Remote Access Service (RRAS) management tool. This security update represents a significant advancement in Microsoft's patching strategy, allowing administrators to apply critical fixes without requiring system restarts that disrupt operations.

The hotpatch specifically targets vulnerabilities that could allow remote code execution (RCE) when an attacker sends specially crafted packets to an RRAS server. Microsoft has rated these vulnerabilities as \"Critical\" for Windows Server 2022, Windows Server 2019, and Windows Server 2016 systems running the RRAS role. The company's security advisory indicates successful exploitation could enable attackers to execute arbitrary code with SYSTEM privileges, potentially compromising entire networks.

What Makes This Hotpatch Different

Traditional Windows updates typically require system restarts to complete installation, forcing administrators to schedule maintenance windows that disrupt business operations. Hotpatching technology eliminates this requirement by applying security fixes directly to running processes in memory while leaving the underlying files on disk unchanged until the next scheduled restart.

KB5084597 leverages Microsoft's evolving hotpatch infrastructure, which has been gradually expanding since its introduction for Azure Stack HCI. This marks one of the first instances where the technology has been deployed for on-premises Windows Server installations addressing critical security vulnerabilities. The approach demonstrates Microsoft's commitment to minimizing operational disruption while maintaining security posture.

Technical Details of the RRAS Vulnerabilities

The vulnerabilities exist in how RRAS processes certain network packets. According to Microsoft's security documentation, the flaws could be exploited when RRAS receives specially crafted connection requests or routing information. Attackers could potentially chain these vulnerabilities to achieve remote code execution without authentication in some scenarios.

Microsoft has not disclosed specific details about the exploit mechanisms, following standard responsible disclosure practices. However, security researchers have confirmed that the vulnerabilities affect the core routing protocols handled by RRAS, including RIP (Routing Information Protocol) and OSPF (Open Shortest Path First). Organizations using RRAS for site-to-site VPNs, network address translation (NAT), or basic routing functions should prioritize this update.

Installation Requirements and Compatibility

KB5084597 requires specific conditions for installation. Systems must be running Windows Server 2022, Windows Server 2019, or Windows Server 2016 with the latest servicing stack update (SSU). The RRAS role must be installed and configured, though the service doesn't need to be actively processing traffic for the vulnerabilities to exist.

Microsoft recommends installing the update through Windows Update, Windows Server Update Services (WSUS), or the Microsoft Update Catalog. The hotpatch appears as an optional update in Windows Update, requiring manual approval in enterprise environments. Once installed, the fix takes effect immediately without requiring RRAS service restart or system reboot.

Enterprise Deployment Considerations

For organizations managing large server fleets, this hotpatch presents both opportunities and challenges. The ability to apply critical security fixes without scheduling maintenance windows significantly reduces operational overhead. However, administrators must verify compatibility with existing monitoring tools and ensure proper testing before widespread deployment.

Microsoft's documentation indicates the hotpatch has been tested with common network monitoring solutions and should not interfere with normal RRAS operations. Still, prudent administrators will test the update in isolated environments before deploying to production systems, particularly those handling critical network infrastructure.

Security Implications and Risk Assessment

The \"Critical\" rating reflects the potential impact of these vulnerabilities. RRAS servers often sit at network boundaries, making them attractive targets for attackers seeking initial network access. Successful exploitation could provide attackers with SYSTEM-level access to routing infrastructure, potentially enabling lateral movement across network segments.

Organizations should assess their exposure by identifying all systems running the RRAS role. Even servers configured for basic routing functions without VPN capabilities may be vulnerable. Microsoft's advisory suggests disabling unnecessary RRAS components as a temporary mitigation while preparing for update deployment.

Microsoft's Hotpatch Strategy Evolution

KB5084597 represents a milestone in Microsoft's hotpatch deployment strategy. Previously, hotpatching was primarily available for Azure-based services and select Windows 10/11 features. Expanding this capability to on-premises server roles addressing critical security vulnerabilities signals Microsoft's confidence in the technology's reliability.

The company has been gradually expanding hotpatch availability since introducing the technology for Windows Server Azure Edition. This expansion addresses one of the most persistent complaints from enterprise customers: the operational disruption caused by mandatory reboots for security updates.

Verification and Monitoring After Installation

After applying KB5084597, administrators should verify the update installed correctly by checking system update history and confirming the hotpatch appears in installed updates. Microsoft provides PowerShell commands to verify hotpatch status, though the specific commands for this update haven't been published yet.

Monitoring RRAS performance and stability for several days post-installation is recommended. While Microsoft has conducted extensive testing, edge cases in complex network configurations may reveal issues not caught during standard testing procedures. Administrators should pay particular attention to routing table stability and VPN connection reliability.

Future Outlook for Hotpatch Technology

The successful deployment of KB5084597 suggests Microsoft will continue expanding hotpatch capabilities to more Windows components. This approach aligns with industry trends toward minimizing maintenance disruption while maintaining security. Future hotpatches may address vulnerabilities in additional server roles, potentially including Active Directory, DNS, or DHCP services.

Microsoft's investment in hotpatch technology reflects changing enterprise expectations around update management. As organizations increasingly operate 24/7 services, the tolerance for maintenance-related downtime continues to decrease. Hotpatching offers a path to maintain security without compromising availability.

Actionable Recommendations for Administrators

  1. Immediately inventory all systems running the RRAS role across your environment
  2. Test KB5084597 in a non-production environment that mirrors your production configuration
  3. Deploy the hotpatch to production systems following change management procedures
  4. Monitor RRAS performance and network stability for at least 72 hours post-deployment
  5. Review and update incident response plans to address potential RRAS-related security incidents
  6. Consider implementing additional network segmentation for RRAS servers as defense-in-depth measure

Organizations without immediate plans to deploy the hotpatch should implement Microsoft's recommended workarounds, which may include disabling specific RRAS components or implementing network-level protections. However, these measures should be considered temporary until the security update can be applied.

The release of KB5084597 demonstrates that Microsoft is listening to enterprise concerns about update-related disruption while maintaining focus on security. As attackers increasingly target network infrastructure components, rapid deployment of such critical fixes becomes essential for maintaining organizational security posture without sacrificing operational continuity.