Microsoft has pushed out an unscheduled security fix for a trio of critical vulnerabilities in the Windows Routing and Remote Access Service (RRAS) management tool. The hotpatch, which landed this week and does not require a system reboot, targets Windows 11 systems where the RRAS role is enabled—shutting down attack paths that could allow remote code execution or privilege escalation.

What the Emergency Fix Addresses

At the center of the patch are three critical flaws in RRAS, a Windows component that enables VPN, dial-up, and routing capabilities. Though Microsoft has not yet published detailed CVE descriptions—missing at the time of writing from the Security Update Guide—critical severity ratings typically signal that attackers could remotely execute code or gain elevated privileges without user interaction. The out-of-band nature of the release suggests that these vulnerabilities carry a high risk of exploitation in the wild.

The patch is delivered as a hotpatch, meaning it applies directly to in-memory code without forcing a system restart. For organizations that rely on RRAS for always-on VPNs or branch-office connectivity, that is a significant operational advantage: no downtime, no service interruption, and no disruption to remote workers.

Who Is Affected—and Who Isn’t

RRAS is not a default-enabled feature on most Windows 11 installations. It is typically installed on servers or on workstations configured as routing or remote access points. In practice, this means:

  • Enterprise environments: Any machine acting as a VPN or dial-up server, or running the RRAS management console, is exposed. This includes many branch-office appliances and remote access gateways.
  • Small businesses and power users: Those who have manually installed the RRAS role for remote connectivity or lab environments should patch immediately.
  • Home users and standard Windows 11 Pro/Home devices: Very unlikely to have RRAS enabled. These editions do not include the RRAS role by default, and the hotpatch itself is not offered to them—only to Enterprise and Education SKUs with appropriate licensing.

Even if you think RRAS is not in use, checking is straightforward. Open Windows Features (optionalfeatures.exe) and look for “Routing and Remote Access services” under Remote Server Administration Tools. If it’s checked, you need the patch.

How Hotpatching Works on Windows 11

Hotpatching isn’t new to the Windows world, but it is new to the desktop client. The technology debuted in Windows Server 2022 Datacenter: Azure Edition, where Microsoft wanted to minimize reboots for cloud-hosted workloads. Now it’s gradually coming to Windows 11 Enterprise, provided you have the correct licensing.

Here’s what you need to know about the mechanism:

Edition Hotpatch Available? Notes
Windows 11 Home No Must use standard cumulative updates; reboots required
Windows 11 Pro No Same as Home
Windows 11 Enterprise Yes* Requires an Enterprise E3/E5 license or equivalent; see below
Windows 11 Education Yes* Same licensing requirements as Enterprise
Windows Server 2022+ Yes* Only Datacenter: Azure Edition receives full hotpatch support

Hotpatches cover only a specific subset of security fixes each month—typically critical and important-rated items. Non-security updates and some security patches still require traditional cumulative updates and reboots.

Technically, a hotpatch works by patching the running process in memory. The update revises code sections without restarting services, leveraging the way Windows handles paging and memory mapping. This means your firewall service, VPN endpoint, or RRAS management tool can keep running uninterrupted. For administrators, the operational benefit is clear: maintenance windows shrink, and uptime goals become easier to hit.

The Urgency Behind the Out-of-Band Release

Monthly Patch Tuesday updates are the norm, so when Microsoft breaks cadence, it gets everyone’s attention. Out-of-band releases typically indicate one of two scenarios:

  1. Active exploitation: Attackers are already targeting the vulnerabilities in the wild.
  2. Imminent threat of exploitation: A proof-of-concept exists, and exploitation is expected within hours or days.

Microsoft’s advisory for this hotpatch does not explicitly confirm active attacks, but the urgency is unmistakable. Critical RRAS bugs have historically been juicy targets—think back to CVE-2020-1350 (SIGRed), a critical DNS server flaw that could be wormable. While routing and remote access services don’t face the internet as often as web servers, they are exposed in many enterprise VPN setups, making them an attractive chokepoint for attackers seeking lateral movement or credential theft.

If your network uses Windows-based VPN or routing infrastructure, assume risk is elevated until you’ve applied this fix.

What Administrators Should Do Now

  1. Verify RRAS installation. On any Windows 11 machine that might be acting as a router or VPN server, run Get-WindowsFeature -Name RemoteAccess in PowerShell as admin. If the status is “Installed,” continue.
  2. Check for the hotpatch. Open Windows Update and look for a security hotpatch labeled “Out-of-band” or with a KB article number that hasn’t been part of the regular monthly rollup. At the time of writing, Microsoft had not published the KB number; if it’s missing, use the standard cumulative update (which requires a reboot) as a fallback.
  3. Deploy via existing tools. For managed environments, approve the hotpatch in WSUS or Microsoft Endpoint Manager. Since it’s a hotpatch, you can push it during business hours without forcing reboots—just ensure users know a background update is happening.
  4. Harden RRAS configurations. This is a good moment to review your RRAS settings. Disable legacy protocols (PPTP, L2TP without IPSec), enforce multi-factor authentication for VPN connections, and limit the service’s listening interfaces to only those network adapters that need it.
  5. Monitor for abuse. If you can’t patch immediately, monitor RRAS-related event logs (Event Viewer → Applications and Services Logs → Microsoft → Windows → RemoteAccess) for unusual activity, such as repeated authentication failures or unexpected configuration changes.

For most organizations, the rapid application of this hotpatch is the primary action. Don’t wait for the next Patch Tuesday.

How We Got Here: Hotpatching’s Road to Windows 11

Microsoft’s hotpatching journey started with Windows Server in 2021, but the roots go deeper. The company had experimented with “reboot-less” updates back in the Windows 10 era using registry and image-based patching, but the results were inconsistent. The modern hotpatching engine relies on the Windows Trusted Execution Environment (TEE) and a version of the Windows kernel that can map in updated code without a full service restart.

Windows 11 quietly gained hotpatching capabilities in version 22H2 for Enterprise editions with specific subscriptions—Microsoft 365 E3/E5 or Windows Enterprise E3/E5. The feature is not advertised loudly because it’s still a premium offering that requires careful validation. Each month, Microsoft releases a baseline cumulative update; hotpatches are built on top of that baseline and only include fixes vetted for live patching.

Critics say hotpatching should be available to all Windows users, arguing that reboots are productivity killers. Microsoft’s position is that the underlying memory-protection model demands a tightly controlled ecosystem to avoid stability risks. Over time, we may see hotpatching expand to consumer SKUs, but for now, it remains a differentiator for enterprise licensing.

This RRAS hotpatch is a test case. If it deploys smoothly and prevents exploitation, expect to see more critical patches skipping the reboot queue.

What’s Next

Microsoft will likely publish CVE identifiers and details in the coming days. Security teams should watch the MSRC portal for the official advisory, which may bring additional guidance—especially if evidence of active attacks surfaces. After that, the next cumulative update will bake in these fixes permanently, so even non-hotpatch users will get them by next Patch Tuesday.

Longer term, the industry trend is clear: live patching is becoming a must-have for critical infrastructure. With Windows Server 2025 on the horizon and cloud-native expectations rising, Microsoft will continue to invest in minimizing downtime. For today, the message is simple: if you run RRAS on Windows 11, grab the hotpatch now. If you can’t get the hotpatch, install the full update and schedule that reboot—the risk of leaving these bugs unpatched is simply too high.