Microsoft has issued an out-of-band security update to address several critical vulnerabilities in Windows 11 that could allow attackers to execute malicious code through the system’s remote access management tools.
The patch targets flaws in the Windows Routing and Remote Access Service (RRAS) and is being delivered as a hotpatch, allowing systems to receive the fix without requiring a restart.
If a user connects to a malicious remote server, “… an attacker could disrupt the tool or run code on your device,” Microsoft warns in its advisory.
Inside the Windows RRAS vulnerabilities
The update addresses three vulnerabilities in the Windows RRAS management tool.
RRAS plays a critical role in many enterprise networks by enabling administrators to manage remote access services, including VPN connectivity, routing functions, and remote administration.
The flaws are tracked as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111, each of which could allow an attacker to execute arbitrary code or disrupt system operations under certain conditions.
CVE-2026-25172
CVE-2026-25172 is a remote code execution vulnerability in the RRAS management tool that can be triggered when a user or administrator connects to a malicious server through the RRAS interface.
A specially crafted response from the attacker-controlled server could allow the attacker to disrupt service operations or execute arbitrary code on the victim’s system, potentially giving the attacker control over the affected device.
CVE-2026-25173
CVE-2026-25173 is a related vulnerability affecting the same RRAS management component.
As with CVE-2026-25172, exploitation occurs when a user or administrator connects to an attacker-controlled server. Once the connection is established, the attacker may be able to execute code on the victim system or trigger a denial-of-service condition that disrupts RRAS functionality.
CVE-2026-26111
CVE-2026-26111 is an additional vulnerability in the RRAS management tool that further increases the risk of remote code execution during interactions with malicious servers.
While the exploitation scenario is similar, this flaw compounds the overall threat by providing another pathway for attackers to execute malicious code or destabilize the service during remote management operations.
All three vulnerabilities share a similar attack scenario centered on how the RRAS management tool interacts with remote servers.
In a potential exploitation scenario, an attacker could configure a malicious or rogue server designed to interact with the RRAS interface. If a system administrator or user attempts to connect to that server through the management tool, the malicious server could exploit the vulnerability during the connection process.
Although exploitation requires user interaction, the vulnerabilities are particularly dangerous because RRAS operates with elevated privileges. This potentially allows attackers to deploy malware, alter network configurations, or gain a foothold for lateral movement.
Microsoft did not report any active exploitation of these vulnerabilities in its advisory.
How organizations can reduce RRAS risk
Because RRAS services often operate with elevated privileges and play a central role in enterprise connectivity, a successful compromise could have significant operational and security impacts.
Organizations should implement layered defenses that limit exposure, restrict administrative access, and improve visibility.
- Apply the latest patch to affected Windows 11 systems and test it in a staging environment before deploying it to production.
- Restrict RRAS management access to authorized administrators only using role-based access control (RBAC), privileged access management, or just-in-time (JIT) access to reduce the number of users who can initiate remote connections.
- Disable the RRAS role or management tools on systems where they are not required to reduce the overall attack surface and limit opportunities for exploitation.
- Restrict connections to trusted remote servers and implement outbound network filtering or firewall rules to prevent administrative systems from connecting to unknown or attacker-controlled hosts.
- Segment remote access infrastructure and administrative workstations onto dedicated management networks to limit lateral movement if a system is compromised.
- Deploy EDR and centralized logging to monitor for suspicious RRAS activity, unusual outbound connections, or unexpected process execution tied to remote access tools.
- Regularly test incident response plans and use attack simulation tools with scenarios around the exploitation of remote management tools.
Collectively, these measures can help organizations reduce exposure to RRAS-related threats while strengthening overall resilience against attempts to exploit remote management infrastructure.
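The following PowerShell script is an added example of how an administrator could audit a Windows 11 workstation against the mitigations above; it is not part of the article or of Microsoft's advisory. It assumes an elevated PowerShell session, that the RSAT Remote Access management tools ship as a Windows capability whose name begins with Rsat.RemoteAccess (the usual package name on current Windows 11 builds), and that the trusted server addresses in $TrustedRrasServers are placeholders to be replaced with your own management-network hosts. Because the article does not give the KB number of the out-of-band update, the script lists the most recent hotfixes rather than checking for a specific one.

```powershell
# Audit-RrasExposure.ps1 (example name)
# Added example, not from the article or from Microsoft. Run elevated.
# Reports RRAS service state, whether the RRAS management console (RSAT
# Remote Access tools) is installed, recently installed updates, and any live
# MMC connections to hosts outside the trusted list. With -Remediate it also
# removes the management tools, for systems that do not need them.
param(
    [string[]]$TrustedRrasServers = @('10.10.0.5', '10.10.0.6'),  # placeholder values
    [switch]$Remediate
)

$findings = @()

# 1. RRAS service itself. On a client OS it is normally not installed.
$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "RemoteAccess service present: Status=$($svc.Status) StartType=$($svc.StartType)"
} else {
    $findings += "RemoteAccess service not installed"
}

# 2. RSAT Remote Access management tools, which host the RRAS console the
#    advisory concerns. Capability name prefix is an assumption (see lead-in).
$caps = Get-WindowsCapability -Online -Name 'Rsat.RemoteAccess*' -ErrorAction SilentlyContinue
if (-not $caps) {
    $findings += "No Rsat.RemoteAccess capability found"
}
foreach ($cap in $caps) {
    $findings += "Capability $($cap.Name): $($cap.State)"
    if ($Remediate -and $cap.State -eq 'Installed') {
        Remove-WindowsCapability -Online -Name $cap.Name | Out-Null
        $findings += "Removed $($cap.Name)"
    }
}

# 3. Most recent updates, so the out-of-band fix can be confirmed against the
#    KB number in Microsoft's advisory (not given in the article).
$recent = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5
foreach ($h in $recent) {
    $findings += "Hotfix $($h.HotFixID) installed $($h.InstalledOn)"
}

# 4. Established outbound connections from mmc.exe (the host process for the
#    RRAS snap-in) to addresses outside the trusted list. Connecting the
#    console to an untrusted server is the precondition for the attack
#    scenario the advisory describes, so flag it.
foreach ($proc in (Get-Process -Name mmc -ErrorAction SilentlyContinue)) {
    $conns = Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        if ($TrustedRrasServers -notcontains $c.RemoteAddress) {
            $findings += "ALERT: mmc.exe (PID $($proc.Id)) connected to untrusted host $($c.RemoteAddress):$($c.RemotePort)"
        }
    }
}

$findings
```

Run it read-only first (`.\Audit-RrasExposure.ps1`) and review the output; add `-Remediate` only on systems where the RRAS console is confirmed unnecessary, which matches the article's advice to remove the management tools where they are not required. The connection check is a point-in-time snapshot; for continuous coverage, the same condition (mmc.exe establishing a connection to a host outside the management network) is what an EDR or centralized-logging rule should alert on.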
This article originally appeared on our sister website, eSecurityPlanet.