Critical Windows 11 RRAS Flaw: How to Apply the OOB Hotpatch and Secure Your Network

Security Arsenal Team
March 16, 2026

Microsoft has released an urgent out-of-band (OOB) update to address a critical security vulnerability (CVE-2024-38112) affecting Windows 11 Enterprise devices. This flaw specifically impacts the Routing and Remote Access Service (RRAS), a component often used in enterprise environments for VPN and dial-up networking.

For managed security service providers and internal IT teams, this update is significant because it targets systems utilizing the "Hotpatch" update model—a deployment method designed to reduce reboot requirements. If left unpatched, this Remote Code Execution (RCE) vulnerability could allow attackers to completely compromise a host, providing a gateway for lateral movement within the network.

Technical Analysis

The vulnerability resides in the Routing and Remote Access Service (RRAS). RRAS is a high-value target for attackers because it frequently operates with elevated privileges and is exposed to network traffic, making it an ideal entry point for initial access or persistence.

  • Vulnerability: Remote Code Execution (RCE)
  • Affected Component: Routing and Remote Access Service (RRAS)
  • Severity: Critical
  • Affected OS: Windows 11 Enterprise (specifically version 23H2 using the Hotpatch update model)
  • CVE ID: CVE-2024-38112 (CVSS Score 8.8)
  • Update ID: KB5042137

Unlike standard cumulative updates released on "Patch Tuesday," this is an out-of-band update. It was necessitated because the previous hotpatch (KB5041587) failed to adequately address the security flaw, leaving systems that rely on this patching methodology exposed.

Defensive Monitoring

Security Operations Center (SOC) teams must immediately identify assets running Windows 11 23H2 that have Hotpatching enabled. You must verify if the OOB update (KB5042137) has been successfully applied.

1. PowerShell: Check for Installation of KB5042137

Run the following script on local machines or via your endpoint management solution to verify patch status:

```powershell
# Check if the OOB Hotpatch KB5042137 is installed
$PatchID = "KB5042137"
$Installed = Get-HotFix -Id $PatchID -ErrorAction SilentlyContinue

if ($Installed) {
    Write-Host "[SECURE] $PatchID is installed. Installed On: $($Installed.InstalledOn)" -ForegroundColor Green
} else {
    Write-Host "[VULNERABLE] $PatchID is NOT installed." -ForegroundColor Red

    # Additional check: verify whether the RRAS service is present and report its current status
    $RRASService = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    if ($RRASService) {
        Write-Host "[WARNING] RRAS Service is detected on this machine (Status: $($RRASService.Status))." -ForegroundColor Yellow
    }
}
```

2. KQL for Microsoft Sentinel/Defender

Use the following KQL query in Microsoft Sentinel or Microsoft Defender to hunt for vulnerable devices across your estate:

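```kql
// DeviceTvmSoftwareVulnerabilities lists devices still flagged for a CVE;
// it has no IsInstalled column, so a returned row means the device needs attention.
let PatchKB = "KB5042137";
DeviceTvmSoftwareVulnerabilities
| where RecommendedSecurityUpdateId contains PatchKB or CveId == "CVE-2024-38112"
| project DeviceName, OSVersion, CveId, RecommendedSecurityUpdateId, VulnerabilitySeverityLevel
| distinct DeviceName, OSVersion, CveId, RecommendedSecurityUpdateId, VulnerabilitySeverityLevel
| order by DeviceName asc
```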

Remediation

Organizations must prioritize the deployment of the OOB update KB5042137 to all affected Windows 11 Enterprise devices.

Step 1: Deploy the Update

If you use Windows Update for Business or WSUS, ensure you have approved the "Update for Windows 11 Version 23H2 for x64-based Systems (KB5042137)".

For manual installation or immediate remediation of isolated assets, download the update from the Microsoft Update Catalog and install it via the command line:

```powershell
# Install the MSU package silently (replace path with actual location)
wusa.exe "C:\Path\To\windows11.0-kb5042137-x64.msu" /quiet /norestart
```

Step 2: Reduce Attack Surface

RRAS is not installed by default on standard Windows 11 workstations; it is primarily a server role or specific enterprise feature. If your organization does not actively use RRAS for VPN or routing services, the most effective defense is to disable and remove the service.

Disable RRAS Service:

```powershell
# Stop and disable the Remote Access Service if not required
Set-Service -Name RemoteAccess -StartupType Disabled
Stop-Service -Name RemoteAccess -Force
```

Step 3: Post-Patch Verification

After installation, a reboot may be required for the hotpatch to fully integrate, even though hotpatching aims to minimize this. Verify the system status by re-running the PowerShell monitoring script provided above and confirming that it reports KB5042137 as installed.
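To run the same verification across several hosts and rank what is left by RRAS exposure, the following is an added example, not part of the original article. The host names, the function name `Get-RrasPatchTriage` and the P1/P2/P3 labels are assumptions made for illustration, and the script assumes remote CIM (WinRM) access to each host.

```powershell
# Added example (not from the original article). Host names are constructed placeholders.
$PatchID   = 'KB5042137'
$Computers = @('WS-EXAMPLE-01', 'WS-EXAMPLE-02')

function Get-RrasPatchTriage {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $HotFixId
    )
    foreach ($Computer in $ComputerName) {
        $Row = [ordered]@{
            ComputerName = $Computer; Patched = $null
            RrasState = 'not present'; RrasStartMode = 'n/a'; Triage = ''
        }
        $Session = $null
        try {
            $Session = New-CimSession -ComputerName $Computer -ErrorAction Stop
            # Win32_QuickFixEngineering is the class Get-HotFix reads from
            $Fix = Get-CimInstance -CimSession $Session -ClassName Win32_QuickFixEngineering `
                -Filter "HotFixID='$HotFixId'" -ErrorAction Stop
            $Rras = Get-CimInstance -CimSession $Session -ClassName Win32_Service `
                -Filter "Name='RemoteAccess'" -ErrorAction Stop

            $Row.Patched = [bool]$Fix
            if ($Rras) { $Row.RrasState = $Rras.State; $Row.RrasStartMode = $Rras.StartMode }

            # Triage labels are this example's own convention
            $Row.Triage = if ($Row.Patched) {
                'OK - patched'
            } elseif ($Rras -and $Rras.State -eq 'Running') {
                'P1 - unpatched, RRAS running'
            } elseif ($Rras -and $Rras.StartMode -ne 'Disabled') {
                'P2 - unpatched, RRAS installed and startable'
            } else {
                'P3 - unpatched, RRAS absent or disabled'
            }
        } catch {
            # A failed query must not be read as "unpatched" or "patched"
            $Row.Triage = "UNKNOWN - query failed: $($_.Exception.Message)"
        } finally {
            if ($Session) { Remove-CimSession -CimSession $Session }
        }
        [pscustomobject]$Row
    }
}

Get-RrasPatchTriage -ComputerName $Computers -HotFixId $PatchID | Format-Table -AutoSize
```

Hosts that return UNKNOWN need a manual check; they are reported separately so that a connection failure is never counted as either patched or vulnerable.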


Staying ahead of critical vulnerabilities like the RRAS flaw requires constant vigilance. At Security Arsenal, we help Dallas businesses and enterprises nationwide manage their patch management lifecycle and respond to emerging threats.
