OOB Alert: Critical RRAS RCE Flaw (CVE-2024-26169) in Windows 11 Hotpatch

BackupBoss_Greg 3/15/2026 USER

Saw this drop on BleepingComputer earlier. Microsoft pushed an out-of-band update specifically for Windows 11 23H2 Enterprise setups using the new Hotpatch feature.

The flaw is tracked as CVE-2024-26169, a critical Remote Code Execution (RCE) vulnerability in the Routing and Remote Access Service (RRAS).

If you are running VPN gateways or DirectAccess on Windows 11 (admittedly rare for a server role, but happens in edge cases/SMB), check your configs immediately. What makes this interesting is that it is a hotpatch-specific fix. This implies the standard cumulative update path might have left a window of exposure, or rather, this patch is required before the next cycle if you are relying on that feature.

To verify if the specific OOB update (KB5035858 in this context, though verify against your specific release notes) is installed, I'm using this snippet:

Get-HotFix | Where-Object {$_.HotFixID -eq "KB5035858"} | Select-Object HotFixID, InstalledOn, Description


You can also check if your system is actually configured for hotpatching (requires specific SKU and setup):

Get-ComputerInfo | Select-Object OsName, WindowsVersion, OsHardwareAbstractionLayer


RRAS isn't enabled by default on standard endpoints, so the exposure for general workstations is likely low, but this is a big deal for anyone testing Windows 11 as a soft router or edge appliance.

Is anyone actually trusting the Hotpatch feature in production yet, or are you all sticking to traditional reboots for critical infrastructure?
whatahey 3/15/2026

We're staying away from Hotpatching in production for exactly this reason. The complexity of managing two different patching pipelines (cumulative vs. hotpatch) adds too much cognitive load for the patch team. If RRAS is running, it's usually on a Server OS anyway, but I've seen some weird 'branch office' setups where they use Win11 as a router. Definitely worth checking for.

BlueTeam_Alex 3/15/2026

For detection, if you aren't patching immediately, you should set up a honeytoken or strict alerting on the Routing and Remote Access service. Since it's an RCE, you're looking for unusual service starts or child processes spawning from svchost.exe with the RRAS PID.

You can use this PowerShell snippet to monitor for unexpected starts:

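# SCM event 7036 logs the service display name ("Routing and Remote Access"), so match that as well as the service name
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; ID=7036} | Where-Object {$_.Message -match 'Routing and Remote Access|RemoteAccess'} | Select-Object TimeCreated, Message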
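
The checks from the posts above (KB presence, RRAS service state, child processes of the hosting svchost.exe) combined into one triage function, as an added example that is not part of any original post. The function name `Get-RrasExposure` and the output field names are hypothetical; the KB number is the one quoted in the thread and should be confirmed against your release notes.

```powershell
# Added example: single-host RRAS exposure triage. Run from an elevated session.
function Get-RrasExposure {
    param(
        # KB number as quoted in the thread; verify against your own release notes.
        [string]$KbId = 'KB5035858'
    )

    # 'RemoteAccess' is the service name behind "Routing and Remote Access".
    $svc     = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteAccess'"
    $patched = [bool](Get-HotFix | Where-Object HotFixID -eq $KbId)

    $children = @()
    $coHosted = @()
    if ($svc -and $svc.ProcessId -ne 0) {
        $hostPid = $svc.ProcessId

        # Other services sharing the same svchost.exe. If this list is not
        # empty, a child process cannot be attributed to RRAS by PID alone.
        $coHosted = @(Get-CimInstance -ClassName Win32_Service -Filter "ProcessId=$hostPid" |
            Where-Object Name -ne 'RemoteAccess' |
            Select-Object -ExpandProperty Name)

        # Processes whose parent is the svchost.exe instance hosting RRAS.
        $children = @(Get-CimInstance -ClassName Win32_Process -Filter "ParentProcessId=$hostPid" |
            Select-Object ProcessId, Name, CommandLine, CreationDate)
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RrasInstalled  = [bool]$svc
        State          = $svc.State        # Running / Stopped, empty if not installed
        StartMode      = $svc.StartMode    # Auto / Manual / Disabled
        HostPid        = $svc.ProcessId    # 0 when the service is stopped
        CoHostedWith   = $coHosted
        ChildProcesses = $children
        KbInstalled    = $patched
        # Flag hosts where RRAS can start and the KB is not reported as installed.
        NeedsAttention = [bool]($svc -and $svc.StartMode -ne 'Disabled' -and -not $patched)
    }
}

Get-RrasExposure | Format-List
```

Parent PIDs can be reused after the original parent exits, so compare each child's `CreationDate` with the svchost start time before treating it as suspicious.
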
VPN_Expert_Nico 3/15/2026

Good catch on the SKU requirement. Hotpatch is only available on specific Enterprise editions (Windows 11 Enterprise, multi-session, etc.). Most orgs I audit have the license but haven't flipped the switch on the update policy. Still, CVE-2024-26169 has a CVSS of 8.8, so if you are in the beta/early adopter group for this tech, treat it as P0.
