Bad week for enterprise IT teams. Two critical vulnerabilities dropped targeting foundational infrastructure, and neither one can wait for next month’s patch cycle.

Microsoft just ran a 79-vulnerability Patch Tuesday. Then, days later, it shipped an emergency out-of-band hotpatch for Windows 11 Enterprise. Microsoft doesn’t do OOB releases for fun. They do them when leaving something unpatched is worse than disrupting every change management process in your org.

The flaw is in RRAS, the Routing and Remote Access Service. Remote code execution. An attacker who can reach the service gets arbitrary code execution, which in enterprise environments means elevated privilege and a launchpad for lateral movement. The hotpatch only applies to Windows 11 Enterprise devices enrolled in the hotpatch update channel, not to devices on standard Windows Update. If you’re on that channel, verify it deployed. If you’re not, check whether your Windows Server environment is separately affected.

But the HPE one might be worse.

AOS-CX runs on Aruba Networks switches. Core enterprise network infrastructure. The vulnerability lets an unauthenticated attacker remotely reset admin passwords. No credentials needed. None. The front door doesn’t have a lock.

An attacker who reaches the management interface can take over the switch, modify routing rules, redirect traffic, create backdoor access, and pivot into adjacent network segments. Full compromise from a single unauthenticated request. HPE rated it critical and the CVSS score reflects that.

Here’s the uncomfortable reality. Enterprise orgs don’t patch network switches casually. There’s an approval process, a maintenance window, a rollback plan. That’s not pointless bureaucracy. Patching production infrastructure wrong causes outages.

But the threat doesn’t wait for the maintenance window.

If your change management process doesn’t have an emergency track for critical CVEs, this is a painful time to discover that gap. Both patches are available now. The window should be measured in days, not weeks.
Read the full post on gNerdSEC