Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
MediumCISA KEVExploited in the wildPublic exploit

Windows Remote Access Connection Manager NULL Pointer Dereference DoS

IdentifiersCVE-2026-21525CWE-476· NULL Pointer Dereference

CVE-2026-21525 is a denial-of-service vulnerability in Microsoft Windows Remote Access Connection Manager (RasMan). The issue is described as a NULL pointer dereference in the RasMan service that can be triggered locally by an unauthorized attacker. Supporting content indicates the vulnerable code path occurs during remote access/VPN connection negotiation and may involve rascustom.dll or related RasMan modules processing malformed or specially crafted input, leading the service to dereference a NULL pointer and crash. Microsoft and multiple secondary sources describe the flaw as actively exploited in the wild at the time of patch release. Affected platforms include multiple supported Windows client and server versions.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation causes a local denial of service by crashing Windows Remote Access Connection Manager. Because RasMan manages remote access connectivity, exploitation can interrupt VPN and other remote access sessions, degrade administrative workflows, and reduce service reliability on VPN-dependent systems. Repeated triggering can sustain the outage, and some reporting indicates the service may not automatically restart after a crash, extending downtime until manual recovery. There is no evidence in the provided content that this vulnerability provides code execution or privilege escalation.

Mitigation

If you can’t patch tonight, do this now.

If patching cannot be completed immediately, reduce exposure by limiting local access to vulnerable systems, enforcing least privilege, restricting interactive logon rights, removing unnecessary local administrator accounts, and disabling or limiting RasMan on systems that do not require remote access functionality. Monitor for repeated RasMan crashes, unexpected service restarts, abnormal VPN negotiation activity, and suspicious activity involving rasman.exe or rascustom.dll in EDR and Windows event logs. Configure service recovery options to automatically restart RasMan on failure, and use application control such as AppLocker or Microsoft Defender Application Control to block unauthorized scripts or binaries that could be used to trigger the flaw locally.

Remediation

Patch, then assume compromise.

Apply Microsoft's February 2026 security updates for all affected Windows client and server versions. The provided content maps CVE-2026-21525 to cumulative updates across supported Windows releases, including Windows Server 2012/2012 R2/2016/2019/2022/2025 and multiple Windows 10 and Windows 11 versions. Organizations should verify patch deployment through Windows Update, update history, vulnerability scanning, and build validation, and keep systems within Microsoft's support lifecycle.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationWindows 10 1607operating_system
Microsoft CorporationWindows 10 1809operating_system
Microsoft CorporationWindows 10 21h2operating_system
Microsoft CorporationWindows 10 22h2operating_system
Microsoft CorporationWindows 11 23h2operating_system
Microsoft CorporationWindows 11 24h2operating_system
Microsoft CorporationWindows 11 25h2operating_system
Microsoft CorporationWindows 11 26h1operating_system
Microsoft CorporationWindows Server 2012operating_system
Microsoft CorporationWindows Server 2012 R2operating_system
Microsoft CorporationWindows Server 2016operating_system
Microsoft CorporationWindows Server 2019operating_system
Microsoft CorporationWindows Server 2022operating_system
Microsoft CorporationWindows Server 2022 23h2operating_system
Microsoft CorporationWindows Server 2025operating_system
Microsoft CorporationWindows Server 23h2operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

53 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

53 SOURCESView more in app
flareio blogNews
Mar 13, 2026
Cybercrime Intelligence After February 2026 Patch Tuesday - Flare

A locally exploitable denial of service vulnerability in Windows Remote Access Connection Manager that can disrupt VPN connectivity relying on that component.

Read more
nsfocus globalNews
Mar 4, 2026
Microsoft’s February Security Update of High-Risk Vulnerability Notice for Multiple Products - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.

A denial-of-service vulnerability in Windows Remote Access Connection Manager caused by a null pointer dereference, allowing an unauthenticated attacker to trigger a local DoS condition.

Read more
the hacker newsNews
Feb 16, 2026
Weekly Recap: Outlook Add-Ins Hijack, 0-Day Patches, Wormable Botnet & AI Malware

Unknown (listed as a trending Microsoft Windows CVE without details in the provided content).

Read more
techrepublic com securityNews
Feb 12, 2026
Microsoft’s February Patch Tuesday Fixes 6 Zero-Days Under Attack

A denial-of-service vulnerability in Windows Remote Access Connection Manager (RasMan) that can knock critical Windows networking services offline via a simple local trigger.

Read more
+21 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity22

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-21525
NVD
nvd.nist.gov/vuln/detail/CVE-2026-21525
MITRE CWE · CWE-476
NULL Pointer Dereference
Vendor Advisory
msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21525
Mitigation
vicarius.io/vsociety/posts/cve-2026-21525-mitigation-script-dos-vulnerability-in-windows-remote-access-connection-manager
Third Party Advisory
vicarius.io/vsociety/posts/cve-2026-21525-detection-script-dos-vulnerability-in-windows-remote-access-connection-manager
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21525