Microsoft has fixed a zero-day vulnerability, tracked as CVE-2026-21525, in the Windows Remote Access Connection Manager (RasMan) service that enabled attackers to cause denial-of-service (DoS) conditions on unpatched systems. The vulnerability, which results from a NULL pointer dereference (CWE-476), was actively exploited in the wild prior to disclosure and received an "Exploitation Detected" rating in Microsoft's MSRC exploitability index.

RasMan, a crucial Windows component that manages remote access connections such as dial-up and VPNs, crashes when processing malformed data because of incorrect NULL pointer validation. An unauthorized attacker needs only local access to send crafted input, with no elevated privileges or user interaction, which causes the service to dereference a NULL pointer and stop.

This affects high availability, since the service occasionally fails to restart on its own, disrupting remote connectivity for users and servers. Attackers exploit RasMan.dll or associated modules by triggering a vulnerable code path in rascustom during connection negotiation. A simple local script or binary can flood the service with invalid packets, causing it to dereference uninitialized pointers.

Although 0patch researchers verified real-world exploitation, proof-of-concept code has not yet been publicly proven (E:U). The problem is fixed in the February 2026 Patch Tuesday release (published on February 10) for the following systems: Windows Server 2012 R2 (Core/Full): KB5075970, build 6.3.9600.23022; Windows 11 26H1 (x64/ARM64): KB5077179, build 10.0.28000.1575; Windows Server 2012 (Core): KB5075971, build 6.2.9200.25923. Microsoft requires immediate patching, which can be done through the Microsoft Update Catalog or Windows Update. Check support lifecycles for older OSes.

The vulnerability was found and reported through coordinated disclosure by the 0patch vulnerability research team (0patch by ACROS Security, 0patch.com). Microsoft credits them in its acknowledgements. Organizations should prioritize RasMan-exposed endpoints, turn on automatic updates, and watch for unusual service crashes.
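One way to act on the patch and crash-monitoring advice above is a read-only PowerShell triage of the local host. This is an added example, not code from Microsoft or 0patch: it compares the running build revision with the fixed builds listed in this article and counts unexpected RasMan terminations. The function names, the 14-day lookback, and the use of Service Control Manager events 7031 and 7034 (the standard "service terminated unexpectedly" events) are assumptions of the example.

```powershell
# Added example: read-only triage for CVE-2026-21525 on the local host.
# Fixed revision per OS build, taken from the builds listed in the article.
$FixedUbr = @{ '9200' = 25923; '9600' = 23022; '28000' = 1575 }
$LookbackDays = 14   # assumption: adjust to your System log retention

function Get-RasManPatchState {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuildNumber
    $ubr   = $cv.UBR                      # update revision; may be absent on older releases
    if (-not $FixedUbr.ContainsKey($build))  { $state = 'BuildNotListedInArticle' }
    elseif ($null -eq $ubr)                  { $state = 'RevisionUnknown' }
    elseif ([int]$ubr -ge $FixedUbr[$build]) { $state = 'Patched' }
    else                                     { $state = 'Vulnerable' }
    [pscustomobject]@{ Build = $build; Revision = $ubr; State = $state }
}

function Get-RasManCrashEvent {
    param([int]$Days = $LookbackDays)
    # The SCM writes the (localized) display name into the event, so match on that.
    $name   = (Get-Service -Name RasMan).DisplayName
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031, 7034          # service terminated unexpectedly
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports "no events found" as an error; an empty result is fine here.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $name } |
        Select-Object TimeCreated, Id, @{ n = 'Service'; e = { $name } }
}

$patch   = Get-RasManPatchState
$crashes = @(Get-RasManCrashEvent)         # newest event first
[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    Build        = $patch.Build
    Revision     = $patch.Revision
    PatchState   = $patch.State
    ServiceState = (Get-Service -Name RasMan).Status
    CrashCount   = $crashes.Count
    LastCrash    = ($crashes | Select-Object -First 1).TimeCreated
}
```

A non-zero crash count on a host that is still below the fixed revision is a reason to patch and investigate first; a RasMan crash on its own does not establish exploitation.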

Exposure is increased by local-only insider threats or early footholds (such as through phishing). Other than turning off RasMan, which prevents remote access, there are no other solutions.