theinfosecnews
theinfosecnews
Subscribe to Daily Digest

CVE-2026-21525

CISA KEV

Published February 10, 2026 · Updated April 3, 2026

high

What This Means

**CVE-2026-21525: Windows Remote Access Connection Manager NULL Pointer Dereference** The Remote Access Connection Manager service in Microsoft Windows contains a NULL pointer dereference flaw that allows a local attacker to crash the service and deny access to remote connections. An attacker with local system access can trigger this condition without authentication, disrupting VPN and dial-up connectivity for affected systems. **Actions for your SOC:** - Patch Windows systems immediately once Microsoft releases a security update for this CVE - Monitor for unexpected crashes or restarts of the Remote Access Connection Manager service (rasman.exe) as a detection indicator - Restrict local administrative access and enforce privilege boundaries to limit who can interact with the Remote Access Connection Manager API - If patching is delayed, consider disabling remote access services on systems that don't require them

Official Description+

Microsoft Windows Remote Access Connection Manager contains a NULL pointer dereference that could allow an unauthorized attacker to deny service locally.

Affected Products

VendorProduct
MicrosoftWindows

Patch Status

Patch by 2026-03-03

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
  4. Monitor vendor advisories for updates and additional mitigations.
  5. Review logs for indicators of compromise related to CVE-2026-21525.

Related Coverage

Vvulnerability

CVE-2026-21525: Windows Remote Access Connection Manager NULL Pointer Dereference Enables Local DoS

CVE-2026-21525 is a NULL pointer dereference in the Windows Remote Access Connection Manager (rasman.exe) that allows a local, unauthenticated attacker to crash the service and disrupt VPN and dial-up connectivity. No privileges are required beyond local system access, making the flaw relevant wherever an attacker has an existing foothold. CISA mandates federal agencies patch by 2026-03-03; organizations should apply Microsoft's security update immediately and restrict local access as an interim control.

CISA KEV·52d ago·3 min read