CVE ID: CVE-2026-21525
Published: 2026-02-10
Updated: last month
Vendor/s: Microsoft
Product/s: Windows
Version/s: * > 10.0.14393.8868
KEV Status: Active Exploitation. Listed in CISA's Known Exploited Vulnerabilities catalogue. Active exploitation observed in the wild.
CVSS Score (v3.1): 6.2 / 10 (Medium)

Severity Details

Base score: 6.2 Medium
Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Description

CVE-2026-21525 is a medium-severity Windows DoS vulnerability in Remote Access Connection Manager that is actively being exploited in the wild.

CPE

Microsoft
Product                    Version Start   Version End (excl.)   Status
windows_10_1607            *               10.0.14393.8868       vulnerable
windows_10_1809            *               10.0.17763.8389       vulnerable
windows_10_21h2            *               10.0.19044.6937       vulnerable
windows_10_22h2            *               10.0.19045.6937       vulnerable
windows_11_23h2            *               10.0.22631.6649       vulnerable
windows_11_24h2            *               10.0.26100.7781       vulnerable
windows_11_25h2            *               10.0.26200.7781       vulnerable
windows_server_2012        -               -                     vulnerable
windows_server_2012        r2              r2                    vulnerable
windows_server_2016        *               10.0.14393.8868       vulnerable
windows_server_2019        *               10.0.17763.8389       vulnerable
windows_server_2022        *               10.0.20348.4711       vulnerable
windows_server_2022_23h2   *               10.0.25398.2149       vulnerable
windows_server_2025        *               10.0.26100.32313      vulnerable

Related weakness (CWE)

CWE-476

Remediation plan

1. Apply official patches

Download and install the latest security updates listed for CVE-2026-21525 in the Microsoft Security Update Guide. They address the null pointer dereference in the Remote Access Connection Manager.

2. Update affected systems

Ensure Windows 10 (versions 1607-22H2), Windows 11 (23H2-25H2), and Windows Server (2012-2025) are updated to at least the build that ends each vulnerable range in the CPE table (Version End is exclusive), such as 10.0.19045.6937 for Windows 10 22H2 or 10.0.26100.32313 for Server 2025.

3. Restrict access

Limit local access to sensitive systems and enforce the principle of least privilege to minimize the number of users capable of executing local code that could trigger the RasMan service crash.

4. Monitor for exploitation

Track Windows Event Logs for unexpected crashes of the 'RasMan' service (Remote Access Connection Manager) and associated 'svchost.exe' instances, which may indicate attempted exploitation of this vulnerability.

Detection Guidance

To detect potential exploitation of CVE-2026-21525, monitor the Windows System Event Log for Event ID 7034, indicating the 'Remote Access Connection Manager' service has terminated unexpectedly. Frequent, unexplained crashes of the RasMan service or its associated svchost.exe process are key indicators. Security teams should also leverage EDR solutions to identify suspicious local execution patterns or scripts targeting the RasMan component, as this is a local attack vector requiring code execution on the target host.
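One way to run the Event ID 7034 check described above on a single host, as an added example that is not part of the original advisory. The 7-day look-back and the threshold of 3 crashes per day are assumed values, and the match relies on the English service display name given on this page.

```powershell
# Added example (not from the advisory): summarize unexpected RasMan terminations per day.
# Assumed values: 7-day look-back and a review threshold of 3 crashes per day.
param(
    [int]$LookbackDays = 7,
    [int]$Threshold    = 3
)

# Display name as written on the page; on non-English systems the name is localized.
$ServiceDisplayName = 'Remote Access Connection Manager'

$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7034          # "service terminated unexpectedly"
    StartTime    = (Get-Date).AddDays(-$LookbackDays)
}

# Get-WinEvent reports an error when no event matches, so errors are silenced here.
# For Event ID 7034, the first event property holds the service display name.
$crashes = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $ServiceDisplayName })

if ($crashes.Count -eq 0) {
    Write-Output "No unexpected RasMan terminations in the last $LookbackDays day(s)."
    return
}

# One row per calendar day; Review is true when the daily count reaches the threshold.
$crashes |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    ForEach-Object {
        $ordered = $_.Group | Sort-Object TimeCreated
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Day       = $_.Name
            Crashes   = $_.Count
            FirstSeen = ($ordered | Select-Object -First 1).TimeCreated
            LastSeen  = ($ordered | Select-Object -Last 1).TimeCreated
            Review    = $_.Count -ge $Threshold
        }
    }
```

Rows with Review set to True are the "frequent, unexplained crashes" case and are worth correlating with EDR process telemetry for the same time window.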

References

Sources

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)
