What is Windows Remote Access Connection Manager?
Windows Remote Access Connection Manager (RasMan) is the Windows service responsible for managing dial-up and VPN connections. It runs as a system service (svchost.exe -k netsvcs) and provides the infrastructure for establishing, maintaining, and terminating VPN tunnels, including WireGuard, IKEv2, L2TP/IPsec, and legacy PPTP connections. Any application or user initiating a VPN connection on Windows uses RasMan. Crashing RasMan terminates all active VPN connections and remote access sessions on the affected system, disrupting secure remote work and network segmentation that depends on VPN connectivity.
Overview
CVE-2026-21525 is a NULL pointer dereference vulnerability (CWE-476) in the Windows Remote Access Connection Manager (RasMan) service. When RasMan processes specially crafted or malformed connection data, it dereferences a NULL pointer, crashing the service and terminating all active VPN and remote access connections. The attack requires local access but no authentication and no user interaction. The vulnerability was exploited as a zero-day and was fixed in Microsoft's February 2026 Patch Tuesday release. Despite the "MEDIUM" CVSS score, CISA's KEV listing confirms real-world exploitation, likely as a disruptive step in broader attack campaigns.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Windows 10 (1607, 1809, 21H2, 22H2) | All builds before Feb 2026 CU | February 2026 Cumulative Update |
| Windows 11 (26H1 x64/ARM64) | All builds before Feb 2026 CU | February 2026 Cumulative Update (KB5077179, build 10.0.28000.1575) |
| Windows Server 2012 | All builds before Feb 2026 patch | February 2026 Security Update (KB5075971, build 6.2.9200.25923) |
| Windows Server 2012 R2 | All builds before Feb 2026 patch | February 2026 Security Update (KB5075970, build 6.3.9600.23022) |
| Other supported Windows Server versions | All builds before Feb 2026 patch | February 2026 Security Update |
Technical Details
The vulnerability (CWE-476: NULL Pointer Dereference) is in RasMan's connection processing logic, specifically within rascustom.dll or related modules. When processing malformed or specially crafted connection parameters, RasMan attempts to dereference a pointer that has not been properly initialized, resulting in a NULL pointer dereference. This causes the RasMan service to crash, which Windows may or may not automatically restart depending on the service recovery configuration.
The crash terminates all active VPN tunnels managed by the service. In environments where remote workers or branch offices depend on VPN for network access, this can instantly sever connectivity. In security-segmented architectures where VPN is used to enforce network isolation, disrupting RasMan can break intended security boundaries. The 0patch vulnerability research team identified the issue and was credited in Tenable's February 2026 Patch Tuesday analysis.
Discovery
Credited to the 0patch vulnerability research team.
Exploitation Context
Confirmed zero-day exploitation in the wild, per the CISA KEV listing. Despite the "Denial of Service" classification and medium CVSS score, in-the-wild exploitation indicates active use in attack campaigns — likely as a disruptive or preparatory step. Crashing RasMan can sever VPN-based monitoring and EDR data feeds, create a brief window of reduced visibility, or disrupt incident response capabilities that depend on VPN-connected remote access. CISA added it to KEV with a federal remediation deadline of 3 March 2026. No specific threat actor has been publicly attributed.
Remediation
- Apply the February 2026 Patch Tuesday cumulative update to all affected Windows systems.
- Configure RasMan service recovery to automatically restart after a crash: Services → Remote Access Connection Manager → Recovery → set "First failure" and "Second failure" to "Restart the Service."
- Monitor RasMan for unexpected service crashes — a sudden RasMan crash, especially outside maintenance windows, may indicate exploitation.
- Restrict local access to systems running RasMan where possible — limit which users can execute local code on VPN concentrators and jump servers.
- Implement redundant VPN infrastructure so a single RasMan crash does not sever all remote access connectivity.
- Review logs after any unexpected VPN disconnections for evidence of preceding suspicious local activity.
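
The service-recovery and crash-monitoring items above as PowerShell, added here as an example and not taken from the advisory or from Microsoft. The 60-second restart delay, one-day failure-counter reset and 7-day review window are assumed values, and the script must run from an elevated session.

```powershell
# Added example: RasMan recovery settings plus a review of recent crashes.
$svc      = Get-Service -Name RasMan
$lookback = (Get-Date).AddDays(-7)      # assumed review window

# Restart 60 s after the first and second failure; reset the failure
# counter after 86400 s (one day). Delay and reset values are assumptions.
sc.exe failure RasMan reset= 86400 actions= restart/60000/restart/60000
sc.exe qfailure RasMan                  # show the resulting recovery policy

# Service Control Manager logs 7031/7034 when a service terminates
# unexpectedly. Match on the display name so localized systems work too.
$scm = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'
    Id = 7031, 7034; StartTime = $lookback
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$($svc.DisplayName)*" }

# Application Error (1000) records for the hosting process. Matching on
# 'RasMan' or 'rascustom' in the message is a heuristic, not a signature.
$app = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Application Error'
    Id = 1000; StartTime = $lookback
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'RasMan|rascustom' }

# Merge both sources into one timeline for review.
$crashes = @($scm) + @($app) | Sort-Object TimeCreated
if ($crashes) {
    $crashes | Select-Object TimeCreated, Id, ProviderName,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize -Wrap
} else {
    Write-Output "No unexpected $($svc.Name) terminations since $lookback."
}
```

Any hit outside a maintenance window is a starting point for the log review in the last remediation item, not proof of exploitation.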
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-21525 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2026-02-10 |
| NVD Last Modified | 2026-03-30 |
| CVSS 3.1 Score | 6.2 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Severity | MEDIUM |
| CWE | CWE-476 |
| CISA KEV Added | 2026-02-10 |
| CISA KEV Deadline | 2026-03-03 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2026-02-10 | February 2026 Patch Tuesday — patch released; CVE published as active zero-day; added to CISA KEV catalog |
| 2026-03-03 | CISA BOD 22-01 remediation deadline |
| 2026-03-30 | NVD last modified |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center — CVE-2026-21525 | Vendor Advisory |
| NVD — CVE-2026-21525 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Tenable — February 2026 Patch Tuesday Analysis | Security Research |