🟢 CVE-2026-21525

CVE-2026-21525 is a null pointer dereference vulnerability in Windows Remote Access Connection Manager that allows local denial of service attacks. Despite being in CISA KEV, the CVSS attack vector is LOCAL, making it unsuitable for direct internet exploitation.

Risk Level: LOW_RISK

CVSS Score: 6.2

Attack Vector: LOCAL

ATT&CK Tactic: Impact

ATT&CK Technique: T1499 — Endpoint Denial of Service

Deployment Risk: LOW

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2026-02-10

Added to CISA KEV: 2026-02-10 (0 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2026-21525 is a vulnerability affecting the Windows Remote Access Connection Manager (`rasman`), a service responsible for managing VPN connections and dial-up networking [3].

Here is the current information regarding this vulnerability:

Exploitation and Threat Activity

  • Active Exploitation: The vulnerability has been reported as being actively exploited in the wild [1] [5].
  • Threat Actor Usage: There is currently no public information identifying specific threat actors or ransomware groups utilizing this vulnerability in their campaigns.
  • Targeted Attacks: While it is being exploited in the wild, there is no specific evidence confirming it is being used in targeted attacks versus opportunistic ones.

Attack Method and Impact

  • Vulnerability Type: It is a null pointer dereference vulnerability [2].
  • Exploitation Requirements: The attack is performed locally [2]. It does not appear to require network-based remote access for the initial exploit trigger.
  • Impact: Successful exploitation results in a Denial of Service (DoS), allowing an attacker to crash the system and disrupt remote connections [2] [1].

Exploit Availability

  • As of June 2026, there is no widely reported public proof-of-concept (PoC) or exploit tool available in common security repositories [4].

Patch and Mitigation Status

  • Patch Status: Microsoft has released a fix for this vulnerability [1]. Users are advised to apply the latest security updates provided by Microsoft to mitigate the risk.
  • Affected Versions: The vulnerability affects the Windows Remote Access Connection Manager service across the Windows ecosystem [1].

Sources

  1. Microsoft fixes Windows RasMan zero-day vulnerability CVE-2026 ...

    This flaw, tracked as CVE-2026-21525, is actively exploited in the wild, enabling attackers to crash systems and disrupt remote connections—a ... 🚨 Windows RasMan Zero‑Day (CVE‑2026‑21525) Actively Exploited Denial‑of‑Service Risk Across Windows Ecosystem Microsoft has released an urgent fix for CVE…

  2. CVE-2026-21525 Detail - NVD

    Description. Null pointer dereference in Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally. Metrics. CVSS Version ...

  3. CVE Details | turingsecure

    CVE-2026-21525 is a null pointer dereference vulnerability in the Windows Remote Access Connection Manager (rasman), a system service responsible for managing VPN connections, dial-up networking, and related remote access functionality.

  4. CVE-2026-21525 - Exploits & Severity - Feedly

    CVE-2026-21525 is a critical 0-day vulnerability in the Windows Remote Access Connection Manager that is currently being actively exploited in the wild. There is no additional information provided regarding CVSS scores, proof-of-concept exploits, mitigations, detections, patches, or downstream impac…

  5. CVE-2026-21525 | Microsoft Windows Vulnerability | UpGuard

    CVE-2026-21525 is a medium-severity Windows DoS vulnerability in Remote Access Connection Manager that is actively being exploited in the wild.