Windows Remote Access Connection Manager 0-Day Vulnerability Let

Microsoft has patched a zero-day vulnerability, identified as CVE-2026-21525, affecting the Windows Remote Access Connection Manager (RasMan) service. This flaw enabled attackers to trigger denial-of-service (DoS) conditions on unpatched systems.

The flaw, stemming from a NULL pointer dereference (CWE-476), was actively exploited in the wild before disclosure, earning an “Exploitation Detected” rating from Microsoft’s MSRC exploitability index.

RasMan, a core Windows component handling remote access connections like VPNs and dial-up, crashes when processing malformed data due to improper NULL pointer validation.

An unauthorized local attacker requires only local access, no elevated privileges or user interaction, to send crafted input, causing the service to dereference a NULL pointer and halt.

This leads to high availability impact, with the service failing to restart automatically in some cases, disrupting remote connectivity for users and servers.

Attackers exploit RasMan by triggering a vulnerable code path in rascustom.dll or related modules during connection negotiation. A simple local script or binary can flood the service with invalid packets, dereferencing uninitialized pointers. Proof-of-concept code remains unproven publicly (E:U), but 0patch researchers confirmed real-world exploitation.

The February 2026 Patch Tuesday (released February 10) addresses the issue across:

• Windows 11 26H1 (x64/ARM64): KB5077179, build 10.0.28000.1575
• Windows Server 2012 R2 (Core/Full): KB5075970, build 6.3.9600.23022
• Windows Server 2012 (Core): KB5075971, build 6.2.9200.25923

Microsoft mandates immediate patching, available via Windows Update or the Microsoft Update Catalog. Check support lifecycles for older OSes.

The 0patch vulnerability research team, in collaboration with 0patch by ACROS Security (0patch.com), discovered and reported the flaw through coordinated disclosure. Microsoft credits them in its acknowledgements.

Organizations should prioritize RasMan-exposed endpoints, enable automatic updates, and monitor for unusual service crashes. While local-only, insider threats or initial footholds (e.g., via phishing) heighten exposure. No workarounds exist beyond disabling RasMan, which breaks remote access.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.