Microsoft Patches Windows Flaw Causing VPN Disruptions

Microsoft has patched a vulnerability in the Windows Remote Access Connection Manager (RasMan) service that was being exploited to trigger denial-of-service (DoS) conditions on unpatched systems. If exploited, the flaw can cause the remote access service to crash, potentially interrupting VPN connectivity and affecting remote access for users and administrators.

The vulnerability “… allows an unauthorized attacker to deny service locally,” Microsoft said in its advisory.

How the RasMan vulnerability works

RasMan is a core Windows service that manages remote access connections, including VPN and legacy dial-up services.

It plays a central role in enabling secure connectivity for remote employees, administrators, and systems that rely on tunneled network access. Because many organizations depend on VPN infrastructure to support hybrid work and distributed IT operations, disruptions to RasMan can have immediate operational consequences.

CVE-2026-21525 stems from a NULL pointer dereference vulnerability within the RasMan service.

The issue is caused by improper input validation during the connection negotiation process, specifically involving rascustom.dll or related modules. When RasMan processes specially crafted or malformed data, it may attempt to dereference an uninitialized (NULL) pointer, causing the service to crash.

Exploitation does not require elevated privileges or user interaction.

An attacker with basic local access to a vulnerable system can send crafted input or malformed packets to repeatedly trigger the vulnerable code path, which results in a DoS condition. In some cases, the RasMan service does not automatically restart after a crash, which can prolong connectivity outages until manual intervention.

Microsoft has confirmed the vulnerability is being actively exploited in the wild.

Reducing exposure to RasMan service crashes

Organizations should address this vulnerability using a layered approach that goes beyond patch deployment to include monitoring and system hardening.

- Patch affected systems and verify patch coverage through vulnerability scanning and build validation.
- Enable automatic updates and confirm operating systems remain within Microsoft’s support lifecycle to ensure continued access to security fixes.
- Monitor for repeated RasMan service crashes, unexpected restarts, and abnormal VPN negotiation activity, and configure service recovery options to automatically restart and alert on failures.
- Review EDR and Windows event logs for suspicious local activity, including processes interacting with RasMan components such as rasman.exe or rascustom.dll.
- Reduce local attack surface by enforcing least privilege, limiting interactive logon rights, removing unnecessary local admin accounts, and restricting RasMan to systems that require remote access.
- Implement application control policies, such as AppLocker or Microsoft Defender Application Control, to prevent unauthorized scripts or binaries from executing.
- Test incident response plans to ensure teams can quickly detect, contain, and recover from availability-focused attacks.

Collectively, these measures help reduce overall exposure and limit the potential blast radius if the vulnerability is exploited.
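The monitoring and service-recovery steps above can be scripted. The PowerShell below is an added example, not code from the article or from Microsoft: it sets restart-on-failure recovery for the service and counts recent unexpected terminations. The service short name `RasMan`, the 24-hour window, the threshold of 3, the 60-second restart delay and the `rasman|rascustom` match pattern are assumptions to adjust for your environment.

```powershell
# Added example. Assumptions: service short name 'RasMan', a 24-hour window,
# an alert threshold of 3 crashes, 60-second restart delays. Run elevated.
$ServiceName = 'RasMan'
$Window      = (Get-Date).AddHours(-24)
$Threshold   = 3

# 1. Service recovery: restart 60 s after each failure and reset the failure
#    counter after one day without a crash.
sc.exe failure $ServiceName reset= 86400 actions= restart/60000/restart/60000/restart/60000 | Out-Null
sc.exe qfailure $ServiceName

# 2. Unexpected terminations logged by the Service Control Manager.
#    7031 = terminated, recovery action taken; 7034 = terminated, no action.
#    This relies on the first event property being the service display name,
#    which avoids matching on localized message text.
$displayName = (Get-Service -Name $ServiceName).DisplayName
$scmCrashes = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7031, 7034; StartTime = $Window
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $displayName })

# 3. Application Error (event 1000) records whose text names the RasMan
#    components mentioned in the article.
$appCrashes = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'
        Id = 1000; StartTime = $Window
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'rasman|rascustom' })

# 4. Report the combined timeline for review or forwarding to a SIEM.
$scmCrashes + $appCrashes | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName, MachineName |
    Format-Table -AutoSize

if ($scmCrashes.Count -ge $Threshold) {
    Write-Warning ("{0} terminated unexpectedly {1} times since {2}; verify patch level and review local activity." -f $ServiceName, $scmCrashes.Count, $Window)
}
# A crash followed by a stopped service matches the prolonged-outage case.
if ($scmCrashes.Count -gt 0 -and (Get-Service -Name $ServiceName).Status -ne 'Running') {
    Write-Warning "$ServiceName crashed and is not running; manual restart may be required."
}
```

RasMan may legitimately be stopped on hosts that do not use remote access, which is why the last check only fires when a crash was also recorded.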

Although not an RCE or privilege escalation flaw, CVE-2026-21525 underscores how availability vulnerabilities in core infrastructure components can create operational risk when actively exploited. For enterprises that depend on VPN-based access, sustained disruption to RasMan can affect administrative workflows, remote productivity, and service reliability.

Editor’s note: This article originally appeared on our sister website, eSecurityPlanet.
