Microsoft Patches Windows Flaw Causing VPN Disruptions

Microsoft Patches Windows Flaw Causing VPN Disruptions

Microsoft Patches Windows Flaw Causing VPN Disruptions

Image: AndersonPiza/Envato

Microsoft patches CVE-2026-21525, an actively exploited RasMan flaw that can crash Windows VPN services and disrupt remote access.

Written By
Ken Underhill
Ken Underhill
Feb 11, 2026

Microsoft has patched a vulnerability in the Windows Remote Access Connection Manager (RasMan) service that was being exploited to trigger denial-of-service (DoS) conditions on unpatched systems.

If exploited, the flaw can cause the remote access service to crash, potentially interrupting VPN connectivity and affecting remote access for users and administrators.

The vulnerability “… allows an unauthorized attacker to deny service locally,” Microsoft said in its advisory.

How the RasMan vulnerability works

RasMan is a core Windows service that manages remote access connections, including VPN and legacy dial-up services. It plays a central role in enabling secure connectivity for remote employees, administrators, and systems that rely on tunneled network access.

Because many organizations depend on VPN infrastructure to support hybrid work and distributed IT operations, disruptions to RasMan can have immediate operational consequences.

CVE-2026-21525 stems from a NULL pointer dereference vulnerability within the RasMan service.

The issue is caused by improper input validation during the connection negotiation process, specifically involving rascustom.dll or related modules. When RasMan processes specially crafted or malformed data, it may attempt to dereference an uninitialized (NULL) pointer, causing the service to crash.

Exploitation does not require elevated privileges or user interaction.

An attacker with basic local access to a vulnerable system can send crafted input or malformed packets to repeatedly trigger the vulnerable code path, which results in a DoS condition. In some cases, the RasMan service does not automatically restart after a crash, which can prolong connectivity outages until manual intervention.

Microsoft has confirmed the vulnerability is being actively exploited in the wild.

Reducing exposure to RasMan service crashes

Organizations should address this vulnerability using a layered approach that goes beyond patch deployment to include monitoring and system hardening.

  • Patch affected systems and verify patch coverage through vulnerability scanning and build validation.
  • Enable automatic updates and confirm operating systems remain within Microsoft’s support lifecycle to ensure continued access to security fixes.
  • Monitor for repeated RasMan service crashes, unexpected restarts, and abnormal VPN negotiation activity, and configure service recovery options to automatically restart and alert on failures.
  • Review EDR and Windows event logs for suspicious local activity, including processes interacting with RasMan components such as rasman.exe or rascustom.dll.
  • Reduce local attack surface by enforcing least privilege, limiting interactive logon rights, removing unnecessary local admin accounts, and restricting RasMan to systems that require remote access.
  • Implement application control policies, such as AppLocker or Microsoft Defender Application Control, to prevent unauthorized scripts or binaries from executing.
  • Test incident response plans to ensure teams can quickly detect, contain, and recover from availability-focused attacks.

Collectively, these measures help reduce overall exposure and limit the potential blast radius if the vulnerability is exploited. Although not an RCE or privilege escalation flaw, CVE-2026-21525 underscores how availability vulnerabilities in core infrastructure components can create operational risk when actively exploited.

For enterprises that depend on VPN-based access, sustained disruption to RasMan can affect administrative workflows, remote productivity, and service reliability.

Editor’s note: This article originally appeared on our sister website, eSecurityPlanet.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.