Microsoft Patches Actively Exploited Zero-Day in Windows RasMan Service
Microsoft has addressed a critical zero-day vulnerability (CVE-2026-21525) in the Windows Remote Access Connection Manager (RasMan) service, which was actively exploited in the wild prior to disclosure. The flaw, classified as a NULL pointer dereference (CWE-476), could allow attackers to trigger denial-of-service (DoS) conditions on unpatched systems.
RasMan, a core Windows component managing remote access connections such as VPNs and dial-up, crashes when processing malformed data due to improper NULL pointer validation. Exploitation requires only local access, with no elevated privileges or user interaction, making it a low-complexity attack. A crafted input can force the service to dereference a NULL pointer, halting operations and disrupting remote connectivity. In some cases, the service fails to restart automatically, amplifying availability risks.
The vulnerability was discovered and reported by the 0patch research team in collaboration with ACROS Security, with Microsoft crediting them in its acknowledgments. While proof-of-concept code has not been publicly released, real-world exploitation was confirmed, prompting Microsoft to assign an "Exploitation Detected" rating in its MSRC exploitability index.
The February 2026 Patch Tuesday release (February 10) fixes the flaw on affected systems, including:
- Windows 11 26H1 (x64/ARM64): KB5077179, build 10.0.28000.1575
- Windows Server 2012 R2 (Core/Full): KB5075970, build 6.3.9600.23022
- Windows Server 2012 (Core): KB5075971, build 6.2.9200.25923
Patches are available via Windows Update or the Microsoft Update Catalog. Microsoft has emphasized immediate deployment, though organizations using older operating systems should verify support lifecycles. No workarounds exist beyond disabling RasMan, which would break remote access functionality.
The flaw highlights risks from insider threats or initial compromise vectors like phishing, as local access is sufficient for exploitation. Enterprises are advised to prioritize patching RasMan-exposed endpoints and monitor for unusual service crashes.
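One way to script the two actions recommended above, confirming the fix is installed and watching for RasMan crashes, added here as an example and not taken from Microsoft or the article's source. The function names, the alert threshold and the sample data are assumptions; the KB IDs are the ones listed in the article, and 7031/7034 are the Service Control Manager events logged when a service terminates unexpectedly.

```powershell
# Added example. KB IDs are the ones listed in the article; 7031 and 7034 are
# the Service Control Manager "terminated unexpectedly" event IDs.
$FixKbs = 'KB5077179', 'KB5075970', 'KB5075971'

function Test-RasManFixInstalled {
    # $true if one of the article's KBs is in the installed list. A later
    # cumulative update that supersedes them will not match, so treat $false
    # as "verify the build", not as proof of exposure.
    param([string[]]$InstalledKbs)
    [bool]($InstalledKbs | Where-Object { $FixKbs -contains $_ })
}

function Get-RasManCrashSummary {
    # Keep only unexpected terminations of RasMan and flag repeated crashes.
    # Matching the English display name is an assumption about host locale.
    param([object[]]$Events, [int]$Threshold = 2)
    $hits = @($Events | Where-Object {
        ($_.Id -in @(7031, 7034)) -and
        ($_.Message -match 'Remote Access Connection Manager')
    })
    [pscustomobject]@{
        Count = $hits.Count
        Alert = ($hits.Count -ge $Threshold)
        Last  = ($hits | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
    }
}

# Constructed sample data so the logic can be exercised off-host.
$sampleKbs = 'KB0000000', 'KB5075970'   # first ID is a placeholder
$sampleEvents = @(
    [pscustomobject]@{ Id = 7031; TimeCreated = [datetime]'2026-02-09T08:14:02'
        Message = 'The Remote Access Connection Manager service terminated unexpectedly. It has done this 1 time(s).' }
    [pscustomobject]@{ Id = 7034; TimeCreated = [datetime]'2026-02-09T08:20:45'
        Message = 'The Remote Access Connection Manager service terminated unexpectedly. It has done this 2 time(s).' }
    [pscustomobject]@{ Id = 7034; TimeCreated = [datetime]'2026-02-09T09:01:10'
        Message = 'The Print Spooler service terminated unexpectedly. It has done this 1 time(s).' }
)

# On a live host, feed real data instead of the samples:
#   $sampleKbs    = (Get-HotFix).HotFixID
#   $sampleEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
#       LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7031, 7034 }
#   (Get-Service -Name RasMan).Status   # the service may stay stopped after a crash

Test-RasManFixInstalled -InstalledKbs $sampleKbs
Get-RasManCrashSummary -Events $sampleEvents
```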
Source: https://cybersecuritynews.com/windows-rrasman-0-day-vulnerability/
Microsoft cybersecurity rating report: https://www.rankiteo.com/company/Microsoft