Microsoft patches CVE-2026-21525, an actively exploited RasMan flaw that can crash Windows VPN services and disrupt remote access.
Microsoft has patched a vulnerability in the Windows Remote Access Connection Manager (RasMan) service that was being exploited to trigger denial-of-service (DoS) conditions on unpatched systems.
If exploited, the flaw can cause the remote access service to crash, potentially interrupting VPN connectivity and affecting remote access for users and administrators.
The vulnerability “… allows an unauthorized attacker to deny service locally,” Microsoft said in its advisory.
RasMan is a core Windows service that manages remote access connections, including VPN and legacy dial-up services. It plays a central role in enabling secure connectivity for remote employees, administrators, and systems that rely on tunneled network access.
Because many organizations depend on VPN infrastructure to support hybrid work and distributed IT operations, disruptions to RasMan can have immediate operational consequences.
CVE-2026-21525 stems from a NULL pointer dereference vulnerability within the RasMan service.
The issue is caused by improper input validation during the connection negotiation process, specifically involving rascustom.dll or related modules. When RasMan processes specially crafted or malformed data, it may attempt to dereference an uninitialized (NULL) pointer, causing the service to crash.
Exploitation does not require elevated privileges or user interaction.
An attacker with basic local access to a vulnerable system can send crafted input or malformed packets to repeatedly trigger the vulnerable code path, which results in a DoS condition. In some cases, the RasMan service does not automatically restart after a crash, which can prolong connectivity outages until manual intervention.
Microsoft has confirmed the vulnerability is being actively exploited in the wild.
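One way to watch for the repeated-crash pattern described above and to check whether the service is configured to recover on its own, as an added example that is not from Microsoft's advisory or the original article. It assumes the standard Service Control Manager events 7031 and 7034 (unexpected service termination) in the System log; the seven-day window and the threshold of three crashes per hour are illustrative values.

```powershell
# Added example (not from the article). Run in an elevated PowerShell 5+ session.
$ServiceName = 'RasMan'
$DisplayName = (Get-Service -Name $ServiceName).DisplayName  # Remote Access Connection Manager
$Since       = (Get-Date).AddDays(-7)   # look-back window (assumed value)
$Threshold   = 3                        # crashes per hour worth investigating (assumed value)

# Events 7031/7034 are logged by the Service Control Manager when a service
# terminates unexpectedly. Keep only the ones that name RasMan.
$crashes = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031, 7034
    StartTime    = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$DisplayName*" }

"Unexpected $ServiceName terminations since ${Since}: $(@($crashes).Count)"

# Bucket by hour: a cluster of crashes in one hour suggests the vulnerable
# code path is being hit repeatedly rather than a one-off fault.
$crashes |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Where-Object Count -ge $Threshold |
    Sort-Object Name |
    Select-Object @{ n = 'Hour'; e = { $_.Name } }, Count

# Current state: a Stopped service with an Automatic or Manual start type
# after a crash means VPN connectivity stays down until someone intervenes.
Get-Service -Name $ServiceName | Select-Object Name, Status, StartType

# Recovery configuration: shows whether any failure actions (for example,
# restart) are defined for the service.
sc.exe qfailure $ServiceName
```

An empty hourly table means no hour in the window reached the threshold; the total count line still reports isolated crashes.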
Organizations should address this vulnerability using a layered approach that goes beyond patch deployment to include monitoring and system hardening.
Collectively, these measures help reduce overall exposure and limit the potential blast radius if the vulnerability is exploited. Although not an RCE or privilege escalation flaw, CVE-2026-21525 underscores how availability vulnerabilities in core infrastructure components can create operational risk when actively exploited.
For enterprises that depend on VPN-based access, sustained disruption to RasMan can affect administrative workflows, remote productivity, and service reliability.
Editor’s note: This article originally appeared on our sister website, eSecurityPlanet.