Cyber Posture

CVE-2026-21525

MediumCISA KEVActive Exploitation

Published: 10 February 2026

Published
10 February 2026
Modified
30 March 2026
KEV Added
10 February 2026
Patch
CVSS Score 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0939 92.8th percentile
Risk Priority 38 60% EPSS · 20% KEV · 20% CVSS

Description

Null pointer dereference in Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mandates timely flaw remediation through patching the null pointer dereference in Windows Remote Access Connection Manager as detailed in Microsoft's update guide.

SI-5 Security Alerts, Advisories, and Directives partial match
prevent

Requires monitoring and implementing security advisories and directives from MSRC and CISA's Known Exploited Vulnerabilities catalog for this CVE.

RA-5 Vulnerability Monitoring and Scanning partial match
detect

Supports vulnerability scanning to identify and prioritize systems vulnerable to this local DoS in Remote Access Connection Manager.

Security SummaryAI

CVE-2026-21525 is a null pointer dereference vulnerability (CWE-476) in the Windows Remote Access Connection Manager service. Published on 2026-02-10, it carries a CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and affects Windows systems running this component, enabling local denial of service.

An unauthorized attacker with local access to the target system can exploit the vulnerability with low attack complexity and no privileges or user interaction required. Exploitation triggers a null pointer dereference, resulting in a denial of service that causes high availability impact while leaving confidentiality and integrity unaffected.

Microsoft's update guide at msrc.microsoft.com provides patching details and advisories for remediation. Vicarius offers specific detection and mitigation scripts tailored to this DoS issue in the Remote Access Connection Manager. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities catalog.

Details

CWE(s)
CWE-476
KEV Date Added
10 February 2026

Affected Products

microsoft
windows 10 1607
≤ 10.0.14393.8868 · ≤ 10.0.14393.8868
microsoft
windows 10 1809
≤ 10.0.17763.8389 · ≤ 10.0.17763.8389
microsoft
windows 10 21h2
≤ 10.0.19044.6937 · ≤ 10.0.19044.6937 · ≤ 10.0.19044.6937
microsoft
windows 10 22h2
≤ 10.0.19045.6937 · ≤ 10.0.19045.6937 · ≤ 10.0.19045.6937
microsoft
windows 11 23h2
≤ 10.0.22631.6649 · ≤ 10.0.22631.6649
microsoft
windows 11 24h2
≤ 10.0.26100.7781 · ≤ 10.0.26100.7781
microsoft
windows 11 25h2
≤ 10.0.26200.7781 · ≤ 10.0.26200.7781
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
≤ 10.0.14393.8868
microsoft
windows server 2019
≤ 10.0.17763.8389
+3 more product configuration(s) — see NVD for full list

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

The vulnerability is a null pointer dereference in a Windows system service that enables local attackers to cause a denial of service via exploitation, directly mapping to Endpoint Denial of Service: Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References