CVE-2026-21525 is a vulnerability identified as a null pointer dereference (CWE-476) in the Windows Remote Access Connection Manager component of Microsoft Windows 10 Version 1607 (build 10.0.14393.0). This vulnerability allows an unauthorized attacker with local access to trigger a denial of service condition by causing the Remote Access Connection Manager service to crash. The flaw arises when the service attempts to dereference a null pointer, leading to an application or system crash, thereby impacting availability. The vulnerability does not require privileges or user interaction, making it easier to exploit locally, but it cannot be exploited remotely. The CVSS v3.1 base score is 6.2 (medium severity), reflecting the limited scope (local attack vector), no impact on confidentiality or integrity, but a significant impact on availability. No public exploits or active exploitation in the wild have been reported to date. The affected product is an older Windows 10 version (1607), which is out of mainstream support, increasing the risk for organizations that have not upgraded. The vulnerability could disrupt network connectivity services relying on the Remote Access Connection Manager, potentially affecting VPNs or dial-up connections. Given the lack of patches linked in the data, organizations should monitor Microsoft advisories for updates or consider upgrading to supported Windows versions to mitigate the risk.

For European organizations, the primary impact is on system availability, as the vulnerability can cause the Remote Access Connection Manager service to crash, leading to denial of service conditions. This could disrupt remote access services, VPN connectivity, and other network-related functions dependent on this service, potentially affecting business continuity. Organizations in sectors with critical reliance on remote access, such as finance, healthcare, government, and critical infrastructure, may face operational disruptions. Since the vulnerability requires local access, the risk is higher in environments where physical or local access controls are weak or where insider threats exist. The lack of impact on confidentiality and integrity reduces the risk of data breaches or unauthorized data modification. However, service interruptions could indirectly affect compliance with regulations such as GDPR if availability impacts critical services. The threat is more pronounced for organizations still running legacy Windows 10 Version 1607 systems, which may be more common in certain industries or smaller enterprises with limited IT resources.

1. Upgrade affected systems from Windows 10 Version 1607 to a supported and fully patched Windows version to eliminate exposure to this vulnerability. 2. If immediate upgrade is not feasible, implement strict local access controls and monitoring to prevent unauthorized local access to vulnerable systems. 3. Regularly monitor Microsoft security advisories for patches or hotfixes addressing this vulnerability and apply them promptly once available. 4. Employ endpoint protection solutions capable of detecting abnormal service crashes or denial of service attempts related to Remote Access Connection Manager. 5. Harden network access policies to limit the use of legacy remote access protocols and encourage migration to more secure VPN solutions. 6. Conduct regular audits of systems to identify any running unsupported Windows versions and prioritize their remediation. 7. Implement robust incident response plans to quickly detect and recover from denial of service conditions impacting remote access services.