Mallory

Microsoft Patches Windows RasMan DoS and Windows Error Reporting Privilege Escalation

Updated February 12, 2026 at 02:22 AM (2 sources)

Microsoft released fixes for multiple Windows local vulnerabilities affecting core services used in enterprise environments. One issue in the Remote Access Connection Manager (RasMan) service was exploited to trigger a local denial-of-service (DoS) by crashing the remote access service, which can disrupt VPN connectivity and interrupt remote access workflows on unpatched systems; Microsoft described the condition as allowing an “unauthorized attacker to deny service locally.”

Separately, Microsoft patched CVE-2026-20817, a Windows Error Reporting Service (wersvc.dll) local privilege escalation that can allow a standard user to obtain SYSTEM-level execution via ALPC messaging and insufficient authorization checks in request handling (notably around CWerService::SvcElevatedLaunch). Reporting indicates the service could be coerced into creating a new token derived from the WER service’s SYSTEM token (with SeTcbPrivilege removed but other powerful rights retained), enabling high-impact post-exploitation actions such as credential theft and full host takeover; a proof-of-concept (PoC) was also reported as available.

Sources

February 11, 2026 at 09:59 PM

Related Stories

Microsoft February Patch Tuesday Fixes Actively Exploited Zero-Days Including Windows RDS Privilege Escalation

Microsoft’s February 2026 Patch Tuesday shipped fixes for **58 vulnerabilities** across Windows, Office, and related components, including **six zero-days reported as actively exploited**. Reported zero-days included **CVE-2026-21533** (Windows **Remote Desktop Services** elevation of privilege), **CVE-2026-21510** (Windows Shell security feature bypass involving SmartScreen/Mark-of-the-Web), **CVE-2026-21513** and **CVE-2026-21514** (Office/MSHTML mitigation bypasses requiring user interaction), and **CVE-2026-21525** (Windows Remote Access Connection Manager DoS). Coverage of the release emphasized that elevation-of-privilege issues were the largest category in the update set, and that organizations should prioritize rapid deployment given in-the-wild exploitation claims. For **CVE-2026-21533** (CVSS 7.8, *Important*), reporting cited CrowdStrike observations of an exploit binary used post-compromise to reach **SYSTEM** by modifying a service configuration **registry key** to point to attacker-controlled values, enabling actions such as adding a user to the local Administrators group; the issue primarily impacts Windows systems where RDS is enabled and is positioned as a strong enabler for lateral movement in RDP-heavy environments. Separately, a January 2026-patched local privilege escalation in Windows Error Reporting, **CVE-2026-20817** (CVSS 7.8), was described with technical detail and a released PoC: the WER service (`wersvc.dll`) allegedly failed to validate requester permissions over ALPC, allowing a standard user to trigger process creation with a SYSTEM-derived token retaining powerful privileges (e.g., `SeDebugPrivilege`, `SeImpersonatePrivilege`, `SeBackupPrivilege`), underscoring the broader trend of Windows local EoP bugs being leveraged for post-exploitation escalation.

1 month ago

Windows RasMan Zero-Day Enables Service Crash and Privilege Escalation

A newly discovered zero-day vulnerability in the Windows Remote Access Connection Manager (RasMan) service allows unprivileged users to crash the service, creating a denial-of-service (DoS) condition. This flaw, which has not yet been assigned a CVE or received an official Microsoft patch, was uncovered by ACROS Security while investigating a previously patched privilege escalation vulnerability (CVE-2025-59230). The new DoS vulnerability is critical because it enables attackers to stop the RasMan service, which is a prerequisite for exploiting certain privilege escalation bugs. A working exploit for this zero-day is publicly available, and free unofficial patches have been released by the 0patch platform to mitigate the risk until Microsoft issues an official fix. The vulnerability affects all supported Windows versions, from Windows 7 through Windows 11 and Windows Server 2008 R2 through Server 2025. The exploit leverages a coding error in RasMan's handling of circular linked lists, causing the service to crash when a null pointer is encountered. This crash can be triggered by any unprivileged user, potentially allowing attackers to combine the DoS with other privilege escalation vulnerabilities to gain SYSTEM-level access. Microsoft has not yet responded to requests for comment or provided a timeline for an official patch, leaving organizations reliant on third-party mitigations in the interim.

3 months ago

Microsoft February 2026 vulnerability disclosures across Windows, Azure, and developer tools

Microsoft published multiple security advisories for **Windows**, **Azure**, and **developer tooling**, including several high-impact issues spanning **remote code execution (RCE)**, **elevation of privilege (EoP)**, **spoofing**, **information disclosure**, **denial of service**, and **security feature bypass**. Notable items include **Azure SDK for Python RCE** `CVE-2026-21531` (CVSS 9.8; **deserialization of untrusted data**), **Windows Shell security feature bypass** `CVE-2026-21510` (CVSS 8.8; exploitability listed as **E:F**), **GitHub Copilot/Visual Studio/VS Code** issues enabling **RCE/EoP/feature bypass** (`CVE-2026-21256`, `CVE-2026-21523`, `CVE-2026-21257`, `CVE-2026-21518`), and **Azure Local RCE** `CVE-2026-21228` (CVSS 8.1; **improper certificate validation**). Additional Windows platform flaws include **Desktop Window Manager EoP** `CVE-2026-21519` (type confusion), **HTTP.sys EoP** `CVE-2026-21232` (untrusted pointer dereference), **WinSock Ancillary Function Driver EoP** `CVE-2026-21238` (improper access control), **Windows Storage EoP** `CVE-2026-21508`, **WSL EoP** `CVE-2026-21237`, **Microsoft Word security feature bypass** `CVE-2026-21514`, **Outlook spoofing** `CVE-2026-21511`, **Windows LDAP DoS** `CVE-2026-21243`, plus **ACI Confidential Containers information disclosure** `CVE-2026-23655` and **Azure IoT Explorer information disclosure** `CVE-2026-21528`. Separately, a detailed third-party writeup described a **Windows Error Reporting Service** local privilege escalation, `CVE-2026-20817`, patched in January 2026, where the **WER service** (`wersvc.dll`) running as `NT AUTHORITY\SYSTEM` allegedly fails to validate requester permissions over **ALPC**, enabling a standard user to trigger process creation with a SYSTEM-derived token (retaining powerful rights such as *SeDebugPrivilege*, *SeImpersonatePrivilege*, and *SeBackupPrivilege*). 
Another third-party report highlighted a long-standing **libpng** heap buffer issue, `CVE-2026-25646` (CVSS 8.3), in `png_set_quantize()` that can be triggered by a crafted PNG (palette present, histogram absent) leading to an infinite loop/out-of-bounds read with potential for DoS and, with heap grooming, possible code execution; an additional MSRC entry referenced **libjpeg-turbo** `CVE-2023-2804` (heap-based overflow) as an Important RCE-class issue. Collectively, the disclosures reinforce the need to prioritize patching for internet-reachable components and developer tooling, and to treat local EoP bugs as high-risk in post-compromise and lateral movement scenarios.

1 month ago