Welcome to February's Patch Tuesday. This month, attackers are playing the distraction game: one vulnerability crashes your VPN infrastructure while another slips malware past Windows security prompts.
The two vulnerabilities highlighted this month share a common thread: they enable or amplify attacks that start with social engineering. And social engineering is getting easier. Both are already being exploited in the wild, and both rely on the same entry point: your users clicking something they shouldn't.
Here's what you need to know, and what to patch first. For the full breakdown, check out the Patch [FIX] Tuesday podcast.
CVE-2026-21525 [Moderate]
Windows Remote Access Connection Manager vulnerability
CVE-2026-21525 (CVSS 6.2/10) targets the Windows Remote Access Connection Manager (RASMAN), the service responsible for maintaining VPN connections to corporate networks.
This vulnerability is currently being exploited in the wild.
An attacker with a foothold as a standard, non-admin user can run a small script that crashes the RAS manager service. The attack requires no elevated privileges and can be triggered after initial access through phishing or a malicious browser extension.
CVE-2026-21525 doesn't directly lead to data theft or code execution, but its potential for disruption is significant.
Organizations relying on always-on VPN connections face a particular risk: if the VPN service crashes, endpoints configured with "fail close" policies lose network access entirely. IT teams can't reach those machines to patch them or run automation. In larger environments, this creates cascading failures that can take hours to resolve.
How attackers may exploit this vulnerability
Gain initial access through phishing or a malicious browser extension, then trigger the crash as part of a multi-stage attack
Use the disruption as a distraction while executing a separate attack against servers or exfiltrating data
Target VPN infrastructure to create a "blackout" of remote users, overwhelming help desk resources
Chain with other vulnerabilities to maximize blast radius during the confusion
What to look out for
Unexpected restarts of the Remote Access Connection Manager service
Sudden, widespread VPN disconnections across remote users
Help desk ticket spikes related to connectivity issues
Mitigation guidance
Apply the patch immediately. Microsoft has confirmed there are no workarounds for this vulnerability.
Prioritize patching for remote users and VPN-dependent endpoints first
Monitor the RASMAN service for unexpected restarts or crashes
If you run servers with RRAS (Routing and Remote Access Service), include them in your priority patching list to protect automations and infrastructure
– Ryan Braunstein, Security Manager, Automox
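Added example, not part of the post: one way to act on the "monitor RASMAN for unexpected restarts or crashes" guidance above, using the Service Control Manager events Windows already writes to the System log. The function name and the state-change threshold are assumptions; the service name RasMan and event IDs 7031/7034/7036 are standard Windows values.

```powershell
# Report unexpected terminations and state changes of the Remote Access Connection
# Manager (RasMan) from the System log. Run locally or fan out with Invoke-Command.
function Get-RasManInstability {
    param(
        [int]$Hours = 24,
        [int]$StateChangeThreshold = 3   # assumed tuning value; set from your own baseline
    )
    $since = (Get-Date).AddHours(-$Hours)
    $svc   = 'Remote Access Connection Manager'   # display name used in SCM messages

    # 7031/7034: Service Control Manager recorded an unexpected service termination
    $crashes = @(Get-WinEvent -FilterHashtable @{
            LogName = 'System'; ProviderName = 'Service Control Manager'
            Id = 7031, 7034; StartTime = $since
        } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $svc })

    # 7036: service entered the running/stopped state; bursts outside a maintenance
    # window point at repeated crash/restart cycles rather than normal VPN churn
    $changes = @(Get-WinEvent -FilterHashtable @{
            LogName = 'System'; ProviderName = 'Service Control Manager'
            Id = 7036; StartTime = $since
        } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $svc })

    $report = [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        CurrentState      = (Get-Service -Name RasMan).Status
        UnexpectedCrashes = $crashes.Count
        StateChanges      = $changes.Count
        LastCrash         = ($crashes | Sort-Object TimeCreated -Descending |
                                Select-Object -First 1).TimeCreated
    }

    if ($report.UnexpectedCrashes -gt 0 -or $report.StateChanges -ge $StateChangeThreshold) {
        Write-Warning ("RasMan instability on {0}: {1} crash(es), {2} state change(s) in {3}h" -f
            $report.ComputerName, $report.UnexpectedCrashes, $report.StateChanges, $Hours)
    }
    $report
}

Get-RasManInstability -Hours 24
```

A non-zero UnexpectedCrashes count on an endpoint that has not yet received the February update is the signal worth triaging; the 7036 count alone is noisy on laptops that roam between networks.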
CVE-2026-21510 [Important]
Windows Shell SmartScreen bypass vulnerability
CVE-2026-21510 (CVSS 8.8/10) allows attackers to bypass Windows SmartScreen, the security feature that warns you when opening files downloaded from the internet. A related vulnerability, CVE-2026-21514, affects Microsoft Word with a similar bypass mechanism.
Attackers are actively exploiting both in the wild.
SmartScreen serves as a critical checkpoint: when you download an executable or document, it prompts you to confirm whether you trust the source. This bypass removes that checkpoint entirely. Files from the internet execute without triggering the usual warning dialog, giving attackers a clean path to run malicious code once a user clicks a phishing link.
The attack still requires user interaction, but with one less security prompt in the way, the barrier to successful exploitation drops considerably.
How attackers may exploit this vulnerability
Deliver malicious files through phishing emails that execute without SmartScreen warnings
Gain initial access for malware installation or persistence
Chain with social engineering to convince users to open seemingly legitimate documents
Target Microsoft Word users with malicious documents that bypass security prompts
What to look out for
Unusual cmd.exe or PowerShell activity following file downloads
Processes spawning from files in Downloads or temp directories without corresponding SmartScreen events in your logs
Mitigation guidance
Apply patches for both CVE-2026-21510 and CVE-2026-21514 as soon as possible
Monitor for process creation events where the parent process is a browser or Outlook and the child lacks a corresponding SmartScreen event
Apply endpoint hardening measures such as Attack Surface Reduction rules
– Seth Hoyt, Senior Security Engineer, Automox
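Added example, not Automox code: a hunt that implements the detection described above, pairing Security event 4688 (process creation, which needs the "Audit Process Creation" policy enabled) with the SmartScreen log and the file's Mark-of-the-Web. The function name, the parent-process list, the path patterns and the Microsoft-Windows-SmartScreen/Debug log name are assumptions to adapt to your environment.

```powershell
# List processes launched by a browser or Outlook from a download/temp path and flag
# those whose file carries the Internet Mark-of-the-Web but has no logged SmartScreen check.
function Find-UnscreenedLaunches {
    param([int]$Hours = 24)
    $since    = (Get-Date).AddHours(-$Hours)
    $parents  = 'msedge.exe', 'chrome.exe', 'firefox.exe', 'outlook.exe'   # assumed parent set
    $dropDirs = '\\Downloads\\', '\\AppData\\Local\\Temp\\', '\\Windows\\Temp\\', '\\INetCache\\'

    # Project the 4688 EventData fields we need out of the XML payload
    $launches = foreach ($e in (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue)) {
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Time = $e.TimeCreated; User = $d['SubjectUserName']
                           Parent = $d['ParentProcessName']; Child = $d['NewProcessName'] }
    }

    # Keep children of the watched parents that started from a download or temp location
    $candidates = $launches | Where-Object {
        $_.Parent -and $parents -contains ([IO.Path]::GetFileName($_.Parent).ToLower()) -and
        ($_.Child -match ($dropDirs -join '|'))
    }

    # SmartScreen reputation checks in the same window (assumed log name; confirm with
    # Get-WinEvent -ListLog *SmartScreen*). A missing log yields an empty set, not an error.
    $screened = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SmartScreen/Debug'; StartTime = $since } -ErrorAction SilentlyContinue)

    foreach ($c in $candidates) {
        $name = [regex]::Escape([IO.Path]::GetFileName($c.Child))
        $seen = [bool]($screened | Where-Object { $_.Message -match $name })
        # Mark-of-the-Web: ZoneId=3 in the Zone.Identifier stream means the file came from the
        # Internet zone and should have been screened. A file already deleted yields no MotW.
        $motw     = Get-Content -Path $c.Child -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $internet = [bool]($motw -match 'ZoneId=3')
        [pscustomobject]@{
            Time = $c.Time; User = $c.User; Parent = $c.Parent; Child = $c.Child
            InternetMotW = $internet; SmartScreenLogged = $seen
            Verdict = if ($internet -and -not $seen) { 'REVIEW: launched without a logged SmartScreen check' } else { 'ok' }
        }
    }
}

Find-UnscreenedLaunches -Hours 24 | Where-Object Verdict -ne 'ok' | Format-Table -AutoSize
```

The same correlation works against Sysmon event 1 (Image/ParentImage) where that is deployed; the 4688 path is shown because it needs no extra agent.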
The bigger picture: AI lowers the barrier
AI has lowered the barrier to entry for attackers. Crafting a convincing phishing email used to require skill. Now, an attacker can generate polished, grammatically correct messages that mimic internal communications or trusted brands in seconds.
Security researchers are also watching the emergence of agentic attacks (scenarios where a single attacker deploys AI agents to automate reconnaissance, craft targeted messages, and probe for vulnerabilities simultaneously). The tools exist. Whether attackers are using them at scale remains to be seen, but the threat model is shifting.
For IT teams, this reinforces why the fundamentals matter. Patching remains your first line of defense. Security awareness training should address AI-generated phishing specifically. And detection strategies should assume that attack volume and quality can scale faster than they used to.
Patch regularly, patch often
February's vulnerabilities are a reminder that disruption and deception remain core tactics in the attacker's playbook.
A denial of service attack that blacks out your remote workforce creates confusion. A SmartScreen bypass removes a safety net your users rely on. Both work better for attackers when patches sit unapplied.
Stay current with your patches, keep your detection capabilities sharp, and make sure your teams know that phishing emails aren't as easy to spot as they used to be.