February 2026 [Chaos Engineering]

CVE-2026-21525 is a denial of service flaw in the Windows Remote Access Connection Manager (RASMAN), exploited in the wild, that a standard non-admin user can trigger to crash the VPN service.

CVE-2026-21510 and CVE-2026-21514 are a pair of SmartScreen bypasses affecting Windows Shell and Microsoft Word, removing the prompt that warns you before running files downloaded from the internet so malicious files execute without a warning dialog.

Endpoints set to fail close lose network access entirely when the VPN crashes, so IT can't reach them to patch or run automation. In large environments, that turns one bug into cascading help desk load.

Microsoft has confirmed there are no workarounds for CVE-2026-21525, so apply the patch and prioritize remote and VPN-dependent endpoints first. Also patch servers running RRAS (Routing and Remote Access Service) to protect automations.

Ryan and Seth keep returning to AI: it makes grammatically clean, brand-spoofing phishing trivial to generate, and it raises the prospect of agentic attacks where one operator runs AI agents to act like an entire team. Since both vulnerabilities start with a user clicking something they shouldn't, pair patching with awareness training built around AI-generated phishing.