Hackers Exploit Windows Remote Access Connection Manager 0-Day in Ongoing Attacks

Microsoft has confirmed active exploitation of a critical zero-day vulnerability affecting the Windows Remote Access Connection Manager, designated as CVE-2025-59230.

The security flaw, disclosed on October 14, 2025, allows attackers with limited system access to escalate their privileges to the highest level, gaining complete control over compromised systems.

Zero-Day Vulnerability Enables System-Level Access

The vulnerability stems from improper access control within the Windows Remote Access Connection Manager component, a critical service that handles remote network connections in Windows operating systems.

Attribute            Details
CVE ID               CVE-2025-59230
Vulnerability Type   Elevation of Privilege
Release Date         October 14, 2025
CVSS Score           7.8 (Base) / 7.2 (Temporal)
Severity             Important

Security researchers at Microsoft Threat Intelligence Center and Microsoft Security Response Center discovered evidence of active exploitation in the wild before a patch became available, classifying it as a true zero-day threat.

With a CVSS base score of 7.8 and temporal score of 7.2, the vulnerability is rated as “Important” severity by Microsoft.

The attack requires local access to the target system, meaning an attacker must already have a foothold on the machine, typically as a low-privileged user.

However, the low attack complexity means that once inside, exploitation becomes straightforward, requiring no user interaction to succeed.

The most alarming aspect of this vulnerability is the potential privilege escalation to SYSTEM level, the highest permission tier in Windows environments.

This grants attackers unrestricted access to read, modify, or delete any data, install malicious software, create new administrator accounts, and maintain persistent access to compromised systems.

Microsoft’s exploitability assessment confirms that functional exploit code exists and active exploitation has been detected in real-world attacks.

The vulnerability was not publicly known before Microsoft’s official announcement, suggesting that threat actors developed the exploit independently or obtained it through underground channels.

The fact that attackers are already leveraging this vulnerability highlights the urgency for organizations to apply security updates immediately.

The Windows Remote Access Connection Manager component is present across multiple Windows versions, potentially exposing millions of systems to compromise.

Security experts recommend that system administrators prioritize patching efforts, especially for systems accessible to multiple users or those connected to corporate networks.

Organizations should also monitor for suspicious privilege escalation attempts and review system logs for indicators of compromise related to the Remote Access Connection Manager service.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.