Microsoft has confirmed active exploitation of a critical zero-day vulnerability in the Windows Remote Access Connection Manager (RasMan) service, allowing attackers to escalate privileges and potentially compromise entire systems.
Tracked as CVE-2025-59230, the flaw stems from improper access control, enabling low-privileged users to gain SYSTEM-level access.
Disclosed on October 14, 2025, the vulnerability affects multiple Windows versions and has already drawn attention from threat actors targeting enterprise environments.
The issue resides in RasMan, a core component handling remote access connections like VPNs and dial-up. An authorized local attacker can exploit weak permission checks to manipulate service configurations, bypassing standard privilege boundaries.
With a CVSS v3.1 base score of 7.8 (High severity), it requires only local access and low privileges, making it a prime target for post-compromise escalation in breaches.
Microsoft classifies it as “Exploitation Detected,” indicating real-world attacks, though specifics on affected victims remain undisclosed.
No public proof-of-concept (PoC) code has been released, but security researchers describe potential exploits involving registry manipulation or DLL injection into RasMan processes.
For instance, an attacker might leverage low-integrity processes to overwrite accessible files in the RasMan directory (e.g., C:WindowsSystem32ras), injecting malicious code that executes with elevated rights upon service restart.
This could chain with initial footholds from phishing or unpatched apps, amplifying damage in lateral movement scenarios.
Vulnerability Details
To aid rapid assessment, the following table summarizes key CVE-2025-59230 metrics:
| Metric | Value | Description |
|---|---|---|
| CVSS v3.1 Base Score | 7.8 (High) | Overall severity rating |
| Attack Vector | Local (AV:L) | Requires physical or logged-in access |
| Attack Complexity | Low (AC:L) | Straightforward exploitation |
| Privileges Required | Low (PR:L) | Basic user account suffices |
| User Interaction | None (UI:N) | No victim engagement needed |
| Confidentiality/Integrity/Availability Impact | High (C:H/I:H/A:H) | Full system compromise possible |
| Exploit Maturity | Functional (E:F) | Proof-of-exploits exist in wild |
Affected systems include Windows 10 (versions 1809 and later), Windows 11, and Windows Server 2019-2025. Microsoft urges immediate patching via the October 2025 Patch Tuesday updates, emphasizing that unpatched machines face a high risk from nation-state actors or ransomware groups.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
