
A critical security issue in the Windows Remote Access Connection Manager (RasMan) allows local attackers to execute arbitrary code with System privileges.
While investigating CVE-2025-59230, the vulnerability that Microsoft addressed in the October 2025 security updates, 0patch security analysts discovered a complex exploit chain that relies on a secondary, previously unknown zero-day flaw to function effectively.
The primary vulnerability, CVE-2025-59230, centers on how the RasMan service handles RPC endpoints. When the service starts, it registers a specific endpoint that other privileged services trust.
0patch researchers found that if RasMan is not running, an attacker can register this endpoint first.

| Feature | Details |
|---|---|
| CVE ID | CVE-2025-59230 |
| Component | Windows Remote Access Connection Manager (RasMan) |
| Vulnerability Type | Elevation of Privilege (EoP) |
| Impact | Local Arbitrary Code Execution as System |
| Affected Platforms | Windows 10, Windows 11, Windows Server 2008-2025 |

Once the privileged services attempt to connect, they unknowingly communicate with the attacker’s process, allowing for the execution of malicious commands.
However, exploiting this race condition is difficult because RasMan typically launches automatically at system startup, leaving attackers no window of opportunity to register the endpoint first.
To bypass this limitation, the discovered exploit utilizes a second, unpatched vulnerability. This zero-day flaw allows a non-privileged user to intentionally crash the RasMan service.
The crash is caused by a logic error in the code involving a circular linked list. The service attempts to traverse the list but fails to properly handle NULL pointers, resulting in a memory access violation.
By crashing the service, attackers can force it into a stopped state, release the RPC endpoint, and subsequently trigger the CVE-2025-59230 exploitation chain to gain System access.
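The bug class described above, a circular linked list walked without handling a NULL link, shown next to a hardened traversal as an added illustration in C. This is not RasMan's code or 0patch's micropatch; the `node` type, the function names and the sample list are hypothetical.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical node type for illustration; not RasMan's real structure. */
struct node {
    int id;
    struct node *next;            /* circular: last node points back to head */
};

/* Flawed pattern: trusts that every link is valid because the list is
 * "always" circular. A NULL link faults on the following dereference. */
int count_unchecked(const struct node *head)
{
    int n = 0;
    const struct node *cur = head;
    do {
        n++;
        cur = cur->next;          /* if this yields NULL, the next pass crashes */
    } while (cur != head);
    return n;
}

/* Hardened pattern: stop on NULL and bound the walk.
 * Returns the node count, or -1 if the list is broken. */
int count_checked(const struct node *head, int max_nodes)
{
    int n = 0;
    const struct node *cur = head;
    if (head == NULL)
        return 0;
    do {
        if (++n > max_nodes)
            return -1;            /* cycle never returns to head */
        cur = cur->next;
        if (cur == NULL)
            return -1;            /* broken link: fail closed, no dereference */
    } while (cur != head);
    return n;
}

/* Constructed sample: three nodes; when broken, the middle link is NULL. */
int demo(int broken, int checked)
{
    struct node c = {3, NULL}, b = {2, &c}, a = {1, &b};
    c.next = &a;
    if (broken)
        b.next = NULL;
    return checked ? count_checked(&a, 16) : count_unchecked(&a);
}

int main(void)
{
    /* demo(1, 0) is deliberately not called: it would fault on the NULL link. */
    printf("%d %d %d\n", demo(0, 0), demo(0, 1), demo(1, 1));
    return 0;
}
```

In a service reachable by unprivileged callers, the unchecked form turns one malformed list into a process crash, which is the availability failure the exploit chain depends on.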
Microsoft has released official patches for the elevation-of-privilege flaw (CVE-2025-59230). However, the service crash vulnerability used to facilitate the attack remained unpatched in official channels at the time of discovery.
0patch has released micropatches to address this crash vector across supported platforms, including Windows 11 and Server 2025.
Administrators are advised to apply the October 2025 Windows updates immediately to mitigate the primary privilege escalation risk.
