A critical security flaw has been identified in the Windows Remote Access Connection Manager (RasMan) service that could allow local attackers to execute arbitrary code with System privileges.
Vulnerability Details
- CVE ID: CVE-2025-59230
- Component: Windows Remote Access Connection Manager (RasMan)
- Type: Elevation of Privilege (EoP)
- Impact: Local arbitrary code execution as System
- Affected Platforms: Windows 10, Windows 11, Windows Server 2008–2025
Exploit Chain
- Primary flaw (CVE-2025-59230)
  - RasMan registers an RPC endpoint trusted by privileged services.
  - If RasMan is not running, an attacker can register this endpoint first.
  - Privileged services then connect to the attacker's process, enabling malicious command execution.
- Secondary zero-day flaw (unpatched)
  - Attackers can intentionally crash RasMan using a logic error in a circular linked list.
  - The crash occurs due to improper handling of NULL pointers, causing a memory access violation.
  - Once RasMan stops, the RPC endpoint is freed, allowing attackers to exploit CVE-2025-59230.
Challenges & Risks
- Exploiting the race condition is normally difficult because RasMan launches automatically at startup.
- The secondary flaw removes this limitation, making exploitation practical.
- Successful exploitation grants System‑level privileges, enabling full control of the machine.
Mitigation
- Microsoft: Released patches for CVE-2025-59230 in the October 2025 security updates.
- 0patch: Issued micropatches to fix the crash vector across supported platforms (Windows 11, Server 2025).
- Admin guidance:
  - Apply the October 2025 updates immediately.
  - Consider deploying 0patch fixes for the crash vulnerability until Microsoft issues an official patch.
Takeaway
This case highlights how attackers can chain vulnerabilities: a patched elevation-of-privilege flaw (CVE-2025-59230) becomes exploitable again when combined with an unpatched crash bug. Organizations should patch quickly and monitor for exploit attempts targeting RasMan.
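The advisory's "monitor for exploit attempts targeting RasMan" advice can be turned into a concrete detection: the crash vector above leaves a trail in the Windows System log as Service Control Manager events (IDs 7031/7034 for a service that terminated unexpectedly, 7036 for a state change such as "entered the stopped state"), and a RasMan service that is stopped or crashing repeatedly is exactly the precondition the RPC-endpoint hijack needs. The script below is an added example, not code from the advisory, Microsoft or 0patch; the sample records, host names, timestamps and field names (`host`, `time`, `id`, `message`) are constructed to resemble exported SCM events and would need mapping to whatever your log pipeline emits.

```python
"""Flag RasMan crash/stop events in Windows System-log records (added example).

The event IDs are the real Service Control Manager values; the record layout
and the sample data are constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Service Control Manager event IDs: 7031/7034 = service terminated
# unexpectedly (7031 carries the recovery action), 7036 = state change.
UNEXPECTED_STOP_IDS = {7031, 7034}
STATE_CHANGE_ID = 7036
# RasMan appears in SCM messages under its display name.
RASMAN_NAMES = ("rasman", "remote access connection manager")

# Constructed sample records (hypothetical hosts and timestamps).
SAMPLE_EVENTS: List[Dict] = [
    {"host": "ws01", "time": "2025-10-20T09:00:00", "id": 7036,
     "message": "The Remote Access Connection Manager service entered the running state."},
    {"host": "ws01", "time": "2025-10-20T09:15:10", "id": 7034,
     "message": "The Remote Access Connection Manager service terminated unexpectedly.  It has done this 1 time(s)."},
    {"host": "ws01", "time": "2025-10-20T09:15:40", "id": 7034,
     "message": "The Remote Access Connection Manager service terminated unexpectedly.  It has done this 2 time(s)."},
    {"host": "ws01", "time": "2025-10-20T09:16:05", "id": 7034,
     "message": "The Remote Access Connection Manager service terminated unexpectedly.  It has done this 3 time(s)."},
    {"host": "ws02", "time": "2025-10-20T10:00:00", "id": 7034,
     "message": "The Print Spooler service terminated unexpectedly.  It has done this 1 time(s)."},
    {"host": "ws03", "time": "2025-10-20T11:00:00", "id": 7036,
     "message": "The Remote Access Connection Manager service entered the stopped state."},
]


def is_rasman(message: str) -> bool:
    """True if the SCM message refers to the RasMan service."""
    m = message.lower()
    return any(name in m for name in RASMAN_NAMES)


def classify(event: Dict) -> Optional[str]:
    """Return 'crash' (unexpected termination), 'stopped' (entered stopped
    state) or None for events that are not about RasMan or are benign."""
    if not is_rasman(event["message"]):
        return None
    if event["id"] in UNEXPECTED_STOP_IDS:
        return "crash"
    if event["id"] == STATE_CHANGE_ID and "stopped state" in event["message"].lower():
        return "stopped"
    return None


def find_alerts(events: List[Dict], crash_threshold: int = 2,
                window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """One alert per RasMan crash/stop event, in time order.

    A single crash or stop is 'medium' (the endpoint is now free to register);
    crash_threshold or more crashes on one host inside `window` is 'high',
    which matches the repeated-crash pattern an attacker triggering the
    linked-list bug would produce.
    """
    crashes_by_host: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO strings sort chronologically
        kind = classify(ev)
        if kind is None:
            continue
        t = datetime.fromisoformat(ev["time"])
        if kind == "stopped":
            alerts.append({"host": ev["host"], "time": ev["time"], "severity": "medium",
                           "reason": "RasMan entered stopped state; RPC endpoint unregistered"})
            continue
        # Keep only crashes still inside the sliding window for this host.
        recent = [x for x in crashes_by_host[ev["host"]] if t - x <= window] + [t]
        crashes_by_host[ev["host"]] = recent
        severity = "high" if len(recent) >= crash_threshold else "medium"
        alerts.append({"host": ev["host"], "time": ev["time"], "severity": severity,
                       "reason": f"{len(recent)} RasMan crash(es) within {window}"})
    return alerts


def summarize(events: List[Dict]) -> Dict[str, str]:
    """Highest severity seen per host, for a quick triage view."""
    rank = {"medium": 1, "high": 2}
    worst: Dict[str, str] = {}
    for a in find_alerts(events):
        if rank[a["severity"]] > rank.get(worst.get(a["host"], ""), 0):
            worst[a["host"]] = a["severity"]
    return worst


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
    print(summarize(SAMPLE_EVENTS))
```

The threshold and window are tuning knobs: RasMan legitimately stops on machines with no dial-up or VPN use, so a single 7036 stop is only worth a medium signal, whereas several 7034 terminations in a few minutes on one host have no normal explanation and deserve an immediate look at what else that host was running.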