Unpatched RasMan Zero-Day Allows Local System Takeover via DoS Crash and RPC Spoofing
The 0patch team has reported that while analyzing CVE-2025-59230 in the Windows Remote Access Connection Manager (RasMan)—a flaw Microsoft addressed with its October 2025 updates—researchers uncovered a working exploit that enables local code execution as Local System from an unprivileged user account. Alongside it, however, they identified a second issue: the exploit relied on a separate technique that allows a non-privileged user to crash RasMan, a vulnerability that, according to the authors, remains unpatched.
CVE-2025-59230 is conceptually straightforward. When RasMan starts, it registers an RPC endpoint that other services subsequently connect to and implicitly trust. If RasMan is not running, any process—including a user-level exploit without administrative rights—can register the same RPC endpoint first, causing privileged services to connect to this “spoofed” endpoint. That misplaced trust can then be abused to feed instructions that ultimately result in attacker-controlled code execution.
The practical challenge lies in exploitation. RasMan typically starts automatically with Windows (the authors note that on Windows 11 it may be configured as “manual” yet still launches during system startup), making it nearly impossible to catch a window in which the service is not running. Even a malicious scheduled task cannot realistically “outrun” RasMan to register the RPC endpoint first.
As a result, the exploit also needs a way to stop RasMan in order to free the desired RPC endpoint. This second step turned out to be a vulnerability in its own right: an unprivileged user can forcibly crash RasMan, triggering a denial-of-service condition and thereby clearing the path for exploitation via CVE-2025-59230.
After investigating the crash, 0patch traced the root cause to a flaw in the logic for traversing a circular linked list. The code exits the loop when the current element points back to the first element, indicating that the list has been fully traversed. Inside the loop, there is a seemingly sensible NULL check on the current pointer: if it is not NULL, the value is read and, under certain conditions, the loop may terminate.
However, if the pointer is NULL, execution does not stop. Instead, the code attempts to access the next element by dereferencing NULL, resulting in a memory access violation and a RasMan crash. The authors emphasize that such a bug is easy to imagine in real-world development: the function assumes a well-formed circular list, while the NULL check may have been added defensively and never triggered during testing, masking its incorrect behavior.
As described in the publication, the 0patch micropatch introduces the missing branch: when a NULL pointer is detected, the loop now terminates instead of continuing traversal. A demonstration shows that without 0patch enabled, the exploit reliably crashes RasMan, whereas with the agent active, the crash no longer occurs (the authors note that the video highlights a similarly named service, Remote Access Auto Connection Manager).
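To make the described bug pattern concrete, here is an added C reconstruction (not RasMan's code and not 0patch's micropatch) of a circular-list traversal whose NULL check guards the read but not the advance, beside the version that terminates on NULL; the node layout, the values and the stop condition are assumptions.

```c
#include <stddef.h>

/* Illustrative reconstruction of the bug pattern the article describes; not
 * RasMan's code. Node values and the "stop" condition are constructed here. */
typedef struct node {
    int value;
    struct node *next;
} node_t;

/* Link nodes[0..n-1] into a ring with values 1..n. With break_last set, the last
 * link is left NULL, modelling the malformed list that triggers the crash. */
static void build_list(node_t *nodes, size_t n, int break_last) {
    for (size_t i = 0; i < n; i++) {
        nodes[i].value = (int)(i + 1);
        nodes[i].next = &nodes[(i + 1) % n];
    }
    if (break_last) nodes[n - 1].next = NULL;
}

/* Flawed loop: the NULL check guards only the read of cur->value; a NULL cur is
 * still advanced through cur->next, which is the crashing dereference.
 * Returns the 1-based position of stop_value, or 0 if the ring has none. */
static int traverse_flawed(node_t *head, int stop_value) {
    node_t *cur = head;
    int pos = 0;
    do {
        if (cur != NULL) {          /* defensive check, but incomplete */
            pos++;
            if (cur->value == stop_value)
                return pos;
        }
        cur = cur->next;            /* NULL->next: access violation */
    } while (cur != head);
    return 0;
}

/* Hardened loop, in the spirit of the micropatch: a NULL pointer ends the
 * traversal (returns -1) instead of being dereferenced. */
static int traverse_fixed(node_t *head, int stop_value) {
    node_t *cur = head;
    int pos = 0;
    do {
        if (cur == NULL)
            return -1;              /* malformed list: stop, do not advance */
        pos++;
        if (cur->value == stop_value)
            return pos;
        cur = cur->next;
    } while (cur != head);
    return 0;
}
```

On the well-formed ring both loops behave identically; on the broken list only traverse_fixed returns, since traverse_flawed would dereference NULL exactly as the article describes.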
According to 0patch, the micropatches have already been released and are available for supported versions of Windows, ranging from current builds of Windows 11 and Windows 10 down to Windows 7, as well as several server editions, including Windows Server up to Server 2025, provided the systems are fully up to date.