A newly discovered flaw in the Windows Remote Access Connection Manager (RasMan) service allows the operating system to be disrupted without administrative privileges. A free, unofficial fix is already available, while Microsoft prepares its own official remedy.
RasMan is a core Windows service that starts automatically, runs with SYSTEM privileges, and manages VPN, PPPoE, and other remote network connections. Researchers at ACROS Security, the team behind the 0patch micropatching platform, uncovered this zero-day issue while analyzing CVE-2025-59230—another RasMan privilege-escalation vulnerability that had been actively exploited and was patched by Microsoft in October.
The newly identified flaw falls into the denial-of-service category and enables attackers to deliberately crash the RasMan service. It has not yet been assigned a CVE identifier. All versions of Windows from 7 through 11 are affected, as well as Windows Server releases from 2008 R2 up to Server 2025. According to ACROS Security, when combined with CVE-2025-59230 or similar privilege-escalation bugs, the issue can facilitate an attack that impersonates the RasMan service and achieves code execution—but only when RasMan is not running. The ability to forcibly stop the service closes this gap, allowing attackers to disable RasMan at will and reopen an escalation path previously considered mitigated.
The crash is caused by an error in handling circular linked lists. While traversing such a list, the service may encounter a null pointer and, instead of exiting the loop gracefully, attempts to dereference it, leading to a process failure.
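The traversal defect described above, as an added illustration in C that is not code from RasMan or from ACROS Security: a constructed circular list (singly linked here, an assumption; the article does not give the list layout), the unchecked walk that faults when a link is NULL, and the defensive walk that exits the loop instead. Type and function names are hypothetical.

```c
#include <stdlib.h>

typedef struct node {          /* constructed circular singly linked list */
    int value;
    struct node *next;         /* last node normally points back at head */
} node_t;
/* Unsafe traversal: stops only when the walk returns to head. If a link was
 * cut (next == NULL), cur becomes NULL and cur->value dereferences it. */
int sum_unsafe(const node_t *head) {
    int sum = 0; const node_t *cur = head;
    do {
        sum += cur->value;
        cur = cur->next;
    } while (cur != head);
    return sum;
}

/* Hardened traversal: check each link before following it and report a broken
 * ring instead of faulting. Returns 0 on success, -1 on NULL head or cut link. */
int sum_safe(const node_t *head, int *out) {
    if (head == NULL || out == NULL) return -1;
    int sum = 0; const node_t *cur = head;
    do {
        sum += cur->value;
        cur = cur->next;
        if (cur == NULL) return -1;  /* severed link: leave the loop gracefully */
    } while (cur != head);
    *out = sum;
    return 0;
}

/* Build a ring holding 1..n (n >= 1); if cut is nonzero, leave the last link
 * NULL to simulate a corrupted list that is no longer circular. */
node_t *build_ring(int n, int cut) {
    node_t *head = NULL, *prev = NULL;
    for (int i = 1; i <= n; i++) {
        node_t *nd = malloc(sizeof *nd);
        if (nd == NULL) exit(1);
        nd->value = i; nd->next = NULL;
        if (prev) prev->next = nd; else head = nd;
        prev = nd;
    }
    if (prev && !cut) prev->next = head;
    return head;
}

/* Summed values via the safe walk, or -1 if it rejected the list. */
int checked_sum(int n, int cut) {
    int s = 0;
    return sum_safe(build_ring(n, cut), &s) == 0 ? s : -1;
}
```

Running `sum_unsafe` on a ring built with `cut` set reproduces the fault class (a NULL dereference), while `sum_safe` returns -1 on the same input.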
ACROS Security has released a free micropatch via 0patch for all affected systems. Applying it requires registering an account and installing the 0patch agent, which then deploys the fix automatically—typically without requiring a system reboot, unless restricted by patching policies.
ACROS Security CEO Mitja Kolsek stated that Microsoft has been notified, and an official fix for supported Windows versions is expected to arrive in a future update.