Published on December 15, 2025

Windows Remote Access Connection Manager Flaw Allows Arbitrary Code Execution


Severity

High

Detail

Security researchers have identified a critical vulnerability in the Windows Remote Access Connection Manager (RasMan) service that can be abused to crash the service and enable local arbitrary code execution with Local System privileges.

The issue was discovered during an investigation of CVE-2025-59230, which Microsoft patched in October 2025. CVE-2025-59230 is an elevation-of-privilege vulnerability that affects how the RasMan service registers and exposes an RPC endpoint during startup. Other privileged Windows services subsequently connect to and trust this endpoint.

When RasMan is not running, a local unprivileged attacker can register the same RPC endpoint and exploit this trust relationship to execute malicious code with elevated privileges.

Although CVE-2025-59230 is difficult to exploit directly because RasMan normally starts automatically at system boot, researchers identified a second, previously unknown vulnerability that makes exploitation feasible. This unpatched flaw allows attackers to crash the RasMan service by abusing an error in its handling of circular linked lists.

| CVE ID | Vulnerability Type | Affected Component | Severity |
|---|---|---|---|
| CVE-2025-59230 | Elevation of Privilege | Windows Remote Access Connection Manager (RasMan) | High |

The unpatched vulnerability stems from flawed logic in the traversal of a circular linked list within the RasMan service. The code checks whether the current list pointer is NULL but fails to terminate the loop when this condition is met.

Instead, execution continues and attempts to access the next element through a NULL pointer, resulting in a memory access violation that crashes the RasMan service.

This programming error appears to be caused by the assumption that circular linked lists are always valid. While a NULL pointer check was added as a defensive measure, it was not properly tested, likely because all test cases involved well-formed lists.
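
The traversal pattern described above can be shown with an added example. It is not RasMan's code and not taken from the original advisory. The node type, result codes, function names and sample lists are hypothetical and constructed for this sketch, and treating a NULL head as an empty list is an assumed convention.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical node and result codes; not RasMan's real structures. */
struct node { struct node *next; int id; };
enum { LIST_MALFORMED = -1, LIST_NOT_FOUND = 0, LIST_FOUND = 1 };

/* Flawed pattern: the NULL check is present but does not leave the loop. */
int find_flawed(const struct node *head, int id) {
    const struct node *cur = head;
    do {
        if (cur != NULL && cur->id == id)
            return LIST_FOUND;
        cur = cur->next;            /* dereferences NULL on a broken ring */
    } while (cur != head);
    return LIST_NOT_FOUND;
}

/* Corrected pattern: a NULL link ends the traversal with an error code. */
int find_fixed(const struct node *head, int id) {
    const struct node *cur = head;
    if (head == NULL)
        return LIST_NOT_FOUND;      /* empty list (assumed convention) */
    do {
        if (cur == NULL)
            return LIST_MALFORMED;  /* ring is broken: stop, do not advance */
        if (cur->id == id)
            return LIST_FOUND;
        cur = cur->next;
    } while (cur != head);
    return LIST_NOT_FOUND;
}

/* Constructed sample: ring a -> b -> c -> a, or cut after c when broken != 0. */
int search_sample(int broken, int id, int use_fixed) {
    struct node c = { NULL, 3 }, b = { &c, 2 }, a = { &b, 1 };
    if (!broken)
        c.next = &a;
    return use_fixed ? find_fixed(&a, id) : find_flawed(&a, id);
}

int main(void) {
    printf("well-formed, flawed: %d\n", search_sample(0, 3, 0));
    printf("well-formed, fixed:  %d\n", search_sample(0, 3, 1));
    printf("broken ring, fixed:  %d\n", search_sample(1, 9, 1));
    /* search_sample(1, 9, 0) would fault on the NULL dereference. */
    return 0;
}
```

On well-formed rings both functions return the same results, which is why tests that only use valid lists do not expose the difference.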

By crashing RasMan, attackers can prevent the service from registering its legitimate RPC endpoint, allowing a malicious endpoint to be registered instead. This enables successful exploitation of CVE-2025-59230 and leads to Local System privilege escalation.

Affected Versions

  • Windows 7
  • Windows 10
  • Windows 11
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025

Recommendation

Organizations are advised to apply Microsoft security updates for CVE-2025-59230 as soon as they become available. Until an official fix for the unpatched RasMan service crash vulnerability is released, deploy 0patch micropatches to mitigate it. The micropatches prevent exploitation by ensuring proper handling of NULL pointers during linked list traversal.

For environments running unsupported Windows versions, 0patch’s security-adopted support can be used to maintain protection against this issue. Administrators should also monitor systems for abnormal RasMan service crashes or unexpected restarts, as these may indicate attempted exploitation. Additionally, local access to affected systems should be restricted where possible to reduce the risk of local privilege escalation.

Source

https://gbhackers.com/windows-remote-access-connection-manager-flaw/

https://blog.0patch.com/2025/12/free-micropatches-for-windows-remote.html