Zero-Day Vulnerability Discovered in RasMan; Only Unofficial Patch Available

A zero-day vulnerability in Windows Remote Access Connection Manager (RasMan) enables denial-of-service attacks and, when combined with another flaw, privilege escalation. Microsoft hasn't released a patch, but Acros Security published a free temporary fix through its 0patch platform.

RasMan is a Windows system service that starts automatically, runs with SYSTEM privileges, and manages VPN, PPPoE, and other remote network connections. Crashing this service disrupts network connectivity and opens paths for more serious attacks.

Acros Security discovered the new bug while analyzing CVE-2025-59230, a RasMan privilege escalation vulnerability Microsoft patched in October 2025 following reports of active exploitation. During that investigation, researchers found a related issue allowing any local user to crash RasMan deliberately.

The vulnerability lacks a CVE identifier. It affects Windows 7 through Windows 11, plus Windows Server 2008 R2 through Server 2025.

The flaw lies in RasMan's handling of a circular linked list: when it encounters a null pointer in the list, it dereferences it and attempts to read memory at an invalid address, which crashes the process.

Attack Scenario

On its own, the vulnerability is a standard DoS issue, but it becomes dangerous when chained with CVE-2025-59230 or a similar privilege escalation flaw. In that chain, an attacker could execute code while impersonating the RasMan service, but only while RasMan is not running. The zero-day supplies the mechanism to stop the service.
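Because the chain described above needs RasMan to be down, a defender's first practical check is whether the service is running, what it does on failure, and whether it has been terminating unexpectedly. The following PowerShell script is an added example (not from the article, Acros Security, or Microsoft); it relies only on the standard `Get-Service`, `sc.exe qfailure` and `Get-WinEvent` tooling. The "Remote Access Connection Manager" display name used in the event filter is RasMan's standard display name, and the KB number for the October 2025 update is a placeholder because the article does not list it.

```powershell
# Added example, not from the article or Acros Security: defender-side checks for the
# precondition the chained attack needs (RasMan not running) and for unexpected RasMan
# terminations recorded by the Service Control Manager. Run in an elevated session.

$serviceName = 'RasMan'

# 1. Current state and start type of the service.
$svc = Get-Service -Name $serviceName -ErrorAction Stop
Write-Host ("RasMan status: {0} (start type: {1})" -f $svc.Status, $svc.StartType)

# 2. Recovery actions. A service configured to 'Take no action' on failure stays down
#    after a crash, which is exactly the window the chained attack relies on.
sc.exe qfailure $serviceName
# To shorten that window (mitigation, not a fix for the root cause), an administrator
# can configure automatic restarts, e.g.:
#   sc.exe failure RasMan reset= 86400 actions= restart/60000/restart/60000/restart/60000

# 3. Unexpected terminations in the last 7 days. Event ID 7034 is written by the
#    Service Control Manager whenever a service terminates unexpectedly; the message
#    names the service by its display name, so filter on that.
$since = (Get-Date).AddDays(-7)
$crashes = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7034
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Remote Access Connection Manager*' }

if ($crashes) {
    Write-Warning ("{0} unexpected RasMan termination(s) since {1}:" -f @($crashes).Count, $since)
    $crashes | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
} else {
    Write-Host "No unexpected RasMan terminations logged since $since."
}

# 4. Patch status for the privilege escalation half of the chain. The article says the
#    October 2025 updates close CVE-2025-59230; look up the KB number for your OS build
#    yourself, as the article does not give it (placeholder below).
$octoberKb = 'KB<placeholder>'
$installed = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $octoberKb }
if ($installed) {
    Write-Host "$octoberKb is installed."
} else {
    Write-Warning "$octoberKb not found; verify the cumulative update level another way."
}
```

A repeated 7034 event for RasMan on a host where no one is administering remote access is worth treating as a signal rather than noise: the article's point is that a crash of this service is the setup step for a more serious chain, so the event deserves the same triage as the privilege escalation itself.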

Acros Security released free unofficial patches through the 0patch platform. Users need a 0patch account and the 0patch agent, which applies micropatches automatically (usually without requiring a reboot).

Microsoft confirmed the vulnerability and stated it's working on a fix. The company noted that systems with October 2025 patches installed are protected against privilege escalation exploitation.