Windows RasMan Service Exposes Critical Vulnerability

A serious security flaw exists in Microsoft’s Windows Remote Access Connection Manager (RasMan) service, allowing attackers with local access to execute code with system administrator rights. This vulnerability, CVE-2025-59230, affects how the service handles RPC endpoints. When RasMan is not running, an attacker can register its RPC endpoint first, so that privileged services that unknowingly connect to it end up executing the attacker's commands.

The exploit relies on a second, previously unknown zero-day flaw, which can be exploited to crash the RasMan service and force it to stop. The crash releases the RPC endpoint, letting attackers trigger the CVE-2025-59230 exploit chain and gain access to the system. Microsoft has released official patches for this elevation of privilege vulnerability.

Separately, 0patch security specialists, who discovered this vulnerability, have released micropatches to address the crash issue on supported platforms, including Windows 11 and Server 2025. Administrators are advised to immediately apply the October 2025 Windows Updates to mitigate the risk of privilege escalation to system administrator rights.
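The forced crash described above is something defenders can hunt for: an unexpected service termination is normally logged by the Service Control Manager as event 7031 or 7034 in the System log. The following is an added example, not code from the article, Microsoft or 0patch; the function name `Get-RasManCrashReport` and the 7-day look-back are assumptions.

```powershell
# Added example: report unexpected RasMan terminations on the local machine.
# Function name and default look-back window are assumptions for illustration.
function Get-RasManCrashReport {
    param([int]$Days = 7)

    # Resolve the localized display name, since SCM event messages use it.
    $svc = Get-Service -Name 'RasMan' -ErrorAction Stop

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031, 7034   # "service terminated unexpectedly"
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent raises an error when nothing matches; treat that as no crashes.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$($svc.DisplayName)*" })

    $last = $events | Sort-Object TimeCreated | Select-Object -Last 1

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        ServiceStatus = $svc.Status      # a stopped RasMan is the state the article describes
        StartType     = $svc.StartType
        CrashCount    = $events.Count
        LastCrash     = $last.TimeCreated
        NeedsReview   = $events.Count -gt 0
    }
}

Get-RasManCrashReport | Format-List
```

A non-zero `CrashCount` on a machine that has not yet received the October 2025 updates is worth investigating.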

Source: https://www.redhotcyber.com/en/post/critical-windows-vulnerability-cve-2025-59230-exposed