Privilege escalation vulnerabilities remain a top concern for enterprise security teams. In October 2025, Microsoft patched CVE-2025-59230, an elevation-of-privilege flaw in Windows Remote Access Connection Manager (RasMan) rated Important (CVSS 7.8) and reported as exploited in the wild at the time of release. It allows a local, authenticated attacker to run arbitrary code with SYSTEM privileges.
But the story doesn't end there. Researchers at 0patch found that a second, unpatched bug is needed to make the attack practical, and built an exploit chain around it. This post breaks down how the chain works, why it matters, and what steps you should take now.
What Is CVE-2025-59230?
- Component: Windows Remote Access Connection Manager (RasMan)
- Vulnerability Type: Elevation of Privilege (EoP)
- Impact: Local arbitrary code execution as System
- Affected Platforms: Windows 10, Windows 11, Windows Server 2008–2025
The flaw lies in how RasMan handles its RPC endpoint. When RasMan starts, it registers an endpoint that other privileged services connect to and trust. If a low-privileged process registers that same endpoint before RasMan does, the privileged clients connect to the impostor instead, letting the attacker intercept their requests and have malicious commands carried out with the callers' privileges.
Why Is Exploitation Hard?
Under normal conditions RasMan starts automatically during boot, long before any attacker-controlled process runs, so there is no window in which to register the endpoint first. Winning this race is what makes exploitation difficult, unless the attacker can stop RasMan and reopen the window.
The Second Zero-Day: Crashing RasMan
0patch researchers discovered a separate, unpatched logic error in RasMan involving a circular linked list. When traversing the list, RasMan fails to check for NULL pointers, so a crafted condition causes a memory access violation that crashes the service and releases its RPC endpoint.
By exploiting this bug, attackers can:
- Crash RasMan → Endpoint released
- Register malicious RPC endpoint → Hijack privileged calls
- Trigger CVE-2025-59230 → Gain System-level access
Exploit Chain Summary
| Step | Action | Result |
|---|---|---|
| 1 | Crash RasMan via zero-day | Service stops |
| 2 | Register RPC endpoint first | Privileged services connect to attacker |
| 3 | Execute malicious commands | System privileges achieved |
Mitigation Steps
- Apply the October 2025 Microsoft updates immediately to close CVE-2025-59230.
- Where official updates cannot be applied or the crash bug is still unpatched, consider the 0patch micropatches for the crash vulnerability on Windows 10, 11, and Server 2025.
- Alert on RasMan stopping outside a reboot or maintenance window (Service Control Manager Event IDs 7031 and 7034 in the System log record unexpected service terminations) and on any process other than the service's own svchost.exe instance hosting it.
- Reduce who can run code on servers and workstations in the first place (interactive logon rights, application control) and enforce least privilege, since the chain starts from an ordinary local account.
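A host check that puts the monitoring bullet into practice. This is an added example for this post, not code from Microsoft or 0patch: it reports whether RasMan is running under its expected host process, looks for unexpected RasMan terminations in the System log, and, if the operator supplies the KB number of the October 2025 update for the build in question, verifies it is installed. The Event IDs 7031/7034 and the svchost.exe/LocalSystem expectations are assumptions about standard Windows behaviour, not facts taken from the page; no KB number is assumed.

```powershell
<#
  Added example (not the original post's, Microsoft's or 0patch's code).
  Checks a Windows host for the conditions the RasMan chain needs:
    - RasMan not running, or hosted by something other than svchost.exe
    - unexpected RasMan terminations logged by the Service Control Manager
    - the October 2025 update present (KB supplied by the operator; none assumed)
  Assumptions: SCM Event IDs 7031/7034 are "service terminated unexpectedly";
  RasMan normally runs as LocalSystem inside svchost.exe.
  Run from an elevated PowerShell prompt.
#>
param(
    [int]$LookbackHours = 24,
    [string[]]$RequiredKB = @()   # e.g. the KB ID of the October 2025 update for this build
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Service state. Anything but Running is the window the chain needs.
$svc = Get-CimInstance Win32_Service -Filter "Name='RasMan'"
if (-not $svc) {
    $findings.Add("RasMan service not present on this host")
} else {
    if ($svc.State -ne 'Running') {
        $findings.Add("RasMan is '$($svc.State)' (StartMode=$($svc.StartMode)); expected Running")
    }
    if ($svc.StartName -ne 'LocalSystem') {
        $findings.Add("RasMan runs as '$($svc.StartName)' instead of LocalSystem")
    }
    # The service should be hosted by svchost.exe; any other host binary is suspicious.
    if ($svc.State -eq 'Running' -and $svc.ProcessId) {
        $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
        if ($proc -and $proc.Path -and ($proc.Path -ne "$env:SystemRoot\System32\svchost.exe")) {
            $findings.Add("RasMan hosted by unexpected binary: $($proc.Path)")
        }
    }
}

# 2. Unexpected terminations. A crash leaves a 7031/7034 trail in the System log.
$since = (Get-Date).AddHours(-$LookbackHours)
$crashes = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031, 7034
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Remote Access Connection Manager' }
foreach ($e in $crashes) {
    $findings.Add("RasMan terminated unexpectedly at $($e.TimeCreated) (Event ID $($e.Id))")
}

# 3. Patch presence, only for KB IDs the operator passed in.
foreach ($kb in $RequiredKB) {
    if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) {
        $findings.Add("Update $kb not installed")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: RasMan running under svchost.exe, no unexpected terminations in the last $LookbackHours h"
    exit 0
}
$findings | ForEach-Object { Write-Output "FINDING: $_" }
exit 1
```

Run it as `.\Check-RasMan.ps1 -LookbackHours 72 -RequiredKB KB<number>` (file name and KB value are yours to choose). The script does not inspect the RPC endpoint mapper itself, because the post does not name RasMan's endpoint; a stopped service or a foreign host process is the observable precondition for the hijack, and a 7031/7034 event for RasMan on a machine that has not rebooted is the signal worth paging on.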
Compliance & Risk Impact
- Risk: Full system compromise from any local account
- Compliance: Unpatched hosts fail the access-control expectations of NIST CSF PR.AC and the ISO 27001 Annex A access management controls
- Impact: SYSTEM privileges let an attacker tamper with or disable endpoint security tooling, escalate further, and persist
FAQs
Q1. Is the crash vulnerability patched by Microsoft?
No. Microsoft patched CVE-2025-59230, but at the time of writing the crash bug has no official fix. 0patch provides micropatches for it.
Q2. Which systems are affected?
Windows 10, Windows 11, and Windows Server 2008–2025.
Q3. How critical is this exploit chain?
High. It enables full System-level compromise from a local account.
Conclusion
The RasMan exploit chain shows how attackers combine a patched flaw with an unpatched one to defeat the assumption that made the first one hard to exploit. Apply the official updates, consider micropatches for the crash bug, and watch for RasMan stopping unexpectedly rather than waiting for the next advisory.