Article Details
Scrape Timestamp (UTC): 2025-12-12 22:34:45.540
Source: https://www.theregister.com/2025/12/12/microsoft_windows_rasman_dos_0day/
Original Article Text
Microsoft RasMan DoS 0-day gets unofficial patch - and a working exploit

Exploit hasn't been picked up by any malware detection engines, CEO tells The Reg.

A Microsoft zero-day vulnerability that allows an unprivileged user to crash the Windows Remote Access Connection Manager (RasMan) service now has a free, unofficial patch - with no word as to when Redmond plans to release an official one - along with a working exploit circulating online.

Researchers from 0patch, the micropatching site, uncovered the denial-of-service (DoS) bug while investigating CVE-2025-59230, a Windows RasMan privilege escalation vulnerability that Redmond fixed in October, but not before attackers found and exploited the vulnerability.

RasMan is a critical Windows service that manages VPN and other remote network connections, and CVE-2025-59230 allows an authorized attacker to elevate privileges locally and gain SYSTEM privileges. It essentially takes advantage of the fact that when RasMan is not running, any process can impersonate RasMan and execute code on an RPC endpoint - a condition the exploit depends on.

"Consequently, a working exploit must therefore be able to (also) stop the RasMan service to release said RPC endpoint," ACROS Security CEO and 0patch co-founder Mitja Kolsek said in a Friday blog. "And this was the second, non-obvious vulnerability that the CVE-2025-59230 exploit we had found utilizes: one that allows an unprivileged user to crash the RasMan service. Without this capability, CVE-2025-59230 could hardly be exploited."

This new vulnerability hasn't yet been assigned a CVE and remains unpatched across all Windows versions. While Kolsek said he alerted the Windows giant about the security hole, "we have no feedback on patching from Microsoft," he told The Register.
We also reached out to Microsoft about assigning a CVE and issuing a patch and didn't receive a response.

Kolsek told us that, while his company has no evidence of this zero-day being exploited in the wild, "we did find a working exploit on the internet that has not been detected as malicious by any malware detection engines. The exploit is freely downloadable, so one can assume it has and will be obtained by many interested parties, possibly including malicious actors."

The flaw, as Kolsek explained in the blog, is due to a coding issue in processing circular linked lists. The service traverses the list in a loop, and it's supposed to exit once the list has been traversed - but it can't exit the loop if the pointer is null. "This causes memory access violation and crashes the RasMan service," Kolsek wrote.

The patch, and all of those pushed by 0patch, are free until and unless the vendor - Microsoft, in this case - issues an official patch. To get it, you must sign up for a free trial at 0patch Central.
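The bug class Kolsek describes (a circular-list walk whose only exit condition is "back at the head", so a null link is dereferenced instead of ending the loop) is easy to see in miniature. The following C program is an added illustration written for this page; it is not RasMan's code, nor 0patch's, and the `node_t` type, the `ring_sum_*` functions and the constructed four-node rings are all hypothetical. It places the unchecked loop shape beside a hardened version that treats a null link as a broken ring and reports it rather than faulting, which is the kind of check a micropatch or a code review would add.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical node type for illustration only; the real RasMan structures
 * are not described in the article. In a well-formed ring the last node's
 * next pointer points back to the head. */
typedef struct node {
    int value;
    struct node *next;
} node_t;

/* 'Before' pattern, an assumed reconstruction of the loop shape the article
 * describes: the only way out is reaching the head again. If any node's
 * next pointer is NULL the loop never meets that condition and instead
 * dereferences NULL on the following iteration: an access violation. */
static int ring_sum_unchecked(const node_t *head)
{
    int sum = 0;
    const node_t *cur = head;
    if (head == NULL)
        return 0;
    do {
        sum += cur->value;          /* faults here once cur has become NULL */
        cur = cur->next;
    } while (cur != head);
    return sum;
}

/* Hardened traversal: a NULL link means the ring is broken. Stop, report
 * failure and leave *sum_out untouched rather than crash the service.
 * Returns 0 on success (sum written to *sum_out), -1 on a broken ring. */
static int ring_sum_checked(const node_t *head, int *sum_out)
{
    int sum = 0;
    const node_t *cur = head;
    if (head == NULL) {             /* empty list: a valid zero-length ring */
        *sum_out = 0;
        return 0;
    }
    do {
        sum += cur->value;
        cur = cur->next;
        if (cur == NULL)
            return -1;              /* broken ring: refuse instead of fault */
    } while (cur != head);
    *sum_out = sum;
    return 0;
}

/* Constructed test data: a ring of n nodes with values 1..n. When break_ring
 * is nonzero the last node's next is left NULL, modelling the corrupt state
 * the unchecked loop cannot handle. */
static node_t *make_ring(int n, int break_ring)
{
    node_t *head = NULL, *prev = NULL;
    for (int i = 1; i <= n; i++) {
        node_t *nd = calloc(1, sizeof *nd);
        if (nd == NULL)
            exit(EXIT_FAILURE);
        nd->value = i;
        if (prev != NULL)
            prev->next = nd;
        else
            head = nd;
        prev = nd;
    }
    if (prev != NULL && !break_ring)
        prev->next = head;          /* close the ring */
    return head;
}

/* Free exactly n nodes by following next; safe for closed and broken rings. */
static void free_ring(node_t *head, int n)
{
    node_t *cur = head;
    for (int i = 0; i < n && cur != NULL; i++) {
        node_t *next = cur->next;
        free(cur);
        cur = next;
    }
}

int main(void)
{
    int sum = 0, rc;
    node_t *good = make_ring(4, 0);
    node_t *bad  = make_ring(4, 1);

    printf("unchecked, well-formed ring: sum=%d\n", ring_sum_unchecked(good));
    rc = ring_sum_checked(good, &sum);
    printf("checked,   well-formed ring: rc=%d sum=%d\n", rc, sum);
    rc = ring_sum_checked(bad, &sum);
    printf("checked,   broken ring:      rc=%d (sum left untouched)\n", rc);
    /* ring_sum_unchecked(bad) is deliberately not called: it would fault. */

    free_ring(good, 4);
    free_ring(bad, 4);
    return 0;
}
```

The point for reviewers is the exit condition: `cur != head` is only a termination test if the ring is guaranteed closed, and a service that walks lists it does not fully control needs the `cur == NULL` check (and, in production code, usually an upper bound on iterations as well) so that a malformed list degrades to an error return instead of a crash.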
Daily Brief Summary
A zero-day vulnerability in Microsoft's Windows Remote Access Connection Manager (RasMan) allows unprivileged users to crash the service, leading to potential denial-of-service attacks.
Researchers from 0patch identified the flaw while investigating a related vulnerability, CVE-2025-59230, which was previously patched by Microsoft after being exploited by attackers.
The vulnerability remains unpatched by Microsoft, with no official timeline for a fix, although an unofficial patch is available through 0patch.
The exploit, circulating online, has not been detected by malware engines, raising concerns about potential misuse by malicious actors.
The flaw stems from a coding issue in processing circular linked lists, causing a memory access violation and service crash.
ACROS Security CEO Mitja Kolsek has informed Microsoft of the vulnerability, but no feedback or CVE assignment has been received.
Organizations are advised to implement the unofficial patch from 0patch to mitigate the risk until an official update is available.