Recently, researchers at 0patch have discovered an unpatched vulnerability in the Windows Remote Access Connection Manager (RasMan) service while investigating a separate, recently patched flaw.
The investigation began with CVE-2025-59230, an elevation of privilege vulnerability in Windows that Microsoft addressed in its October 2025 updates. While analyzing an exploit for this flaw, 0patch researchers found it “nicely demonstrated local arbitrary code execution as Local System when launched as a non-admin Windows user”. However, the exploit had a secret weapon tucked inside.
“Interestingly though, this exploit – while exploiting CVE-2025-59230 – also included an exploit for another vulnerability that turned out to have remained unpatched to this day,” the report states.
The original vulnerability, CVE-2025-59230, relies on a race condition involving the Remote Access Connection Manager (RasMan) service. Upon startup, RasMan registers an RPC endpoint that other privileged services trust implicitly. The flaw allows an attacker to register this endpoint first if RasMan isn’t running, tricking other services into connecting to a malicious process instead.
However, there is a catch: RasMan almost always starts automatically with Windows. “The RasMan service usually gets started automatically upon Windows startup… and even a scheduled task created by a local attacker would not be quick enough to find it in a ‘not running’ state,” the researchers explained.
To bypass this hurdle, the exploit writers needed a way to kill the service. “Consequently, a working exploit must therefore be able to (also) stop the RasMan service to release said RPC endpoint”.
This necessity led to the discovery of the second vulnerability: a flaw that allows any unprivileged user to crash the RasMan service on demand. “Without this capability, CVE-2025-59230 could hardly be exploited”.
0patch traced the issue to a classic coding error within a circular linked list. The code iterates through the list but fails to properly handle a NULL pointer. “Inside the loop, the pointer to the current element is compared with NULL – which is a reasonable sanity check,” the report notes.
However, the logic was flawed. Instead of exiting the loop upon finding a NULL pointer, the code continued to read from it. “But if the pointer is NULL… the loop is not exited – rather, the execution continues by reading the pointer to the next list element from this NULL pointer,” causing an immediate memory access violation and service crash.
While Microsoft has been alerted and “will likely provide an official patch for still-supported Windows versions in one of future Windows updates,” 0patch has released an immediate micropatch to close the hole.
The fix injects a proper sanity check into the vulnerable loop. “Our patch (code added in blue and green code blocks) injects another check for a NULL pointer that exits the loop,” preventing the crash and effectively neutralizing the exploit chain.
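To make the two loop shapes concrete, here is an added example in C. It is not 0patch’s or Microsoft’s code and does not reproduce RasMan’s real data structures; it is a constructed circular singly linked list with one walk that checks the cursor for NULL but never leaves the loop (the pattern the report describes) and one walk where the NULL check exits. The iteration bound in the hardened walk is my own addition for the related corruption case where the ring no longer returns to its head, not something the micropatch is described as doing.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed circular singly linked list; not RasMan's actual structures. */
typedef struct node {
    int value;
    struct node *next;
} node_t;

/*
 * The loop shape described in the 0patch write-up, reproduced as an
 * illustration: the cursor is compared with NULL, but nothing leaves the
 * loop when that check fires, so the next statements dereference NULL.
 * On an intact ring it works; on a ring containing a NULL link it crashes
 * with an access violation, which is the service crash the article describes.
 * Only call it on an intact ring.
 */
int sum_ring_vulnerable(node_t *head)
{
    int sum = 0;
    node_t *cur = head;
    do {
        if (cur == NULL) {
            /* sanity check present, but no break or return follows it */
            fputs("NULL element encountered\n", stderr);
        }
        sum += cur->value;   /* NULL dereference when the check fired */
        cur = cur->next;     /* "reading the next pointer from this NULL pointer" */
    } while (cur != head);
    return sum;
}

/*
 * Hardened form in the spirit of the micropatch: the NULL check exits the
 * loop. The iteration bound is an assumption of this example (not part of
 * the described patch) so a ring whose cycle no longer returns to the head
 * cannot spin forever. Returns the sum, or -1 when the list is found corrupt.
 */
int sum_ring_hardened(node_t *head, size_t max_nodes)
{
    if (head == NULL)
        return -1;
    int sum = 0;
    size_t seen = 0;
    node_t *cur = head;
    do {
        if (cur == NULL || seen >= max_nodes)
            return -1;       /* leave the loop instead of dereferencing */
        sum += cur->value;
        cur = cur->next;
        seen++;
    } while (cur != head);
    return sum;
}

/* Sample data (constructed): a three-node ring 1 -> 2 -> 3 -> back to 1. */
static node_t ring[3];

node_t *sample_ring(void)
{
    for (size_t i = 0; i < 3; i++) {
        ring[i].value = (int)(i + 1);
        ring[i].next = &ring[(i + 1) % 3];
    }
    return &ring[0];
}

/* Intact ring: both walks agree on the sum 6. */
int demo_intact_vulnerable(void) { return sum_ring_vulnerable(sample_ring()); }
int demo_intact_hardened(void)   { return sum_ring_hardened(sample_ring(), 16); }

/* Ring corrupted with a NULL link: the hardened walk reports -1 instead of crashing. */
int demo_null_link(void)
{
    node_t *head = sample_ring();
    ring[2].next = NULL;
    return sum_ring_hardened(head, 16);
}

/* Ring whose cycle skips the head: the iteration bound ends the walk with -1. */
int demo_broken_cycle(void)
{
    node_t *head = sample_ring();
    ring[2].next = &ring[1];
    return sum_ring_hardened(head, 16);
}

int main(void)
{
    printf("intact (vulnerable walk): %d\n", demo_intact_vulnerable());
    printf("intact (hardened walk):   %d\n", demo_intact_hardened());
    printf("NULL link (hardened):     %d\n", demo_null_link());
    printf("broken cycle (hardened):  %d\n", demo_broken_cycle());
    return 0;
}
```

The point of the hardened walk is that a sanity check only helps if control flow actually acts on it: returning from inside the loop turns an unprivileged crash of a privileged service into a reported error, which is what removes the “stop RasMan on demand” step the article says the exploit chain depends on.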
Micropatches are now available for a wide range of systems, including fully updated versions of Windows 11 (v21H2 through v25H2), Windows 10, and legacy systems like Windows 7 and Server 2008 R2.