Summary

CVE-2025-59230 is an elevation of privilege (EoP) vulnerability in the Windows Remote Access Connection Manager (RasMan) service, stemming from improper access control (CWE-284). It allows a locally authenticated attacker to escalate privileges to SYSTEM level, potentially leading to full host compromise. This zero-day flaw has been actively exploited in the wild and is rated "Important" with a CVSSv3.1 base score of 7.8 (Attack Vector: Local; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: Unchanged; Confidentiality/Integrity/Availability Impact: High).

Affected Systems or Versions

• ‍Primary Impact: All supported versions of Windows client and server operating systems where the Remote Access Connection Manager service is enabled (default on most installations).‍
• Specific Versions (per Microsoft October 2025 Patch Tuesday):
  
  • Windows 10 (versions 22H2, 21H2)
    
  • Windows 11 (versions 23H2, 24H2)
  • Windows Server 2019, 2022
  • Older branches like Windows 8.1 and Server 2012 R2 (if still supported)
• RasMan manages VPN and dial-up connections, so systems using remote access features are at higher risk. No third-party dependencies noted.
  

Technical Details

The vulnerability arises from flawed access control logic in the RasMan service, which runs with elevated privileges to handle network connections. A low-privileged local user can exploit this by sending crafted requests to the service, bypassing intended restrictions and executing arbitrary code as SYSTEM. Exploitation typically requires local access (e.g., via an initial foothold from phishing or malware), but no user interaction or elevated privileges are necessary. Proof-of-concept exploits may emerge post-patch, but Microsoft has not released a detailed root cause analysis beyond the CWE classification.

Mitigation

• ‍Immediate Action: Apply the October 2025 security updates (KB5044284 for Windows 11, KB5044273 for Windows 10, etc.) via Windows Update, Microsoft Update Catalog, or WSUS. Restart required.‍
• Interim Workarounds:
  
  • Disable the Remote Access Connection Manager service (rasman) if not needed for VPN/remote access functionality.
  • Restrict local logons to trusted accounts and monitor for suspicious privilege escalations using tools like Sysmon or EDR.
• Restart systems after patching to ensure full effect. Microsoft recommends prioritizing this due to active exploitation.
  

What the Cyber Fusion Center is Doing

The Cyber Fusion Center response includes:

• CFC is launching a threat hunting operation based on our identified IOCs and TTPs to detect potential exploitation activity related to this vulnerability.

References

• Microsoft Security Update Guide: CVE-2025-59230 Details
• NVD Entry: CVE-2025-59230
• Tenable Analysis: Microsoft’s October 2025 Patch Tuesday
• Help Net Security: Microsoft Patches Three Zero-Days
• CISA KEV Catalog Update: New Vulnerabilities Added