{"id":9215,"date":"2025-12-15T10:04:44","date_gmt":"2025-12-15T10:04:44","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/12\/15\/windows-remote-access-connection-manager-vulnerability-enables-arbitrary-code-execution\/"},"modified":"2025-12-15T10:04:44","modified_gmt":"2025-12-15T10:04:44","slug":"windows-remote-access-connection-manager-vulnerability-enables-arbitrary-code-execution","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/12\/15\/windows-remote-access-connection-manager-vulnerability-enables-arbitrary-code-execution\/","title":{"rendered":"Windows Remote Access Connection Manager Vulnerability Enables Arbitrary Code Execution"},"content":{"rendered":"

Windows Remote Access Connection Manager Vulnerability Enables Arbitrary Code Execution
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A critical security issue involving the Windows Remote Access Connection Manager (RasMan) that allows local attackers to execute arbitrary code with System privileges.<\/p>\n

While investigating\u00a0CVE-2025-59230<\/a>, the vulnerability that Microsoft addressed in the October 2025 security updates. 0patch security analysts discovered a complex exploit chain that relies on a secondary, previously unknown zero-day flaw to function effectively.<\/p>\n

The primary vulnerability, CVE-2025-59230, centers on how the RasMan service handles RPC endpoints<\/a>. When the service starts, it registers a specific endpoint that other privileged services trust.<\/p>\n

0patch researchers found that if RasMan<\/a> is not running, an attacker can register this endpoint first.<\/p>\n

\n\n\n\n\n\n\n\n\n\n
Feature<\/strong><\/th>\nDetails<\/strong><\/th>\n<\/tr>\n<\/thead>\n
CVE ID<\/strong><\/td>\nCVE-2025-59230<\/td>\n<\/tr>\n
Component<\/strong><\/td>\nWindows Remote Access Connection Manager (RasMan)<\/td>\n<\/tr>\n
Vulnerability Type<\/strong><\/td>\nElevation of Privilege (EoP)<\/td>\n<\/tr>\n
Impact<\/strong><\/td>\nLocal Arbitrary Code Execution as System<\/td>\n<\/tr>\n
Affected Platforms<\/strong><\/td>\nWindows 10, Windows 11, Windows Server 2008-2025<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Once the privileged services attempt to connect, they unknowingly communicate with the attacker\u2019s process, allowing for the execution of malicious commands.<\/p>\n

However, exploiting this race condition is difficult because RasMan typically launches automatically at system startup, leaving attackers no window of opportunity to register the endpoint first.<\/p>\n

To bypass this limitation, the discovered exploit utilizes a second, unpatched vulnerability. This zero-day<\/a> flaw allows a non-privileged user to intentionally crash the RasMan service.<\/p>\n

The crash is caused by a logic error in the code involving a circular linked list. The service attempts to traverse the list but fails to properly handle NULL pointers, resulting in a memory access<\/a> violation.<\/p>\n

By crashing the service, attackers can force it into a stopped state, release the RPC endpoint, and subsequently trigger the CVE-2025-59230 exploitation chain to gain System access.<\/p>\n

Microsoft has released official patches for the elevation-of-privilege<\/a> flaw (CVE-2025-59230). However, the service crash vulnerability used to facilitate the attack remained unpatched in official channels at the time of discovery.<\/p>\n

0patch has released<\/a> micropatches to address this crash vector across supported platforms, including Windows 11 and Server 2025.<\/p>\n

Administrators are advised to apply the October 2025 Windows updates immediately to mitigate the primary privilege escalation risk.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post Windows Remote Access Connection Manager Vulnerability Enables Arbitrary Code Execution<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Abinaya
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Windows Remote Access Connection Manager Vulnerability Enables Arbitrary Code Execution A critical security issue involving the Windows Remote Access Connection Manager (RasMan) that allows local attackers to execute arbitrary code with System privileges. While investigating\u00a0CVE-2025-59230, the vulnerability that Microsoft addressed in the October 2025 security updates. 0patch security analysts discovered a complex exploit chain that […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648,395],"tags":[130],"class_list":["post-9215","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","category-windows","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9215"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=9215"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9215\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=9215"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=9215"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=9215"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}