{"id":59839,"date":"2025-12-12T22:29:33","date_gmt":"2025-12-12T22:29:33","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/microsoft-rasman-dos-0-day-gets-unofficial-patch-and-a-working-exploit\/"},"modified":"2025-12-12T22:29:33","modified_gmt":"2025-12-12T22:29:33","slug":"microsoft-rasman-dos-0-day-gets-unofficial-patch-and-a-working-exploit","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/microsoft-rasman-dos-0-day-gets-unofficial-patch-and-a-working-exploit\/","title":{"rendered":"Microsoft RasMan DoS 0-day gets unofficial patch – and a working exploit"},"content":{"rendered":"

A Microsoft zero-day vulnerability that allows an unprivileged user to crash the Windows Remote Access Connection Manager (RasMan) service now has a free, unofficial patch – with no word as to when Redmond plans to release an official one – along with a working exploit circulating online.<\/p>\n

Researchers from 0patch, the micropatching site, uncovered the denial-of-service (DoS) bug while investigating CVE-2025-59230<\/a>, a Windows RasMan privilege escalation vulnerability that Redmond fixed<\/a> in October, but not before attackers found and exploited the vulnerability.<\/p>\n

RasMan is a critical Windows service that manages VPN and other remote network connections, and CVE-2025-59230 allows an authorized attacker to elevate privileges locally and gain SYSTEM privileges. It essentially takes advantage of the fact that when RasMan is not running, any process can impersonate RasMan and execute code on an RPC endpoint – a condition the exploit depends on.<\/p>\n

\n

The exploit is freely downloadable, so one can assume it has been and will be obtained by many interested parties, possibly including malicious actors<\/p>\n<\/blockquote>\n

“Consequently, a working exploit must therefore be able to (also) stop the RasMan service to release said RPC endpoint,” ACROS Security CEO and 0patch co-founder Mitja Kolsek said<\/a> in a Friday blog. “And this was the second, non-obvious vulnerability that the CVE-2025-59230 exploit we had found utilizes: one that allows an unprivileged user to crash the RasMan service. Without this capability, CVE-2025-59230 could hardly be exploited.” <\/p>\n

This new vulnerability hasn’t yet been assigned a CVE and remains unpatched across all Windows versions. While Kolsek said he alerted the Windows giant about the security hole, “we have no feedback on patching from Microsoft,” he told The Register<\/em>.<\/p>\n