CVE-2025-59230 — Microsoft Windows Improper Access Control Vulnerability

Windows Remote Access Connection Manager — Local Privilege Escalation to SYSTEM; October 2025 Patch Tuesday Zero-Day

What is the Windows Remote Access Connection Manager (RasMan)?

The Remote Access Connection Manager (RasMan) is a Windows service (rasmanp.dll) that manages VPN connections, dial-up networking, and Point-to-Point Protocol (PPP) sessions. It runs as a privileged service and provides RPC interfaces that applications use to create, configure, and monitor remote access connections. RasMan is present and running on all Windows systems, not just those actively using VPN features, because it is a core Windows networking service.

Overview

CVE-2025-59230 is an improper access control vulnerability (CWE-284) in the Windows Remote Access Connection Manager service that allows a locally authenticated low-privilege attacker to escalate privileges to SYSTEM. The vulnerability was patched in October 2025 Patch Tuesday, with CISA adding it to the KEV catalog the same day — indicating active zero-day exploitation before the patch was released. Microsoft stated no viable workarounds exist, making patching the only mitigation.

Affected Versions

Product                    Vulnerable                               Fixed
Windows 10 (1809–22H2)     Before October 2025 cumulative update    October 2025 cumulative update
Windows 11 (21H2–24H2)     Before October 2025 cumulative update    October 2025 cumulative update
Windows Server 2019–2025   Before October 2025 cumulative update    October 2025 cumulative update

Technical Details

The improper access control (CWE-284) is in RasMan's RPC/IPC interfaces — the mechanisms through which applications communicate with the service to request VPN connection management. RasMan runs with elevated privileges (SYSTEM or LocalSystem) and exposes privileged operations via these interfaces.

The access control flaw allows a low-privilege local attacker to invoke privileged RasMan operations without the expected authorization checks — either because the check is missing, bypassable, or incorrectly implemented. By manipulating RasMan's privileged operations, the attacker gains SYSTEM-level code execution.

Key characteristics:

  • Local attack vector — the attacker must have a local account on the target system (achievable via phishing, malware, or RDP)
  • Low privilege required (PR:L) — any standard user account suffices
  • No user interaction needed (UI:N) — exploitable silently
  • Low attack complexity (AC:L) — a reliable, stable exploit is straightforward
  • SYSTEM-level access enables full system compromise, credential extraction, and lateral movement

Discovery

Microsoft MSTIC identified zero-day exploitation before October 2025 Patch Tuesday. Specific reporter attribution has not been publicly disclosed.

Exploitation Context

Microsoft confirmed active zero-day exploitation, and CISA added the vulnerability to the KEV catalog on October 14, 2025, the patch day itself. Microsoft explicitly stated that no viable workarounds exist; the only mitigation is applying the October 2025 cumulative update. Local privilege escalation vulnerabilities like this are the second stage of an attack: after an initial foothold (phishing, malware, compromised credentials) provides a standard user context, the LPE enables full control over the system.

Remediation

  1. Apply the October 2025 cumulative update for your Windows version. No workarounds exist — patching is the only fix. The CISA deadline was November 4, 2025.
  2. Prioritize systems with multiple local users or RDP-accessible systems — these have the highest likelihood of low-privilege attacker presence.
  3. Audit for signs of exploitation: look for unexpected SYSTEM-privileged processes spawned from user-context processes in Windows Event Log (Event ID 4688) before the patch date.
  4. Enable Windows Defender Credential Guard and virtualization-based security — these reduce the impact of SYSTEM-level compromises on credential theft.
  5. Review RDP access — ensure only authorized users have RDP access to Windows systems; restrict RDP with firewall rules and require MFA.
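To support step 3, the following PowerShell hunt is an added example (not part of the advisory) that pulls Security-log Event ID 4688 records and flags processes that end up running as SYSTEM although the account requesting their creation was an ordinary user, or interpreters started as SYSTEM under a parent other than the usual service hosts. It assumes "Audit Process Creation" was already enabled during the search window, an administrative shell, and the lookback date below is an assumed placeholder.

```powershell
# Added example: triage 4688 process-creation events for suspicious SYSTEM processes.
# Assumes Audit Process Creation was enabled before $Since; run from an elevated shell.
$Since = Get-Date '2025-09-01'   # assumed lookback start, i.e. before the October 2025 patch day
$ExpectedSystemParents = @('services.exe', 'wininit.exe', 'smss.exe', 'csrss.exe', 'winlogon.exe')
$Interpreters = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')

function Get-EventField {
    # Pull one named EventData field out of the event's XML representation.
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$Filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
$Hits = foreach ($ev in Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue) {
    $x       = [xml]$ev.ToXml()
    $subject = Get-EventField $x 'SubjectUserName'    # account that requested the creation
    $target  = Get-EventField $x 'TargetUserName'     # account the new process runs as, '-' if same
    $newProc = Get-EventField $x 'NewProcessName'
    $parent  = Get-EventField $x 'ParentProcessName'  # missing on older builds; treated as unknown
    $newLeaf    = Split-Path -Leaf $newProc
    $parentLeaf = if ($parent) { Split-Path -Leaf $parent } else { '' }
    $runsAsSystem = ($subject -eq 'SYSTEM') -or ($target -eq 'SYSTEM')
    if (-not $runsAsSystem) { continue }

    $reason = $null
    if ($target -eq 'SYSTEM' -and $subject -ne 'SYSTEM' -and $subject -notmatch '\$$') {
        # A user (not SYSTEM, not a machine account) requested a process that runs as SYSTEM.
        $reason = 'SYSTEM process requested by a non-SYSTEM account'
    } elseif ($Interpreters -contains $newLeaf -and $ExpectedSystemParents -notcontains $parentLeaf) {
        # Shells/interpreters as SYSTEM under svchost.exe or similar warrant a look;
        # scheduled tasks and management agents will also appear here, so treat as triage input.
        $reason = 'interpreter running as SYSTEM under an unusual parent'
    }
    if ($reason) {
        [pscustomobject]@{ Time = $ev.TimeCreated; Subject = $subject; Process = $newProc
                           Parent = $parent; Reason = $reason }
    }
}
$Hits | Sort-Object Time | Format-Table -AutoSize
```

Review each hit against its command line and the host's known scheduled tasks and agents; the list is a starting point for investigation, not a verdict.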

Key Details

CVE ID: CVE-2025-59230
Vendor / Product: Microsoft — Windows
NVD Published: 2025-10-14
NVD Last Modified: 2025-12-03
CVSS 3.1 Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH
CWE: CWE-284
CISA KEV Added: 2025-10-14
CISA KEV Deadline: 2025-11-04
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-11-04. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-10-14  Patched in October 2025 Patch Tuesday; CISA adds to KEV (zero-day exploited before patch)
2025-11-04  CISA BOD 22-01 remediation deadline