New Windows RasMan Zero-Day: DoS Vulnerability in Remote Access Connection Manager and 0patch Micropatch

CyberSecureFox 🦊

A new Windows zero-day vulnerability has been identified in the Remote Access Connection Manager (RasMan) service, enabling a local user to deliberately cause a denial-of-service (DoS) condition. While the bug is currently confirmed as a service-crash issue, it significantly increases the risk of chained attacks that may lead to privilege escalation to SYSTEM. Microsoft has not yet shipped an official patch, but Acros Security has released a temporary 0patch micropatch as an interim protection measure.

The flaw highlights once again how weaknesses in core Windows services, especially those running with high privileges, can be combined with other vulnerabilities to bypass defenses. Remote access and VPN services remain prime targets, particularly in corporate environments where RasMan is heavily used.

Why the RasMan Windows Zero-Day Matters for Remote Access Security

RasMan is a fundamental Windows service responsible for managing VPN connections, PPPoE sessions, and other remote access links. It starts automatically with the operating system and runs under the powerful SYSTEM account. When RasMan fails, it can disrupt VPN connectivity and remote access services, impacting users and critical workloads.

From a security perspective, any bug in a SYSTEM-level service is treated as high risk. Even if the immediate effect is “only” denial of service, DoS vulnerabilities frequently serve as a stepping stone in multi-stage attacks. Once attackers gain a foothold on a system—through phishing, credential theft, or another exploit—they often leverage local vulnerabilities to escalate privileges and move laterally. Industry studies such as the Verizon Data Breach Investigations Report consistently show that misuse or compromise of privileged accounts is a factor in the majority of serious breaches.

Connection to CVE-2025-59230 and Combined Exploitation Scenarios

The newly disclosed RasMan bug was uncovered during a deeper analysis of CVE-2025-59230, a previously patched RasMan privilege escalation vulnerability that had already been exploited in the wild. While reviewing Microsoft’s fix for CVE-2025-59230, researchers at Acros Security identified a related but distinct issue that allows any local user to reliably crash the RasMan service.

Standing alone, this new zero-day is categorized as a DoS vulnerability. However, its strategic value emerges when combined with CVE-2025-59230 or other RasMan vulnerabilities. In some exploitation chains, successful privilege escalation is only possible when RasMan is not actively running. The new bug effectively gives an attacker the ability to force RasMan into a stopped or faulted state on demand, making it easier to exploit other weaknesses and potentially achieve code execution with SYSTEM privileges.

Technical Root Cause: Null Pointer Dereference in Cyclic Linked Lists

The underlying cause of the vulnerability lies in RasMan’s handling of cyclic linked lists—a common in-memory data structure. Under specific conditions, the service encounters a null pointer and attempts to read data from an invalid memory address. This triggers an exception at the process level, resulting in an unhandled crash and termination of the RasMan service.

Null pointer dereference vulnerabilities are a classic class of memory safety issues. In some contexts they only lead to service instability or DoS. In others, if an attacker can influence the layout and contents of memory, similar coding flaws can evolve into full privilege escalation or remote code execution exploits. For the RasMan bug currently under discussion, only the DoS scenario has been demonstrated, but that is already sufficient to enable more reliable exploitation of other RasMan-related flaws.

Affected Windows Versions and Zero-Day Status

According to Acros Security’s analysis, the RasMan vulnerability affects a wide range of supported and legacy Windows versions, including:

— Client systems: Windows 7 through Windows 11
— Server systems: Windows Server 2008 R2 through Windows Server 2025

The issue has not yet been assigned an official CVE identifier, which is typical for zero-day vulnerabilities at an early disclosure stage. Microsoft has been notified and is working on an official fix that will be integrated into its regular security update cycle.

0patch Micropatch: Temporary Protection Before Microsoft’s Update

While waiting for a formal update from Microsoft, Acros Security has released free, unofficial micropatches via the 0patch platform. To use them, administrators must create a 0patch account and install the 0patch agent. The agent dynamically injects the micropatch into the affected process in memory, typically without requiring a system reboot.

Microsoft has acknowledged the underlying problem and indicated that systems with the latest October Windows security updates are already protected against exploitation paths related specifically to privilege escalation. However, until an official fix is issued, the DoS aspect of the RasMan vulnerability remains exploitable, making the 0patch solution a relevant short-term mitigation, especially in environments with heavy VPN and remote access usage.

Security Recommendations for Windows Administrators

Organizations and advanced users should evaluate whether to deploy the 0patch RasMan micropatch, particularly on systems that play a critical role in remote access, VPN concentrators, or administrative jump hosts. As with any third-party patch, it is advisable to perform testing in a staging or pilot environment before broad rollout.

In addition, the following measures can help reduce risk while awaiting Microsoft’s official fix:

  • Restrict local access: Limit interactive logon and local user access to servers and high-value workstations to reduce opportunities for local exploitation.
  • Enhance monitoring: Closely monitor logs and alerts related to RasMan service failures, crashes, or repeated restarts, which may indicate attempted exploitation or reconnaissance.
  • Stay fully patched: Ensure that all current cumulative Windows security updates—including the latest October releases—are deployed across supported systems.
  • Harden remote access: Apply strong authentication for VPNs (such as MFA), restrict access based on role and network segment, and regularly review remote access policies.
  • Prepare incident response: Include service crashes in core components like RasMan in incident triage procedures so potential exploitation is investigated rather than dismissed as a mere stability issue.
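
As an added example (not part of the article, nor 0patch or Microsoft tooling), the following PowerShell collects the Windows event log entries that the monitoring recommendation above refers to and flags a burst of RasMan crashes. It assumes Service Control Manager event IDs 7031/7034 for unexpected service termination and Application Error event ID 1000, and it assumes that a crash of the shared svchost.exe host is reported under the faulting name svchost.exe_RasMan.

```powershell
# Added example: surface RasMan crash evidence from the Windows event logs.
# Assumed event sources: System log, Service Control Manager, IDs 7031/7034
# ("service terminated unexpectedly"); Application log, Application Error,
# ID 1000. The svchost.exe_RasMan faulting name is an assumption.

function Get-RasManCrashEvents {
    param([int]$LookbackHours = 24)
    $since = (Get-Date).AddHours(-$LookbackHours)

    # SCM records an unexpected termination as 7031 (with recovery action) or 7034.
    # -ErrorAction SilentlyContinue suppresses the "No events were found" error.
    $scm = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031, 7034
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Remote Access Connection Manager' }

    # Windows Error Reporting logs the faulting process in the Application log.
    $wer = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'svchost\.exe_RasMan' }

    # Drop the $null produced by empty pipelines before merging and sorting.
    @($scm) + @($wer) | Where-Object { $null -ne $_ } | Sort-Object TimeCreated
}

function Test-RasManCrashBurst {
    param([int]$LookbackHours = 24, [int]$Threshold = 3)
    $events = @(Get-RasManCrashEvents -LookbackHours $LookbackHours)
    # A repeatedly crashing or stopped RasMan is what the chained scenario needs.
    $state = (Get-Service -Name RasMan -ErrorAction SilentlyContinue).Status
    [pscustomobject]@{
        Crashes      = $events.Count
        FirstSeen    = ($events | Select-Object -First 1).TimeCreated
        LastSeen     = ($events | Select-Object -Last 1).TimeCreated
        CurrentState = $state
        Suspicious   = ($events.Count -ge $Threshold)
    }
}

# Run as an administrator so the System and Application logs are readable.
Test-RasManCrashBurst -LookbackHours 24 -Threshold 3 | Format-List
```

A result with Suspicious set to True, or a CurrentState other than Running on a host that relies on VPN, is the trigger for the incident-triage step above rather than a routine service restart.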

New vulnerabilities in foundational Windows services such as RasMan underscore the importance of a layered, proactive security strategy: timely patching, continuous monitoring, least-privilege access, and the readiness to deploy interim protections like micropatches when appropriate. Organizations that closely track vendor advisories and independent research are better positioned to react quickly, limit attackers’ options, and maintain the resilience of their remote access infrastructure.
