New Windows RasMan zero-day flaw gets free, unofficial patches

Free unofficial patches are now available for a newly identified Windows zero-day vulnerability that lets attackers crash the Remote Access Connection Manager (RasMan) service. RasMan is a built-in Windows service that starts automatically, runs in the background with SYSTEM-level privileges, and manages VPN, Point-to-Point Protocol over Ethernet (PPPoE), and other remote network connections.

Details of the Vulnerability

ACROS Security, the organization behind the 0patch micropatching platform, uncovered this denial-of-service (DoS) flaw while investigating CVE-2025-59230, a previously patched privilege escalation vulnerability in RasMan. The new DoS zero-day has yet to receive a CVE ID and remains unaddressed across all Windows versions, from Windows 7 to Windows 11, including Windows Server 2008 R2 through Server 2025.

Researchers discovered that when this new flaw is combined with CVE-2025-59230 or similar elevation-of-privilege vulnerabilities, it allows attackers to execute code by impersonating the RasMan service—albeit only when RasMan is not actively running. The new flaw supplies the missing piece: it lets threat actors crash the service at will, reopening a privilege escalation avenue that Microsoft believed it had closed.

Unprivileged users can trigger this zero-day because of a coding error in how RasMan walks circular linked lists. When the service encounters a null pointer during list traversal, it reads memory through that pointer instead of exiting the loop, and the service crashes.
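The bug class the article describes, as a constructed C illustration added here (it is not RasMan's code and the `entry_t` ring, `ring_build`, `ring_break` and the two traversal routines are all assumptions made for the example): a circular-list walk whose only exit condition is "arrived back at head" will dereference a null link if the ring is ever broken, while the checked version exits on null and bounds the walk.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example: a circular singly linked list of connection
 * entries. This is not RasMan's real data structure; it only models
 * the traversal mistake the article describes. */
typedef struct entry {
    int id;
    struct entry *next;
} entry_t;

/* Build a ring of n entries with ids 1..n; the last entry points back
 * to the head so the list has no natural NULL terminator. */
entry_t *ring_build(int n) {
    entry_t *head = NULL, *tail = NULL;
    for (int i = 1; i <= n; i++) {
        entry_t *e = calloc(1, sizeof *e);
        if (!e) exit(EXIT_FAILURE);  /* allocation failure: abort the demo */
        e->id = i;
        if (!head) head = e; else tail->next = e;
        tail = e;
    }
    if (tail) tail->next = head;
    return head;
}

/* Simulate corruption: sever the back-link of the last entry so the
 * "ring" now ends in a NULL pointer. */
void ring_break(entry_t *head) {
    if (!head) return;
    entry_t *cur = head;
    while (cur->next && cur->next != head) cur = cur->next;
    cur->next = NULL;
}

/* Free every entry of an intact ring or of a ring ending in NULL. */
void ring_free(entry_t *head) {
    entry_t *cur = head;
    while (cur) {
        entry_t *next = cur->next;
        free(cur);
        if (next == head) break;   /* wrapped around: all entries freed */
        cur = next;
    }
}

/* Defective traversal (the pattern behind the crash): it assumes the
 * ring is intact, so the only exit is reaching head again. If any
 * entry's next is NULL, the next iteration reads cur->next through a
 * null pointer and the process dies. In a SYSTEM service that is a
 * denial of service reachable by whoever can corrupt or race the list. */
int ring_count_naive(const entry_t *head) {
    if (!head) return 0;
    const entry_t *cur = head;
    int count = 0;
    do {
        count++;
        cur = cur->next;   /* no NULL check before the loop test */
    } while (cur != head);
    return count;
}

/* Hardened traversal: exits on NULL as well as on wrap-around, and
 * bounds the walk so a ring that cycles without ever reaching head
 * cannot spin forever. Returns the number of entries visited and sets
 * *broken when the list was found inconsistent, so the caller can log
 * the condition and fail the request instead of the whole service. */
int ring_count_checked(const entry_t *head, int max_nodes, int *broken) {
    *broken = 0;
    if (!head) return 0;
    const entry_t *cur = head;
    int count = 0;
    do {
        count++;
        cur = cur->next;
        if (cur == NULL || count >= max_nodes) {
            *broken = 1;
            return count;
        }
    } while (cur != head);
    return count;
}

int main(void) {
    entry_t *ring = ring_build(3);
    int broken = 0;
    printf("intact ring: naive=%d checked=%d\n",
           ring_count_naive(ring), ring_count_checked(ring, 16, &broken));
    ring_break(ring);
    /* ring_count_naive(ring) would now crash; the checked walk reports it. */
    printf("broken ring: checked=%d broken=%d\n",
           ring_count_checked(ring, 16, &broken), broken);
    ring_free(ring);
    return 0;
}
```

The detection-side takeaway is the same one the 0patch fix targets: a list walk that can be entered by an unprivileged caller must treat a null link as "list inconsistent, bail out" rather than as an unreachable state, because in a SYSTEM service the difference is a logged error versus a service-wide crash.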

In response to this vulnerability, ACROS Security is offering free, unofficial security patches for the RasMan zero-day through its 0patch micropatching service. These patches are available for all affected Windows versions until Microsoft issues an official fix.

To apply the micropatch on a device, users must create an account and install the 0patch agent. Once activated, the agent applies the micropatch automatically, without requiring a restart, unless a custom patching policy restricts it.

Mitja Kolsek, CEO of ACROS Security, stated, “We alerted Microsoft about this issue; they will likely provide an official patch for still-supported Windows versions in one of future Windows updates. As always, we included these 0day patches in our FREE plan until the original vendor has provided their official patch.”

A Microsoft spokesperson was not immediately available for comment when approached by BleepingComputer earlier today.
