Critical Windows Vulnerability CVE-2025-59230 Exposed

Redazione RHC : 15 December 2025 10:34

Windows services dedicated to remote connections have always been an inexhaustible source of “satisfaction” for those involved in cybersecurity, revealing vulnerabilities of enormous impact. Among the most famous examples is EternalBlue, discovered and kept secret for five years by the NSA, before being stolen by the Shadow Brokers group and used in the global WannaCry outbreak in 2017, which infected millions of computers and caused extensive damage to public institutions and private companies.

Another emblematic case was BlueKeep, a vulnerability in the Windows RDP service that allowed unauthenticated remote code execution on unpatched systems. These incidents demonstrate how remote connection management services can quickly become fertile ground for critical exploits, highlighting the strategic role of these components in the overall security of Windows systems.

An extremely serious security flaw exists in the Windows Remote Access Connection Manager (RasMan) service that allows attackers with local access to execute code of their choosing with system administrator rights.

While investigating the CVE-2025-59230 vulnerability, which Microsoft addressed in the October 2025 security updates, 0patch security specialists identified a complex set of exploits that rely on a secondary, previously unknown zero-day flaw to operate effectively.

The primary vulnerability, CVE-2025-59230, affects how the RasMan service handles RPC endpoints. Upon startup, the service registers a specific endpoint that other privileged services trust. 0patch researchers discovered that if RasMan is not running, an attacker can register this endpoint first. Once privileged services attempt to connect, they unknowingly communicate with the attacker’s process, allowing malicious commands to be executed.

However, exploiting this race condition is difficult because RasMan typically starts automatically at system startup, leaving attackers no window of opportunity to register the endpoint first. To circumvent this limitation, the discovered exploit relies on a second, unpatched vulnerability. This zero-day flaw allows an unprivileged user to intentionally crash the RasMan service.

The crash is caused by a logic error in the code related to a circular linked list. The service attempts to traverse the list but fails to handle NULL pointers correctly, resulting in a memory access violation.
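The bug class described above, shown as an added example that is not RasMan's, Microsoft's or 0patch's code: a traversal that trusts the "ring never contains NULL" invariant next to one that validates each link and bounds the walk. The node type, function names and `RING_MAX` limit are hypothetical, and the sample ring is constructed.

```c
#include <stddef.h>
/* Hypothetical node type for illustration; not RasMan's actual structure. */
struct node { int id; struct node *next; };  /* next is never NULL in an intact ring */
#define RING_BROKEN (-1)
#define RING_MAX 1024   /* assumed upper bound on legitimate entries */

/* Before: trusts the ring invariant; a NULL next pointer faults on the next pass. */
int ring_len_unchecked(const struct node *head)
{
    int len = 0;
    const struct node *cur = head;
    do {
        len++;
        cur = cur->next;          /* may become NULL if the ring is damaged */
    } while (cur != head);        /* NULL != head, so the loop dereferences NULL */
    return len;
}

/* After: checks every link and bounds the walk; returns node count or RING_BROKEN. */
int ring_len_checked(const struct node *head)
{
    int len = 0;
    const struct node *cur = head;
    if (head == NULL)
        return RING_BROKEN;
    do {
        cur = cur->next;
        if (cur == NULL || ++len > RING_MAX)   /* cut link, or cycle that skips head */
            return RING_BROKEN;
    } while (cur != head);
    return len;
}

/* Constructed sample data: a 3-node ring, optionally with its closing link cut. */
void build_ring(struct node n[3], int cut_last_link)
{
    for (int i = 0; i < 3; i++) {
        n[i].id = i + 1;
        n[i].next = &n[(i + 1) % 3];
    }
    n[2].next = cut_last_link ? NULL : &n[0];
}

int main(void)
{
    struct node n[3];
    build_ring(n, 1);             /* damaged ring is rejected instead of walked */
    return ring_len_checked(n) == RING_BROKEN ? 0 : 1;
}
```

In a long-running service the checked form turns a process-ending access violation into an error return the caller can log and handle.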

By crashing the service, attackers can force it to stop and release the RPC endpoint, and then activate the CVE-2025-59230 exploit chain to gain access to the system. Microsoft has released official patches for the elevation of privilege vulnerability (CVE-2025-59230). However, the service crash vulnerability used to facilitate the attack had not yet been patched through official channels at the time of its discovery.

0patch has released micropatches to address this crash issue on supported platforms, including Windows 11 and Server 2025. Administrators are advised to immediately apply the October 2025 Windows Updates to mitigate the risk of root privilege escalation.
