A Microsoft zero-day vulnerability that allows an unprivileged user to crash the Windows Remote Access Connection Manager (RasMan) service now has a free, unofficial patch – with no word as to when Redmond plans to release an official one – along with a working exploit circulating online.

Researchers from 0patch, the micropatching site, uncovered the denial-of-service (DoS) bug while investigating CVE-2025-59230, a Windows RasMan privilege escalation vulnerability that Redmond fixed in October, but not before attackers found and exploited the vulnerability.

RasMan is a critical Windows service that manages VPN and other remote network connections, and CVE-2025-59230 allows an authorized attacker to elevate privileges locally and gain SYSTEM privileges. It essentially takes advantage of the fact that when RasMan is not running, any process can impersonate RasMan and execute code on an RPC endpoint – a condition the exploit depends on.

The exploit is freely downloadable, so one can assume it has been and will be obtained by many interested parties, possibly including malicious actors.

“Consequently, a working exploit must therefore be able to (also) stop the RasMan service to release said RPC endpoint,” ACROS Security CEO and 0patch co-founder Mitja Kolsek said in a Friday blog. “And this was the second, non-obvious vulnerability that the CVE-2025-59230 exploit we had found utilizes: one that allows an unprivileged user to crash the RasMan service. Without this capability, CVE-2025-59230 could hardly be exploited.” 
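Because the exploit has to crash RasMan first, an unexpected termination of that service is something defenders can look for. The following PowerShell is an added example, not code from 0patch or Microsoft: it pulls Service Control Manager events 7031 and 7034 (service terminated unexpectedly) for RasMan from the System log and reports the service's current state. The English display name and the 30-day look-back window are assumptions.

```powershell
# Added example: list unexpected terminations of the RasMan service.
$displayName  = 'Remote Access Connection Manager'  # assumption: English-language Windows
$lookbackDays = 30                                   # assumption: arbitrary look-back window

# Service Control Manager logs 7031/7034 when a service terminates unexpectedly.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031, 7034
    StartTime    = (Get-Date).AddDays(-$lookbackDays)
}

# Keep only events whose message names RasMan; @() guarantees an array
# even when nothing matches (Get-WinEvent errors on "no events found").
$crashes = @(
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$displayName*" } |
        Sort-Object TimeCreated
)

# Show each crash so it can be lined up with other telemetry from the same minute.
$crashes | Format-List TimeCreated, Id, Message | Out-Host

# The condition described above is "RasMan not running", so report state as well.
$svc = Get-Service -Name RasMan
[pscustomobject]@{
    Host          = $env:COMPUTERNAME
    CrashCount    = $crashes.Count
    LastCrash     = if ($crashes.Count) { $crashes[-1].TimeCreated } else { $null }
    ServiceStatus = $svc.Status
    StartType     = $svc.StartType
}
```

A RasMan crash on its own is not proof of exploitation, since services also terminate for unrelated reasons; treat a hit as a prompt to review what ran on the host around that time.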

This new vulnerability hasn’t yet been assigned a CVE and remains unpatched across all Windows versions. While Kolsek said he alerted the Windows giant about the security hole, “we have no feedback on patching from Microsoft,” he told The Register.

We also reached out to Microsoft about assigning a CVE and issuing a patch and didn’t receive a response.

Kolsek told us that, while his company has no evidence of this zero-day being exploited in the wild, “we did find a working exploit on
