CVE-2025-59230

rasman.sys — Remote Access Connection Manager elevation of privilege

Exploited in the Wild

Actively exploited zero-day. Patched October 2025. Added to CISA KEV.

Summary

| Field | Value |
| --- | --- |
| Driver | rasman.sys (Remote Access Connection Manager) |
| Vulnerability Class | Elevation of Privilege |
| CVSS | 7.8 |
| Exploited ITW | Yes |
| Patch Date | October 14, 2025 |

Root Cause

The Remote Access Connection Manager service driver mishandles input during RAS connection handling, which lets a local attacker escalate to SYSTEM. The exact root cause has not been publicly detailed beyond Microsoft's advisory.

Exploitation

A local attacker triggers the vulnerability through crafted RAS connection operations. Successful exploitation yields SYSTEM-level privileges.

Exploitation Primitive

Crafted RAS connection operation → improper validation
  → privilege escalation → SYSTEM

References