# CVE-2025-59230

rasman.sys -- Remote Access Connection Manager elevation of privilege, exploited in the wild
> **Exploited in the Wild.** Actively exploited zero-day. Patched October 2025. Added to CISA KEV.
## Summary
| Field | Value |
|---|---|
| Driver | rasman.sys (Remote Access Connection Manager) |
| Vulnerability Class | Elevation of Privilege |
| CVSS | 7.8 |
| Exploited ITW | Yes |
| Patch Date | October 14, 2025 |
## Root Cause
CVE-2025-59230 was one of the actively exploited zero-days addressed in Microsoft's October 2025 Patch Tuesday. The Remote Access Connection Manager service driver handles RAS (Remote Access Service) connection establishment, VPN configuration, and dial-up networking on Windows systems.
The exact root cause has not been publicly detailed beyond Microsoft's advisory. What is known is that the driver mishandles input during RAS connection processing in a way that allows a local attacker to escalate to SYSTEM. The vulnerability was discovered through active exploitation, meaning threat actors had a working exploit before a patch was available.
RAS connection handling involves parsing connection parameters, managing authentication state, and coordinating with network interfaces. The service runs with SYSTEM privileges to perform these operations, making any input validation flaw in the connection handling path a potential SYSTEM escalation vector.
CISA added CVE-2025-59230 to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch within the prescribed timeline.
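Because the advisory gives no indicators beyond "patch it", the practical first step for a defender is to verify the patch state of every host and confirm whether the service is even needed there. The following PowerShell triage script is an added example written for this page; it is not Microsoft tooling and not part of the original write-up. It assumes `RasMan` is the Windows service name for Remote Access Connection Manager (it is), locates `rasman.*` binaries under `System32` by search rather than assuming a path, and uses a clearly marked placeholder for the October 2025 cumulative-update KB number, which this page does not state and which differs per OS build.

```powershell
# Added defender triage script (not from the advisory or the original page).
# Assumptions, labelled:
#   - 'RasMan' is the service name for Remote Access Connection Manager.
#   - $PatchKB is a PLACEHOLDER: look up the October 2025 cumulative update KB
#     for your OS build in the Microsoft advisory for CVE-2025-59230.
#   - rasman.* binaries are found by searching System32, not by a fixed path.

$PatchKB = 'KBXXXXXXX'   # placeholder, replace before use

function Get-RasManStatus {
    # Service state and start type: tells you whether the vulnerable code path is live.
    $svc = Get-Service -Name 'RasMan' -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    [pscustomobject]@{
        Name      = $svc.Name
        Status    = $svc.Status
        StartType = $svc.StartType
    }
}

function Get-RasManBinaries {
    # File versions of any rasman.* under System32 (service DLL and/or driver),
    # for comparison against the file versions shipped in the October 2025 update.
    Get-ChildItem -Path "$env:SystemRoot\System32" -Recurse -Filter 'rasman.*' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $_.VersionInfo.FileVersion
                LastWrite   = $_.LastWriteTimeUtc
            }
        }
}

function Test-PatchInstalled {
    param([string]$KB)
    if ($KB -eq 'KBXXXXXXX') {
        Write-Warning 'Set $PatchKB to the real KB number before trusting this result.'
        return $false
    }
    $hf = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $KB }
    return [bool]$hf
}

function Get-OsBuild {
    # Build number plus update build revision (UBR), which identifies the installed cumulative update.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    "$($cv.CurrentBuildNumber).$($cv.UBR)"
}

# --- Report ---
Write-Host "OS build: $(Get-OsBuild)"
$svc = Get-RasManStatus
if ($svc) { $svc | Format-Table -AutoSize } else { Write-Host 'RasMan service not found on this host.' }
Get-RasManBinaries | Format-Table -AutoSize
if (Test-PatchInstalled -KB $PatchKB) {
    Write-Host "Patch $PatchKB is installed."
} else {
    Write-Host "Patch $PatchKB NOT found. Compare the file versions above with the October 2025 update and prioritise this host."
}
```

Run it from an elevated prompt so `Get-HotFix` and the registry read succeed; on a fleet, feed the per-host output into your inventory rather than eyeballing it. The build number plus UBR is the more reliable patch indicator, since `Get-HotFix` only lists updates recorded by Windows Update and can miss those applied by other means. On hosts that have no use for RAS or VPN, the reported start type is also worth reviewing as a hardening decision, independent of this CVE.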
## Exploitation
The in-the-wild exploitation details have not been fully disclosed. Based on what is publicly known, a local attacker triggers the vulnerability through crafted RAS connection operations. The specific operations exploit the validation gap in the connection handling path to achieve SYSTEM-level privilege escalation.
The fact that this was an actively exploited zero-day means that working exploit code exists in threat actor toolkits. The exploitation was observed in targeted attacks, though the specific threat actors and campaigns have not been publicly attributed.
### Exploitation Primitive

```text
Crafted RAS connection operation -> validation flaw in rasman.sys
-> privilege escalation -> SYSTEM
```
## Broader Significance

Zero-days in the Remote Access Connection Manager service are unusual. RAS is a legacy Windows service that predates modern VPN solutions, but it remains present and running on all Windows systems for backward compatibility. That threat actors invested in weaponizing a vulnerability in this relatively obscure service suggests either opportunistic discovery or deliberate targeting of under-scrutinized attack surface. For defenders, this is a reminder that legacy services that ship enabled by default are attractive targets precisely because they receive less security research attention than high-profile components like Win32K or CLFS.