During our investigation of CVE-2025-59230, a Windows Remote Access Connection Manager elevation of privilege vulnerability that was patched by Microsoft with October 2025 Windows updates, we found an exploit for it that nicely demonstrated local arbitrary code execution as Local System when launched as a non-admin Windows user.
Interestingly though, this exploit - while exploiting CVE-2025-59230 - also included an exploit for another vulnerability that turned out to have remained unpatched to this day. Let's take a closer look.
CVE-2025-59230 is a fairly simple vulnerability, conceptually similar to CVE-2025-49760, which we had recently patched. Upon startup, the Remote Access Connection Manager ("RasMan") service registers an RPC endpoint that other services subsequently connect to and trust. The vulnerability lies in the fact that when RasMan is not running, any process - even an attacker's unprivileged exploit - can register the same RPC endpoint and have privileged services connect to it and trust its responses. This trust can be abused to instruct a connecting service to execute the attacker's code.
So much for CVE-2025-59230. But you probably noticed the "when RasMan is not running" part: the RasMan service usually gets started automatically upon Windows startup (even though it may be configured as "manual" on Windows 11), and even a scheduled task created by a local attacker would not be quick enough to find it in a "not running" state and beat it to registering the RPC endpoint.
Consequently, a working exploit must (also) be able to stop the RasMan service to release said RPC endpoint. And this is the second, non-obvious vulnerability that the CVE-2025-59230 exploit we found utilizes: one that allows an unprivileged user to crash the RasMan service. Without this capability, CVE-2025-59230 could hardly be exploited.
We alerted Microsoft about this issue; they will likely provide an official patch for still-supported Windows versions in one of the future Windows updates.
The Vulnerability
We traced the vulnerability to flawed coding logic, whereby a circular linked list is traversed in a loop, and the loop is exited when the current element of the list points back to the first element, meaning that the entire list has been traversed. Inside the loop, the pointer to the current element is compared with NULL - which is a reasonable sanity check. If the pointer is not NULL, a value is read from the current element, and depending on that value the loop may also be exited. But if the pointer is NULL...
... the loop is not exited - rather, execution continues by reading the pointer to the next list element through this NULL pointer. This causes a memory access violation and crashes the RasMan service.
Let's look at the vulnerable code on the latest Windows 11 version. The image below shows the code traversing the linked list, including a flawed sanity check.
To be fair, it's easy to imagine how this error was made: when expecting a circular linked list, this function could - justifiably - rely on whoever built the list to have done it properly, guaranteeing that each element points to an actual next element, not NULL. The programmer here was extra cautious and decided to add a check for a NULL pointer. However, this check could probably never have been tested for correctness, because in test cases all linked lists were valid and contained no elements pointing to NULL.
What the check should have done is exit the loop if a NULL were encountered.
Our Patch
Our patch does exactly that. As shown on the image below, our patch (code added in blue and green code blocks) injects another check for a NULL pointer that exits the loop.
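The following is an added C illustration of the traversal bug described above and of the check the patch injects; it is not RasMan's code or 0patch's patch. The node layout (an `id` field and a `next` link), the search key, and the function names are assumptions, since the real structure is not shown in the post:

```c
/* Added illustration of the traversal bug above; node layout and key are assumptions. */
#include <stdio.h>
typedef struct entry {
    unsigned int  id;     /* assumed: the value the loop inspects */
    struct entry *next;   /* assumed: forward link of the circular list */
} entry_t;

/* Vulnerable walk: the NULL check guards only the value read, not the
 * following "cur = cur->next", so a NULL element is still dereferenced. */
const entry_t *find_entry_vulnerable(const entry_t *head, unsigned int id)
{
    const entry_t *cur = head;
    do {
        if (cur != NULL && cur->id == id)   /* sanity check stops here */
            return cur;
        cur = cur->next;                     /* BUG: faults when cur == NULL */
    } while (cur != head);
    return NULL;
}

/* Patched walk: a NULL element ends the loop, the check the micropatch adds. */
const entry_t *find_entry_patched(const entry_t *head, unsigned int id)
{
    const entry_t *cur = head;
    do {
        if (cur == NULL) break;              /* added check: leave the loop */
        if (cur->id == id) return cur;
        cur = cur->next;
    } while (cur != head);
    return NULL;
}

/* Constructed well-formed ring a->b->c->a: both walks find id 3. */
int ring_lookup_found(void)
{
    entry_t c = { 3, NULL }, b = { 2, &c }, a = { 1, &b };
    c.next = &a;
    return find_entry_vulnerable(&a, 3) == &c && find_entry_patched(&a, 3) == &c;
}
/* Constructed broken list y->z->NULL: the patched walk reports "not found";
 * the vulnerable walk would dereference NULL on the same input. */
int broken_list_survives(void)
{
    entry_t z = { 2, NULL }, y = { 1, &z };
    return find_entry_patched(&y, 9) == NULL;
}
int main(void)
{
    printf("ring %d broken %d\n", ring_lookup_found(), broken_list_survives());
    return 0;
}
```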
Let's see the vulnerability and our patch in action. In the video you can see that with 0patch disabled, the exploit is able to crash the RasMan service, and with 0patch enabled, the crash does not occur. (Errata: the video highlights the "Remote Access Auto Connection Manager" instead of the "Remote Access Connection Manager".)
Micropatch Availability
Micropatches were written for the following security-adopted as well as still-supported Windows versions:
- Windows 11 v25H2 - fully updated
- Windows 11 v24H2 - fully updated
- Windows 11 v23H2 - fully updated
- Windows 11 v22H2 - fully updated
- Windows 11 v21H2 - fully updated
- Windows 10 v22H2 - fully updated
- Windows 10 v21H2 - fully updated
- Windows 10 v21H1 - fully updated
- Windows 10 v20H2 - fully updated
- Windows 10 v2004 - fully updated
- Windows 10 v1909 - fully updated
- Windows 10 v1809 - fully updated
- Windows 10 v1803 - fully updated
- Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
- Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
- Windows Server 2012 - fully updated with no ESU or ESU 1
- Windows Server 2012 R2 - fully updated with no ESU or ESU 1
- Windows Server 2016 - fully updated
- Windows Server 2019 - fully updated
- Windows Server 2022 - fully updated
- Windows Server 2025 - fully updated
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in FREE, PRO or Enterprise accounts (unless Enterprise group settings prevented that).
As always, we included these 0day patches in our FREE plan until the original vendor has provided their official patch.
Note that about 40% of our customers are using 0patch on still-supported Windows versions like Windows 11 25H2 and Server 2025 as an additional defense against 0days.
Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.
If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.
Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support last October, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.
To learn more about 0patch, please visit our Help Center.