Microsoft RasMan DoS 0-day gets unofficial patch – and a working exploit
Summary
A newly discovered zero-day lets an unprivileged user crash the Windows Remote Access Connection Manager (RasMan) service, a condition used by a separate privilege-escalation exploit (CVE-2025-59230). Researchers at 0patch identified the denial-of-service bug while analysing the earlier RasMan privilege escalation and released a free, unofficial micropatch. The flaw stems from incorrect handling of circular linked lists that leads to a null-pointer memory access and a service crash. A working exploit for the DoS is circulating online and—according to 0patch—has not been detected by malware engines. Microsoft has been notified but has not yet issued an official patch or assigned a CVE for this new issue.
Key Points
- 0patch released a free unofficial micropatch to stop an exploit that can crash the RasMan service.
- The DoS bug is used in the wild alongside CVE-2025-59230 to enable local privilege escalation to SYSTEM.
- RasMan manages VPN and remote network connections; crashing it exposes systems to local attack chains.
- The root cause is faulty traversal of circular linked lists leading to a null-pointer memory access and service crash.
- A working exploit is publicly available and reportedly undetected by malware detection engines, increasing risk of abuse.
- Microsoft has been informed but has not published an official patch or provided feedback on CVE assignment for this specific DoS vulnerability.
- 0patch’s micropatch is available via a free trial on 0patch Central while awaiting an official vendor fix.
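The bug class named in the Summary and Key Points (a traversal that assumes a circular linked list and then accesses memory through a null pointer) is shown below as an added example; it is not RasMan's code and not part of the original article. The `node` type, the function names and the three-node list are hypothetical and constructed for illustration.

```c
#include <stddef.h>

/* Hypothetical node type for illustration; not taken from RasMan. */
struct node {
    int id;
    struct node *next;   /* never NULL while the list is truly circular */
};

/* Fragile: trusts the circular invariant. A NULL link is dereferenced on
 * the next iteration, crashing the process that hosts this code. */
int find_fragile(const struct node *head, int id)
{
    const struct node *n = head;
    do {
        if (n->id == id)
            return 1;
        n = n->next;
    } while (n != head);
    return 0;
}

/* Hardened: 1 = found, 0 = not found, -1 = list is corrupt
 * (NULL link, or more than max_nodes hops without returning to head). */
int find_checked(const struct node *head, int id, size_t max_nodes)
{
    const struct node *n = head;
    size_t hops = 0;
    if (head == NULL)
        return 0;
    do {
        if (n->id == id)
            return 1;
        n = n->next;
        if (n == NULL || ++hops > max_nodes)
            return -1;
    } while (n != head);
    return 0;
}

/* Constructed three-node list (ids 1, 2, 3); broken != 0 severs the ring. */
int demo(int broken, int id)
{
    struct node c = {3, NULL}, b = {2, &c}, a = {1, &b};
    if (!broken)
        c.next = &a;
    return find_checked(&a, id, 8);
}
```

The checked version turns a broken ring into an error return instead of a crash, which is the difference between a failed lookup and a terminated service.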
Why should I read this?
Short version: if you run Windows with VPNs or remote-access services, this matters. There’s a freely downloadable exploit that helps turn a crash into a full local escalation, and AVs might not spot it. The unofficial fix from 0patch is a quick stop-gap — read this so you know whether to patch, monitor, or isolate affected hosts right now.
Context and Relevance
This story sits at the intersection of two worrying trends: exploit code being published quickly and defensive tooling lagging behind vendor patches. RasMan is a core service for VPN/remote connectivity on many endpoints and servers; a DoS that aids privilege escalation raises immediate red flags for incident responders and system administrators. Organisations with remote-access infrastructure should weigh the trade-offs of applying a vendor-independent micropatch, hardening local privilege boundaries, and monitoring for suspicious processes that might stop RasMan and trigger the exploit chain.
Author’s note
Punchy take: this isn’t just another obscure crash — it’s the missing piece that makes an elevation exploit practical. If you’re responsible for endpoint or VPN security, treat this as urgent: test the 0patch fix if you can’t wait for Microsoft, and hunt for signs of the exploit being used in your environment.
