Full Report
Exploit hasn't been picked up by any malware detection engines, CEO tells The Reg

A Microsoft zero-day vulnerability that allows an unprivileged user to crash the Windows Remote Access Connection Manager (RasMan) service now has a free, unofficial patch - with no word as to when Redmond plans to release an official one - along with a working exploit circulating online.…
Analysis Summary
# Vulnerability: Windows RasMan Denial of Service (DoS) Zero-Day
## CVE Details
- CVE ID: Not yet assigned (Reported in relation to CVE-2025-59230 activity)
- CVSS Score: Not publicly scored yet (DoS vulnerability)
- CWE: CWE-835 (Incorrect Loop Condition) or similar (Improper handling of circular linked lists)
## Affected Systems
- Products: Microsoft Windows operating systems
- Versions: All Windows versions (Implied, as the flaw is reported in an unpatched service)
- Configurations: Systems utilizing the Windows Remote Access Connection Manager (RasMan) service.
## Vulnerability Description
This is an unpatched zero-day vulnerability in the Windows Remote Access Connection Manager (RasMan) service. The flaw resides in how the service processes circular linked lists. Specifically, the service fails to correctly exit a traversal loop when a pointer is null, leading to an improper loop condition. This condition results in a memory access violation, causing the RasMan service to crash (Denial of Service). This crash is often exploited in tandem with CVE-2025-59230 (a privilege escalation vulnerability) to release an RPC endpoint, allowing the execution of the primary exploit chain.
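
The loop-exit flaw described above, sketched as an added C example; this is not code from RasMan, Microsoft or 0patch. All names (`struct node`, `sum_ring_flawed`, `sum_ring_checked`, `max_nodes`) are hypothetical, and the step cap in the hardened version goes beyond the page's description as extra hardening.

```c
#include <stddef.h>

/* Hypothetical node type; not a structure from the RasMan service. */
struct node {
    struct node *next;
    int value;
};

/* Flawed pattern: the NULL case is noticed, but the loop is not exited,
 * so the next statement dereferences NULL and the process faults. */
int sum_ring_flawed(const struct node *head)
{
    const struct node *cur = head;
    int total = 0, broken = 0;
    do {
        if (cur == NULL)
            broken = 1;          /* recorded, but traversal continues */
        total += cur->value;     /* access violation when cur is NULL */
        cur = cur->next;
    } while (cur != head);
    return broken ? -1 : total;
}

/* Hardened pattern: leave the loop as soon as a link is NULL, and cap the
 * number of steps so a list that never returns to head cannot spin. */
int sum_ring_checked(const struct node *head, size_t max_nodes, int *total)
{
    const struct node *cur = head;
    size_t steps = 0;
    *total = 0;
    do {
        if (cur == NULL || steps++ >= max_nodes)
            return -1;           /* malformed list: stop and report */
        *total += cur->value;
        cur = cur->next;
    } while (cur != head);
    return 0;
}

int main(void)
{
    /* Constructed sample: a -> b -> c, with c's link left NULL. */
    struct node c = { NULL, 3 }, b = { &c, 2 }, a = { &b, 1 };
    int total;
    return sum_ring_checked(&a, 16, &total) == -1 ? 0 : 1;
}
```

The checked version reports a malformed list to its caller instead of faulting, which is the difference between a handled error and a service crash.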
## Exploitation
- Status: PoC available (Working exploit circulating online)
- Complexity: Low (An unprivileged user can trigger the crash)
- Attack Vector: Local (Implied, as it allows an unprivileged user)
## Impact
- Confidentiality: Potential Indirect Impact (If used to facilitate a local escalation exploit)
- Integrity: Potential Indirect Impact (If used to facilitate a local escalation exploit)
- Availability: High (Guaranteed crash of the critical RasMan service)
## Remediation
### Patches
- Official Vendor Patch: None available at the time of reporting. Microsoft has not yet released a fix.
- Unofficial Patch: A free, unofficial micropatch is available from 0patch for immediate mitigation.
### Workarounds
- No explicit workarounds provided in the context, other than the application of the unofficial micropatch. Disabling the RasMan service might mitigate the immediate crash but would also break remote access functionality.
## Detection
- Status: Undetected by standard engines. A key observation is that the "working exploit... has not been detected as malicious by any malware detection engines."
- Detection methods and tools: Currently relies on monitoring unusual crashes or termination signals for the RasMan service, or utilizing the unofficial micropatch provider's monitoring capabilities.
## References
- Vendor advisories: None yet from Microsoft regarding this specific DoS flaw. (CVE-2025-59230 advisory may be relevant for context).
- Relevant links - defanged:
  - Security research blog detailing the flaw and patch: `blog[dot]0patch[dot]com/2025/12/free-micropatches-for-windows-remote[dot]html`