CVE-2025-59230 Actively Exploited Vulnerability Patched, But Risk Remains
The CVE-2025-59230 vulnerability, which was fixed as part of Microsoft‘s October 2025 Patch Tuesday update, was a 0-day vulnerability discovered and actively exploited in the Remote Access Connection Manager (RasMan) component of Windows.
The vulnerability was due to a local privilege escalation (EoP) flaw that allowed attackers to gain “SYSTEM” level privileges from a low-privilege user account.
Microsoft has released a patch to close this vulnerability; however, systems that have not been patched are still at serious risk.
Technical Details
| CVE ID | CVE-2025-59230 |
| Component | Remote Access Connection Manager (RasMan) |
| Vulnerability Type | Improper Access Control → Local Privilege Escalation |
| CVSS Score | 7.8 (High) |
| Exploit Status | Confirmed active exploitation |
| Patch Status | Released by Microsoft on October 14, 2025 |
This vulnerability stems from the incorrect implementation of access control mechanisms within the RasMan service. After logging in to the system with a user account that already has limited privileges, an attacker can manipulate the RasMan process with specially crafted commands to run processes with SYSTEM privileges.
Importance for Threat Actors
Such local privilege escalation vulnerabilities facilitate the most critical step for attackers after initial access — strengthening persistence and lateral movement.
For ransomware groups, vulnerabilities like CVE-2025-59230 are highly valuable. Access gained with low privileges can be upgraded to “full privileges” within seconds. This shortens the attack chain and initiates the encryption process much faster.
For state-sponsored threat actors (APT groups), this vulnerability is used for persistence and data exfiltration to achieve more insidious goals.
CISA added this vulnerability to its “Known Exploited Vulnerabilities (KEV)” list, warning that systems in the defense, energy, and public sectors could be targeted.
MITRE ATT&CK TTP Mapping
| Procedure | Tactic | Technic |
| Privilege Escalation | Exploitation for Privilege Escalation | T1068 |
| Defense Evasion | Abuse Elevation Control Mechanism | T1548 |
| Persistence | Create or Modify System Process | T1543 |
| Lateral Movement | Pass the Hash / Remote Service Execution | T1075 / T1021 |
Attack Chain (Possible Scenario)
- Initial Access: Foothold is gained on the system through phishing, RDP brute-force, or exploiting weak passwords.
- EoP Exploitation: User privileges are increased to SYSTEM level using RasMan 0-day.
- Persistence: The attacker creates new services or scheduled tasks on the system.
- Lateral Movement: Using the obtained credentials, the attacker moves to other systems within the network.
- Impact: Encryption by ransomware, data leakage or disruption of critical services.
Exploit Chain Diagram Sample
Impact Assessment
This vulnerability is significant because an attacker can quickly bypass defenses once they gain access.
If a local user account can be granted SYSTEM privileges, antivirus, EDR, or access restrictions may no longer be sufficient to stop the attacker. This makes CVE-2025-59230 one of the most critical steps in the attack chain.
Detection and Hunting Suggestions
1- Search the system logs for:
Event ID 7036 or 7045 (Service start/stop).
Event ID 1 (Process Create) Suspicious commands starting directly from the rasman.exe process.
2- If you are using Sysmon:
Unusual DLL loads in the RasMan process under Event ID 7 (Image Load).
3- EDR/SIEM rule recommendation:
ProcessCreate
| where ParentProcessName != "services.exe"
| where Image contains "rasman.exe"
| where CommandLine contains ("schtasks" or "reg add")
Suggested Mitigations
- Apply the patch now.
Microsoft’s October 14, 2025 security update closes this vulnerability. - Temporarily disable the RasMan service (if not used in your environment):
sc stop rasman
sc config rasman start=disabled - Retro-Hunt:
Scan for unusual activity in the RasMan service by checking the last 30 days of logs and EDR data. - Strengthen authorization management:
Restrict local administrator accounts.
Mandate the use of LAPS and MFA. - User awareness:
Share a quick announcement to raise awareness of phishing campaigns.
With its history of exploitation, CVE-2025-59230 appears poised to become one of the most critical Windows vulnerabilities of 2025. While the patch released by Microsoft mitigates the risk, the threat remains unless patched.
