
New Windows RasMan zero-day flaw gets free, unofficial patches

A new zero-day denial-of-service (DoS) vulnerability in the Windows Remote Access Connection Manager (RasMan) service has been disclosed, allowing unprivileged attackers to crash the service and potentially disrupt VPN, dial-up, and remote access connections on affected systems. This flaw was discovered by ACROS Security researchers while investigating a previously patched privilege escalation bug (CVE-2025-59230) in the same component.


Unlike CVE-2025-59230, which Microsoft addressed in its October 2025 Patch Tuesday updates, this DoS issue has no Microsoft patch and no CVE identifier yet. It affects both supported and end-of-life Windows versions:

•  Windows 7, 8, 8.1, 10, and 11

•  Windows Server 2008 R2 through Server 2025

The vulnerability stems from a logic error in how RasMan walks a circular linked list. When the traversal reaches a null pointer instead of arriving back at the list head, the loop does not terminate; the service dereferences the null pointer on the next step, triggering an access violation that crashes the RasMan process.
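To make that failure mode concrete, here is an added example in C. It is not code from the article, from ACROS Security/0patch or from Microsoft; RasMan's real data structures are not public, so the node layout, the function names and the two sample rings are assumptions for illustration. It walks a circular singly linked list once with the unguarded loop the article describes and once with a loop that treats a null link as corruption and bails out.

```c
/* Added illustration, not RasMan's actual code. The node layout, the
 * function names and the sample rings below are assumptions. */
#include <stddef.h>
#include <stdio.h>

struct node {
    int          id;
    struct node *next;   /* in a well-formed ring the last node points back to head */
};

/* Vulnerable pattern: the loop condition only tests "back at head".
 * If any node's next is NULL (a half-built or corrupted ring), cur
 * becomes NULL, "cur != head" is still true, and the next iteration
 * reads cur->next through a null pointer: an access violation that
 * kills the hosting process. Never call this on a broken ring. */
static int count_ring_unsafe(struct node *head)
{
    int n = 0;
    struct node *cur = head;
    if (head == NULL)
        return 0;
    do {
        n++;
        cur = cur->next;      /* no NULL check before the next dereference */
    } while (cur != head);
    return n;
}

/* Fixed pattern: a NULL link is an error, not something to follow, and
 * the walk is bounded so a ring that never returns to head cannot spin
 * forever either (the other classic circular-list failure). */
static int count_ring_safe(struct node *head, size_t max_nodes)
{
    int n = 0;
    struct node *cur = head;
    if (head == NULL)
        return 0;
    do {
        if (cur == NULL)
            return -1;        /* broken ring: report it instead of dereferencing */
        if ((size_t)n >= max_nodes)
            return -2;        /* implausibly long ring: treat as corrupt */
        n++;
        cur = cur->next;
    } while (cur != head);
    return n;
}

/* Constructed sample data: a healthy 3-node ring and a ring whose last
 * link was never closed (next == NULL). */
static struct node good[3], broken[3];

static void build_rings(void)
{
    for (int i = 0; i < 3; i++) {
        good[i].id = i;
        good[i].next = &good[(i + 1) % 3];
        broken[i].id = i;
        broken[i].next = (i < 2) ? &broken[i + 1] : NULL;
    }
}

static int demo_good_unsafe(void)  { build_rings(); return count_ring_unsafe(&good[0]); }
static int demo_good_safe(void)    { build_rings(); return count_ring_safe(&good[0], 64); }
static int demo_broken_safe(void)  { build_rings(); return count_ring_safe(&broken[0], 64); }

int main(void)
{
    printf("healthy ring, unguarded walk: %d nodes\n", demo_good_unsafe());
    printf("healthy ring, guarded walk:   %d nodes\n", demo_good_safe());
    printf("broken ring, guarded walk:    %d (-1 = NULL link detected)\n", demo_broken_safe());
    /* count_ring_unsafe(&broken[0]) would dereference NULL here and crash
     * the process, which is the RasMan failure the article describes. */
    return 0;
}
```

The unguarded walk is correct for every well-formed ring, which is why bugs of this shape survive testing: the crash only appears when a caller can get a list into the "never closed" state, and an unprivileged user reaching that state is exactly what turns a latent defect into a denial of service against a system service.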

Exploitation and Impact

•  Exploitation: An unprivileged local user can trigger the crash by sending RasMan a malformed request that pushes its linked-list handling into the faulty path. ACROS has developed a proof-of-concept (PoC) but has not released it publicly.

•  Severity: No CVSS score has been assigned yet. The impact is denial of service only: there is no privilege escalation or code execution, but a user who can crash RasMan at will can knock out VPN, dial-up and other remote-access connections on the host for as long as they keep doing it, which matters in enterprise environments that depend on RasMan for remote connectivity.

•  In the Wild?: No active exploitation had been reported as of December 12, 2025, but the bug is simple enough to trigger that the barrier for attackers is low.

Microsoft has been notified but has not issued a patch or timeline for one. RasMan has been a recurring target, with over 20 flaws patched since January 2022, including the recent zero-day CVE-2025-59230 exploited for privilege escalation.

Unofficial Patches Available

In the absence of an official fix, ACROS Security has released free micropatches through its 0patch platform, which applies small binary-level fixes to the running process without a reboot or a full update. The micropatches are available now for all affected Windows versions and are included in 0patch's free plan until Microsoft provides an official patch.

•  How to Apply:

1.  Sign up for a free 0patch account at 0patch.com.

2.  Download and install the 0patch agent.

3.  The micropatch is applied to RasMan automatically; no manual intervention is needed.

•  Coverage: Fully supports end-of-life versions (e.g., Windows 7/Server 2008 R2) where Microsoft no longer provides updates.

•  Risks of Unofficial Patches: 0patch has a long track record of deploying micropatches, but any third-party fix carries inherent risks such as compatibility conflicts or incomplete coverage, and the micropatch only protects a system while the agent is installed and running. Test in a non-production environment first, and plan to replace the micropatch with Microsoft's fix once one ships; ACROS itself describes these as temporary mitigations.

For the latest updates, monitor Microsoft's Security Update Guide or subscribe to 0patch notifications. Where remote access is not needed on a host, disabling the RasMan service removes the attack surface entirely, at the cost of VPN and dial-up functionality on that machine. Where it is needed, configuring the service to restart automatically after a failure shortens the outage each crash causes, though it does not stop an attacker from crashing it again.
