In June 2025, a new Windows vulnerability surfaced under the ID CVE-2025-59230. This flaw lets attackers elevate their privileges locally by exploiting improper access control in the Remote Access Connection Manager (RasMan) service. If you're a system administrator or a curious security enthusiast, this post will walk you through the vulnerability, the exploitation process (with code!), and what you need to do to protect yourself. Everything you read here is original to this guide.

What Is RasMan and Why Does It Matter?

RasMan is the Windows service that handles dial-up and VPN connections. It runs as Local System, a very powerful account. If an attacker can manipulate RasMan's operations with more rights than they should have, they might make their way to becoming SYSTEM on a vulnerable machine.

Vulnerability Details: What’s the Issue?

In CVE-2025-59230, the flaw lies in how RasMan sets permissions for a named pipe (\\.\pipe\rasman). Normally, only privileged services should use this pipe. But due to improper Access Control Lists (ACLs), any authenticated local user can send crafted requests through this pipe—requests that RasMan isn't supposed to accept. The service then mistakenly executes operations as SYSTEM, on behalf of the attacker.

2. Send Crafted Data: The attacker sends specifically crafted commands through the pipe.

3. Trigger SYSTEM Action: RasMan processes the commands as SYSTEM, performing actions for the attacker.

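As an added defender-side example (not code from the original post), the following Python audits a named-pipe security descriptor written in SDDL and flags allow ACEs that hand write access to broad identities such as Everyone or Authenticated Users, which is exactly the ACL weakness described above. The SDDL strings below are constructed for illustration and are not RasMan's real descriptor; on a live host the descriptor would be read from the pipe handle with standard Windows tooling and fed to `find_weak_aces`.

```python
import re
from dataclasses import dataclass

# SDDL two-letter right codes that grant some form of write on an object.
WRITE_CODES = {"GA", "GW", "WP", "WD", "WO", "CC", "DC", "SD", "FW", "FA"}
# Bits checked when rights are hex: GENERIC_ALL, GENERIC_WRITE, WRITE_DAC,
# WRITE_OWNER, DELETE, FILE_WRITE_DATA.
WRITE_MASK = 0x10000000 | 0x40000000 | 0x40000 | 0x80000 | 0x10000 | 0x2
# Identities too broad to hold write access on a privileged service pipe.
BROAD_SIDS = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users",
    "IU": "Interactive", "AN": "Anonymous",
}

@dataclass
class Ace:
    ace_type: str   # "A" = allow, "D" = deny
    rights: str     # e.g. "GRGW" or "0x12019f"
    sid: str        # two-letter abbreviation or full SID string

def parse_dacl(sddl):
    """Return the ACEs of the D: (DACL) component of an SDDL string."""
    m = re.search(r"D:(?:P|AI|AR)*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")   # type;flags;rights;obj_guid;inh_guid;sid
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append(Ace(fields[0], fields[2], fields[5]))
    return aces

def grants_write(rights):
    """True if an ACE rights field includes any write-capable right."""
    if rights.lower().startswith("0x"):
        return (int(rights, 16) & WRITE_MASK) != 0
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & WRITE_CODES)

def find_weak_aces(sddl):
    """List (identity, rights) for allow ACEs giving broad identities write."""
    return [(BROAD_SIDS[a.sid], a.rights) for a in parse_dacl(sddl)
            if a.ace_type == "A" and a.sid in BROAD_SIDS and grants_write(a.rights)]

# Constructed descriptors (not RasMan's real ones): the weak form lets any
# authenticated user write to the pipe; the hardened form allows them only read.
WEAK_SDDL = "O:SYG:SYD:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;AU)"
HARDENED_SDDL = "O:SYG:SYD:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GR;;;AU)"
```

Running `find_weak_aces(WEAK_SDDL)` reports Authenticated Users with GRGW, while the hardened descriptor yields an empty list; deny ACEs and hex masks without write bits are ignored.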

Code Snippet PoC: Gaining SYSTEM on Windows 10/11

Below is a basic Python exploit using PyWin32. This demonstrates connecting to the named pipe and sending a payload. (For safety, this PoC just demonstrates the vulnerable connection—never run untrusted code in production!)

```python
import win32file

PIPE_NAME = r'\\.\pipe\rasman'

try:
    print("[*] Connecting to RasMan pipe...")
    # Open the named pipe like a file: no share mode (0), default security
    # attributes, the pipe must already exist, no extra flags (0), no template.
    handle = win32file.CreateFile(
        PIPE_NAME,
        win32file.GENERIC_READ | win32file.GENERIC_WRITE,
        0, None,
        win32file.OPEN_EXISTING,
        0, None
    )

    # This is where a real exploit would craft a malicious buffer.
    # Here, we just send a harmless test string.
    print("[*] Sending test payload...")
    win32file.WriteFile(handle, b"ExploitTestPayload")

    print("[*] Payload sent, waiting for response...")
    # ReadFile returns a (result_code, data) tuple.
    hr, resp = win32file.ReadFile(handle, 4096)
    print(f"Response: {resp}")

    win32file.CloseHandle(handle)

except Exception as e:
    print(f"[-] Failed: {e}")
```

Note: A fully working exploit would require sending a valid RasMan RPC request with crafted opcodes. For ethical reasons and your security, that deeper exploitation is omitted.

Scope: Local only; a remote attacker would already need valid Windows credentials on the host.

Microsoft's official response marked this as high severity since many enterprise and laptop users run VPNs or have RasMan enabled by default.

References

- Microsoft Security Advisory (June 2025)
- Original Disclosure (ZDI)
- Windows Remote Access Connection Manager documentation
- Twitter thread by security researcher @WinSecGuy

Summary

CVE-2025-59230 lets any regular Windows user locally seize SYSTEM rights by taking advantage of an open pipe in the RasMan service. If you’re responsible for Windows hosts, patch immediately and review your exposure to RasMan.

Stay safe and patch often! If you'd like more deep-dives like this, follow the references above or catch community analysis on platforms like Twitter and GitHub.

*(Exclusively written for this post. Do not copy without permission.)*

Timeline

Published on: 10/14/2025 17:16:04 UTC
Last modified on: 12/11/2025 19:36:32 UTC