CVE ID

CVE-2025-59230

Published 2025-10-14
Updated 5 months ago
Vendor/s
Microsoft
Product/s
Windows
Version/s
* > 10.0.10240.21161
KEV Status
Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalogue. Active exploitation observed in the wild.
CVSS Score (v3.1)
7.8 / 10 (High)
Severity Details
Base score
7.8 High
Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Description

CVE-2025-59230 is a high-severity privilege escalation vulnerability in Windows Remote Access Connection Manager under active exploitation.

CPE

Microsoft

Product                    Version Start   Version End (excl.)   Status
windows_10_1507            *               10.0.10240.21161      vulnerable
windows_10_1607            *               10.0.14393.8519       vulnerable
windows_10_1809            *               10.0.17763.7919       vulnerable
windows_10_21h2            *               10.0.19044.6456       vulnerable
windows_10_22h2            *               10.0.19045.6456       vulnerable
windows_11_22h2            *               10.0.22621.6060       vulnerable
windows_11_23h2            *               10.0.22631.6060       vulnerable
windows_11_24h2            *               10.0.26100.6899       vulnerable
windows_11_25h2            *               10.0.26200.6899       vulnerable
windows_server_2008        -               -                     vulnerable
windows_server_2008        r2              r2                    vulnerable
windows_server_2012        -               -                     vulnerable
windows_server_2012        r2              r2                    vulnerable
windows_server_2016        *               10.0.14393.8519       vulnerable
windows_server_2019        *               10.0.17763.7919       vulnerable
windows_server_2022        *               10.0.20348.4294       vulnerable
windows_server_2022_23h2   *               10.0.25398.1913       vulnerable
windows_server_2025        *               10.0.26100.6899       vulnerable

Related weakness (CWE)

CWE-284 (Improper Access Control)

Remediation plan

1. Apply official patches

Download and install the latest security updates from the Microsoft Security Response Center (MSRC) that specifically address the Remote Access Connection Manager (RasMan) service for your Windows version.

2. Update affected systems

Ensure Windows 10 (versions 1507 to 22H2), Windows 11 (22H2 to 24H2), and Windows Server (2008 to 2025) are updated to at least the first non-vulnerable build listed in the CPE table (the "Version End (excl.)" value), for example 10.0.22631.6060 for Windows 11 23H2 or 10.0.26100.6899 for Windows 11 24H2.

3. Restrict access

Apply the principle of least privilege (PoLP) to limit local user permissions, and restrict access to the RasMan service components and associated registry keys to authorized administrative accounts only.

4. Monitor for exploitation

Audit the Windows System event log for unusual service start/stop events related to 'RasMan' (Event ID 7036, a service entered the running or stopped state, and Event ID 7045, a new service was installed), and monitor for unexpected processes spawned with SYSTEM privileges from local user sessions.
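Steps 1 and 2 come down to comparing each host's build against the fixed build for its product. The following script is an added example written for this page (not code from the page, from Microsoft, or from the site that published this entry): it transcribes the "Version End (excl.)" column of the CPE table above into a lookup, compares builds as integer tuples rather than strings, and gives Windows Server 2008/2012 (listed without a build) a "verify" verdict instead of guessing. Hostnames, the inventory, and the product name "windows_7" are constructed sample data.

```python
"""Build-number check for CVE-2025-59230 against the CPE table above.

Added example written for this page; it is not code from the page, from
Microsoft or from the site that published the entry. FIXED_BUILDS is
transcribed from the table's "Version End (excl.)" column, so a host at or
above that build is treated as patched. Windows Server 2008/2012 (and their
R2 editions) are listed vulnerable with no build, so they get a "verify"
verdict instead of a guess. The host inventory is constructed sample data.
"""

FIXED_BUILDS = {
    "windows_10_1507": "10.0.10240.21161",
    "windows_10_1607": "10.0.14393.8519",
    "windows_10_1809": "10.0.17763.7919",
    "windows_10_21h2": "10.0.19044.6456",
    "windows_10_22h2": "10.0.19045.6456",
    "windows_11_22h2": "10.0.22621.6060",
    "windows_11_23h2": "10.0.22631.6060",
    "windows_11_24h2": "10.0.26100.6899",
    "windows_11_25h2": "10.0.26200.6899",
    "windows_server_2016": "10.0.14393.8519",
    "windows_server_2019": "10.0.17763.7919",
    "windows_server_2022": "10.0.20348.4294",
    "windows_server_2022_23h2": "10.0.25398.1913",
    "windows_server_2025": "10.0.26100.6899",
}


def parse_build(build):
    """'10.0.22631.6060' -> (10, 0, 22631, 6060).

    Comparing as integer tuples matters: as strings, '10.0.22631.999' would
    sort after '10.0.22631.6060' and a vulnerable host would look patched.
    """
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Windows build string: {build!r}")
    return tuple(int(p) for p in parts)


def assess(product, build):
    """Return 'patched', 'vulnerable', 'verify' or 'unknown' for one host."""
    if product.startswith(("windows_server_2008", "windows_server_2012")):
        return "verify"    # listed vulnerable with no fixed build: check the vendor advisory
    fixed = FIXED_BUILDS.get(product)
    if fixed is None:
        return "unknown"   # not in the CPE table: do not assume it is safe
    return "patched" if parse_build(build) >= parse_build(fixed) else "vulnerable"


# Constructed sample inventory (hostnames, builds and the windows_7 entry are made up).
SAMPLE_HOSTS = [
    ("ws-01", "windows_11_23h2", "10.0.22631.6060"),
    ("ws-02", "windows_11_24h2", "10.0.26100.999"),
    ("srv-01", "windows_server_2022", "10.0.20348.4294"),
    ("srv-02", "windows_server_2008", "6.0.6003.0"),
    ("kiosk-01", "windows_7", "6.1.7601.0"),
]


def assess_inventory(hosts):
    """Map hostname -> verdict; vulnerable, verify and unknown hosts need follow-up."""
    return {name: assess(product, build) for name, product, build in hosts}


if __name__ == "__main__":
    for name, verdict in assess_inventory(SAMPLE_HOSTS).items():
        print(f"{name:10} {verdict}")
```

Feed it the product identifier and `ver`/`winver` build string your inventory tool reports; anything that is not "patched" goes on the follow-up list, including "unknown", since a product missing from the table is not evidence that it is unaffected.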

Detection Guidance

Detection should focus on the Windows Remote Access Connection Manager service (RasMan, hosted in svchost.exe and implemented in rasman.dll). Look for Event ID 7036 or 7045 in the System log indicating unexpected service manipulation; 7036 also fires on routine service restarts, so correlate it with the other indicators rather than alerting on it alone. Additionally, use EDR tools to flag suspicious child processes of the svchost.exe instance running the RasMan service that exhibit privilege escalation characteristics, such as an untrusted executable launched as SYSTEM. Monitor for unauthorized modifications to registry keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan.

References

Sources

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)
