
ACROS Security disclosed an unpatched Windows zero-day that allows unprivileged users to crash the Remote Access Connection Manager (RasMan) service — a SYSTEM-level component managing VPN, PPPoE and other remote connections — across Windows 7–11 and Server 2008 R2–2025 by exploiting a null-pointer handling bug when traversing circular linked lists. When combined with the previously patched CVE-2025-59230 privilege-escalation flaw, the denial-of-service bug gives attackers the missing capability to impersonate RasMan and potentially achieve code execution; ACROS has released free unofficial 0patch micropatches for all affected versions while Microsoft has not yet issued an official fix. The vulnerability raises immediate enterprise risk for VPN and remote-access infrastructure and highlights demand for rapid third-party mitigations until Microsoft delivers an official patch.
ACROS Security disclosed an unpatched Windows zero-day that allows unprivileged users to crash the Remote Access Connection Manager (RasMan) service across Windows 7–11 and Windows Server 2008 R2–Server 2025 by exploiting a null-pointer handling bug when traversing circular linked lists. The flaw was found while investigating CVE-2025-59230 (a privilege-escalation vulnerability patched in October); combined with that or similar elevation flaws, the denial-of-service bug provides the missing capability to impersonate RasMan and potentially achieve code execution while RasMan is not running. RasMan runs with SYSTEM privileges and manages VPN and PPPoE connections, so successful exploitation presents an immediate risk to enterprise remote-access infrastructure and widens the attack surface for privilege escalation across both supported and legacy Windows deployments. No CVE has yet been assigned to the vulnerability and Microsoft has not patched it, leaving organizations exposed until an official fix or a stable enterprise mitigation is broadly deployed. ACROS is distributing free 0patch micropatches, which require creating an account and installing an agent; this offers rapid remediation but introduces operational, compatibility, and policy considerations around reliance on unofficial fixes. Market signals show moderately negative sentiment, with a -0.6 score for MSFT and a market impact score of 0.45, implying short-term reputational and support-cost pressure for Microsoft and potential demand upside for third-party security and managed-patching vendors.
Overall sentiment: moderately negative
Sentiment score: -0.55