Analysis

Researchers at 0patch disclosed an unpatched zero-day that crashes the Windows Remote Access Connection Manager (RasMan) service via a null-pointer bug in circular linked-list processing, a condition the firm says is used alongside Microsoft’s previously fixed CVE-2025-59230 privilege-escalation exploit to achieve SYSTEM privileges. RasMan manages VPN and remote network connections, and the exploit requires stopping RasMan to free an RPC endpoint, enabling local privilege escalation and service disruption. 0patch has issued an unofficial, free micropatch (available via a 0patch Central trial) after notifying Microsoft, but the new DoS flaw has not been assigned a CVE, remains unpatched across Windows versions, and Microsoft has not provided public feedback. The working exploit is publicly downloadable and reportedly undetected by malware detection engines, increasing the practical attack surface in the near term. Implications for enterprise security include elevated risk of VPN/service outages and local takeover attempts until Microsoft issues an official patch and security vendors update detections; occupational exposure is highest for organizations relying on Windows-hosted VPN endpoints. Market signals show a mildly negative sentiment (article-level score -0.25 and MSFT per-ticker -0.3), implying short-term reputational and support-cost risks for Microsoft but no direct evidence yet of widespread in-the-wild exploitation.