Mallory

Windows RasMan Zero-Day Enables Service Crash and Privilege Escalation

Tags: privilege escalation, zero-day, exploit, RasMan, Server 2008 R2, denial-of-service, ACROS Security, crash, DoS, Windows, SYSTEM-level, vulnerability, Microsoft, unprivileged, privilege
Updated December 15, 2025 at 08:09 AM · 4 sources


A newly discovered zero-day vulnerability in the Windows Remote Access Connection Manager (RasMan) service allows unprivileged users to crash the service, creating a denial-of-service (DoS) condition. This flaw, which has not yet been assigned a CVE or received an official Microsoft patch, was uncovered by ACROS Security while investigating a previously patched privilege escalation vulnerability (CVE-2025-59230). The new DoS vulnerability is critical because it enables attackers to stop the RasMan service, which is a prerequisite for exploiting certain privilege escalation bugs. A working exploit for this zero-day is publicly available, and free unofficial patches have been released by the 0patch platform to mitigate the risk until Microsoft issues an official fix.

The vulnerability affects all supported Windows versions, from Windows 7 through Windows 11 and Windows Server 2008 R2 through Server 2025. The exploit leverages a coding error in RasMan's handling of circular linked lists, causing the service to crash when a null pointer is encountered. This crash can be triggered by any unprivileged user, potentially allowing attackers to combine the DoS with other privilege escalation vulnerabilities to gain SYSTEM-level access. Microsoft has not yet responded to requests for comment or provided a timeline for an official patch, leaving organizations reliant on third-party mitigations in the interim.
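Because the crash itself is the enabling step for the escalation chain described above, a defender's first signal is the Service Control Manager recording RasMan terminating unexpectedly. The following detection logic is an added example for this story, not code from ACROS Security, 0patch or Microsoft; it runs over a constructed CSV export of the Windows System log and treats repeated RasMan crashes in a short window as more suspicious than a single one.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Service Control Manager event IDs that record an unexpected service termination
# (7034: terminated unexpectedly; 7031: terminated unexpectedly, corrective action taken).
CRASH_EVENT_IDS = {7031, 7034}
RASMAN_DISPLAY_NAME = "Remote Access Connection Manager"  # display name of the RasMan service

# Constructed sample export (Time,Source,EventID,Message); not real telemetry.
SAMPLE_LOG = """\
2025-12-15 08:01:10,Service Control Manager,7036,The Print Spooler service entered the running state.
2025-12-15 08:02:31,Service Control Manager,7034,The Remote Access Connection Manager service terminated unexpectedly. It has done this 1 time(s).
2025-12-15 08:02:40,Service Control Manager,7036,The Remote Access Connection Manager service entered the running state.
2025-12-15 08:03:05,Service Control Manager,7034,The Remote Access Connection Manager service terminated unexpectedly. It has done this 2 time(s).
2025-12-15 08:03:50,Service Control Manager,7031,The Remote Access Connection Manager service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
2025-12-15 09:30:00,Service Control Manager,7034,The Windows Update service terminated unexpectedly. It has done this 1 time(s).
"""

def rasman_crashes(log_text):
    """Return timestamps of unexpected RasMan terminations, in log order."""
    hits = []
    for row in csv.reader(StringIO(log_text)):
        if len(row) < 4:
            continue  # blank or malformed line
        when, source, event_id = row[0], row[1], row[2]
        message = ",".join(row[3:])  # re-join a message that contained commas
        if source != "Service Control Manager" or not event_id.isdigit():
            continue
        if int(event_id) in CRASH_EVENT_IDS and RASMAN_DISPLAY_NAME in message:
            hits.append(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"))
    return hits

def suspicious_bursts(crash_times, window=timedelta(minutes=5), threshold=2):
    """Group crashes into non-overlapping windows; a single crash may be incidental,
    but several within a few minutes look like deliberate triggering."""
    bursts, i = [], 0
    while i < len(crash_times):
        start = crash_times[i]
        in_window = [t for t in crash_times[i:] if t - start <= window]
        if len(in_window) >= threshold:
            bursts.append((start, len(in_window)))
        i += len(in_window)  # in_window always contains start, so this advances
    return bursts

if __name__ == "__main__":
    crashes = rasman_crashes(SAMPLE_LOG)
    print(f"{len(crashes)} RasMan crash event(s) found")
    for start, n in suspicious_bursts(crashes):
        print(f"ALERT: {n} RasMan crashes within 5 minutes starting {start}")
```

On a live host the same logic applies to records pulled from the System log; the restart event (7036) that follows each crash is deliberately ignored so that routine recovery does not mask the pattern.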

Related Stories

Microsoft Patches Windows RasMan DoS and Windows Error Reporting Privilege Escalation

Microsoft released fixes for multiple Windows local vulnerabilities affecting core services used in enterprise environments. One issue in the **Remote Access Connection Manager (RasMan)** service was exploited to trigger a local **denial-of-service (DoS)** by crashing the remote access service, which can disrupt **VPN connectivity** and interrupt remote access workflows on unpatched systems; Microsoft described the condition as allowing an “unauthorized attacker to deny service locally.” Separately, Microsoft patched **CVE-2026-20817**, a **Windows Error Reporting Service** (*wersvc.dll*) local privilege escalation that can allow a standard user to obtain **SYSTEM-level** execution via ALPC messaging and insufficient authorization checks in request handling (notably around `CWerService::SvcElevatedLaunch`). Reporting indicates the service could be coerced into creating a new token derived from the WER service’s SYSTEM token (with `SeTcbPrivilege` removed but other powerful rights retained), enabling high-impact post-exploitation actions such as credential theft and full host takeover; a **proof-of-concept (PoC)** was also reported as available.

1 month ago

Active Exploitation of Patched Windows SMB Client Vulnerability CVE-2025-33073

A critical vulnerability in the Windows SMB client, tracked as CVE-2025-33073, is being actively exploited by threat actors months after Microsoft released a patch. The flaw, which affects Windows 10, Windows 11 (up to version 24H2), and all supported versions of Windows Server, was initially addressed in Microsoft's June 2025 Patch Tuesday update. The vulnerability allows attackers to escalate privileges to SYSTEM level by coercing a victim machine to connect to a malicious SMB server, where the protocol can be compromised. Attackers can exploit this by executing a specially crafted script or convincing users to run such a script, leading to authentication with the attacker's server and subsequent compromise. Security researchers from organizations including CrowdStrike, Synacktiv, GuidePoint Security, BNP Paribas, SySS GmbH, RedTeam Pentesting GmbH, and Google Project Zero contributed to the discovery and public disclosure of the flaw. Some researchers have highlighted that the vulnerability bypasses NTLM reflection mitigations and can be used for authenticated remote command execution, not just privilege escalation as initially described by Microsoft. Technical details and proof-of-concept exploits have been published, increasing the risk of widespread exploitation.

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-33073 to its Known Exploited Vulnerabilities (KEV) catalog on October 20, 2025, confirming active exploitation in the wild. CISA has mandated that all US federal civilian agencies apply the patch or remove vulnerable systems from operation by November 10, 2025, under Binding Operational Directive 22-01. While this directive is specific to federal agencies, CISA has strongly urged all organizations to remediate the vulnerability immediately due to the ongoing attacks.
The vulnerability was publicly disclosed at the time of patch release, but exploitation was not observed until months later, underscoring the importance of timely patch management. Microsoft has not yet issued a public statement regarding the active exploitation. The flaw's ability to bypass existing mitigations and enable remote command execution makes it particularly dangerous for enterprise environments. Organizations that have not yet applied the June 2025 patch remain at significant risk of compromise. The ongoing exploitation highlights the persistent threat posed by delayed patching and the rapid weaponization of disclosed vulnerabilities. Security teams are advised to prioritize remediation and monitor for signs of exploitation related to CVE-2025-33073.

4 months ago

Microsoft February Patch Tuesday Fixes Actively Exploited Zero-Days Including Windows RDS Privilege Escalation

Microsoft’s February 2026 Patch Tuesday shipped fixes for **58 vulnerabilities** across Windows, Office, and related components, including **six zero-days reported as actively exploited**. Reported zero-days included **CVE-2026-21533** (Windows **Remote Desktop Services** elevation of privilege), **CVE-2026-21510** (Windows Shell security feature bypass involving SmartScreen/Mark-of-the-Web), **CVE-2026-21513** and **CVE-2026-21514** (Office/MSHTML mitigation bypasses requiring user interaction), and **CVE-2026-21525** (Windows Remote Access Connection Manager DoS). Coverage of the release emphasized that elevation-of-privilege issues were the largest category in the update set, and that organizations should prioritize rapid deployment given in-the-wild exploitation claims. For **CVE-2026-21533** (CVSS 7.8, *Important*), reporting cited CrowdStrike observations of an exploit binary used post-compromise to reach **SYSTEM** by modifying a service configuration **registry key** to point to attacker-controlled values, enabling actions such as adding a user to the local Administrators group; the issue primarily impacts Windows systems where RDS is enabled and is positioned as a strong enabler for lateral movement in RDP-heavy environments. Separately, a January 2026-patched local privilege escalation in Windows Error Reporting, **CVE-2026-20817** (CVSS 7.8), was described with technical detail and a released PoC: the WER service (`wersvc.dll`) allegedly failed to validate requester permissions over ALPC, allowing a standard user to trigger process creation with a SYSTEM-derived token retaining powerful privileges (e.g., `SeDebugPrivilege`, `SeImpersonatePrivilege`, `SeBackupPrivilege`), underscoring the broader trend of Windows local EoP bugs being leveraged for post-exploitation escalation.

1 month ago