CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
Improper privilege management in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally.
Analysis (AI)
This is a privilege escalation vulnerability in Windows Remote Access Connection Manager that allows an authenticated local attacker to elevate privileges to a higher integrity level without user interaction. It affects Windows systems with Remote Access Connection Manager enabled and has a CVSS score of 7.8 (High severity). No active exploitation in the wild has been publicly confirmed at this time, but the local attack vector, low complexity, and absence of any user interaction requirement make this a significant risk for multi-user or compromised systems where an attacker already has local access.
Technical Context (AI)
Windows Remote Access Connection Manager (RAS Connection Manager) is a system service responsible for managing remote access connections including VPN, dial-up, and broadband connections. The vulnerability stems from improper privilege management (CWE-269), which indicates insufficient validation or enforcement of privilege boundaries when handling connection operations. This likely involves a flaw in how the service validates caller privileges before performing sensitive operations that require elevated access, potentially through COM interfaces, RPC endpoints, or named pipes that the service exposes. The issue exists in the authentication/authorization layer, where the service fails to stop a caller with limited privileges (PR:L) from performing actions reserved for system or administrative contexts. The attack likely leverages legitimate RAS APIs or interfaces that the service exposes to local users, but with insufficient privilege checks.
Remediation (AI)
1. Apply the security patch released by Microsoft for CVE-2025-47955 to all affected Windows systems immediately, prioritizing VPN servers, Remote Access servers, and systems in high-privilege environments.
2. Check the Microsoft Security Update Guide (portal.msrc.microsoft.com) for the specific KB articles corresponding to your Windows version/build.
3. Temporary mitigations pending patch deployment:
   (a) Restrict local user access through Group Policy and account management, removing unnecessary local accounts;
   (b) Disable the Remote Access Connection Manager service (rasman) if it is not required for business operations, using 'net stop rasman' and setting startup to Disabled in services.msc;
   (c) Monitor security event logs for RAS-related activity and privilege escalation attempts (Event ID 4672, 4673);
   (d) Implement application whitelisting to restrict execution of tools that might be used to exploit the vulnerability;
   (e) Enable Windows Defender Exploit Guard attack surface reduction rules.
4. Validate patch deployment across your infrastructure.
5. Review the Microsoft advisory for any additional guidance specific to your environment.
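Mitigations 3(b) and 3(c) above can be scripted as an audit-first check. The following is an added example, not code from Microsoft or from this advisory; the `-Disable` and `-LookbackHours` parameters are names chosen for this script, and it assumes an elevated PowerShell session.

```powershell
# Added example: audit RasMan, optionally disable it (3b), then review
# Event IDs 4672/4673 per account (3c). Parameter names are this script's own.
param(
    [switch]$Disable,          # stop RasMan and set its startup type to Disabled
    [int]$LookbackHours = 24   # how far back to read the Security log
)

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RasMan'"
if (-not $svc) {
    Write-Output 'RasMan service not present on this host.'
    return
}
Write-Output ("RasMan: State={0} StartMode={1}" -f $svc.State, $svc.StartMode)

# Disabling RasMan breaks the VPN, dial-up and broadband connections it
# manages, so list running services that depend on it before changing anything.
$dependents = Get-Service -Name RasMan -DependentServices |
    Where-Object Status -eq 'Running'
if ($dependents) {
    Write-Output ('Running dependents: ' + ($dependents.Name -join ', '))
}

if ($Disable) {
    Stop-Service -Name RasMan -Force              # -Force also stops dependents
    Set-Service  -Name RasMan -StartupType Disabled
    Write-Output 'RasMan stopped and set to Disabled.'
}

# 4672 = special privileges assigned to new logon,
# 4673 = a privileged service was called.
$filter = @{
    LogName   = 'Security'
    Id        = 4672, 4673
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the account from the event XML rather than a positional index.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            EventId = $_.Id
            Account = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
        }
    } |
    Group-Object EventId, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Event 4673 is recorded only when the "Audit Sensitive Privilege Use" audit subcategory is enabled, and 4672 fires for every privileged logon including SYSTEM, so compare the per-account counts against a known-good baseline rather than treating any single event as an alert.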
EUVD-2025-17764