CVE-2025-47955
📋 TL;DR
This vulnerability in Windows Remote Access Connection Manager allows authenticated attackers to escalate privileges on a local system. Attackers with standard user access can gain SYSTEM-level privileges, potentially taking full control of affected Windows machines. This affects systems running vulnerable versions of Windows with the Remote Access Connection Manager service enabled.
💻 Affected Systems
- Windows Remote Access Connection Manager
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
Windows 11 24h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where an attacker gains SYSTEM privileges, installs persistent malware, accesses all data, and pivots to other systems in the network.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install additional tools, and maintain persistence on compromised systems.
If Mitigated
Limited impact if proper privilege separation, application control, and monitoring are in place to detect unusual privilege escalation attempts.
🎯 Exploit Status
Requires authenticated access to the system. Exploitation likely involves manipulating the Remote Access Connection Manager service through legitimate interfaces with malicious parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Specific patch versions available through Microsoft's monthly security updates - check the Microsoft Security Update Guide for exact KB numbers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47955
Restart Required: Yes
Instructions:
1. Apply the latest Windows security updates from Microsoft.
2. For enterprise environments, deploy patches through WSUS, SCCM, or Intune.
3. Restart affected systems to complete the patch installation.
🔧 Temporary Workarounds
Disable Remote Access Connection Manager Service
Disables the vulnerable service if it is not required for business operations
sc config RasMan start= disabled
sc stop RasMan
Restrict Service Permissions
Apply stricter ACLs to the Remote Access Connection Manager service
sc sdset RasMan D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
🧯 If You Can't Patch
- Implement strict application control policies to prevent execution of unauthorized binaries even with elevated privileges
- Enable enhanced auditing for privilege escalation events and monitor for unusual service manipulation
🔍 How to Verify
Check if Vulnerable:
Check whether the Remote Access Connection Manager (RasMan) service is running, and compare the Windows version against the affected versions listed in Microsoft's advisory
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that the latest Windows security updates are installed and the system has been restarted since patch application
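The checks above, combined into one script. This is an added example, not part of the advisory: it assumes an elevated PowerShell session on the host being checked, and the KB list is a placeholder to be filled from the MSRC advisory linked above (the page does not give KB numbers). It reports the RasMan service state, start mode and current DACL (so the two workarounds can be confirmed), the OS build, and whether a listed KB is installed and the machine rebooted since.

```powershell
# Added verification script, not from the advisory. Run in an elevated shell.
$PatchKBs = @('KBxxxxxxx')   # PLACEHOLDER: the KB id(s) for this build from the Security Update Guide

function Get-RasManStatus {
    # Service state, start mode, account and current service DACL (shows whether
    # the "disable" or "sc sdset" workaround from the advisory is in place).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RasMan'"
    if (-not $svc) { return $null }
    $sddl = (sc.exe sdshow RasMan | Where-Object { $_ -match '^D:' }) -join ''
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State        # Running / Stopped
        StartMode = $svc.StartMode    # Auto / Manual / Disabled
        RunsAs    = $svc.StartName    # LocalSystem on a default install
        Dacl      = $sddl
    }
}

function Get-OsBuildInfo {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Caption  = $os.Caption
        Version  = $os.Version
        Build    = $os.BuildNumber
        LastBoot = $os.LastBootUpTime
    }
}

function Test-PatchState {
    # Is any listed KB installed, and has the host rebooted since that install?
    # (The fix requires a restart.) Get-HotFix's InstalledOn carries only a date.
    param([string[]]$KBs, [datetime]$LastBoot)
    $hotfix = Get-HotFix |
        Where-Object { $KBs -contains $_.HotFixID } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $hotfix) {
        return [pscustomobject]@{ Installed = $false; RebootedSinceInstall = $false; KB = $null }
    }
    $rebooted = $false
    if ($hotfix.InstalledOn) { $rebooted = $LastBoot -gt $hotfix.InstalledOn }
    [pscustomobject]@{ Installed = $true; RebootedSinceInstall = $rebooted; KB = $hotfix.HotFixID }
}

$svc   = Get-RasManStatus
$os    = Get-OsBuildInfo
$patch = Test-PatchState -KBs $PatchKBs -LastBoot $os.LastBoot

$os  | Format-List
$svc | Format-List

if ($patch.Installed -and $patch.RebootedSinceInstall) {
    "FIXED: $($patch.KB) is installed and the system restarted afterwards."
} elseif ($patch.Installed) {
    "PENDING: $($patch.KB) is installed but no restart since $($os.LastBoot); restart required."
} elseif (-not $svc -or $svc.StartMode -eq 'Disabled') {
    "MITIGATED: RasMan is absent or disabled (workaround only); the patch is not installed."
} else {
    "VULNERABLE: RasMan is $($svc.State) ($($svc.StartMode)) and no listed KB is installed."
}
```

Because `Get-HotFix` records only the install date, a host patched and rebooted on the same day that had also booted earlier that day can be reported as restarted when it was not; treat "PENDING" as authoritative and "FIXED" on the install day as worth a second look. The `Dacl` value is the string `sc sdshow RasMan` returns, which is also what to save before applying the `sc sdset` workaround so the original descriptor can be restored.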
📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 (process creation): a process created with a fully elevated token (TokenElevationType %%1937) where the subject account is not SYSTEM
- Event ID 4697: A service was installed in the system
- Unusual service control operations on RasMan service
Network Indicators:
- No direct network indicators as this is local privilege escalation
SIEM Query:
EventID=4688 AND NewProcessName CONTAINS "cmd.exe" AND SubjectUserName != "SYSTEM" AND TokenElevationType="%%1937"
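The SIEM query above expressed as a PowerShell rule, as an added example that is not part of the advisory. `Test-SuspiciousElevation` applies the same three conditions (event 4688, subject not SYSTEM, token type %%1937, process name matching cmd.exe) to the XML of a Security-log record; it is exercised first on two constructed, abridged 4688 records (their account and process values are made up), then the commented lines show the same function over the live log and a System-log query for start-type changes to RasMan (Service Control Manager event 7040), which covers the "unusual service control operations" indicator.

```powershell
# Added detection example, not from the advisory. Field names follow the
# standard 4688 EventData schema; the sample records below are constructed.

function Get-EventField {
    # Pull one named <Data> value out of an event's EventData section.
    param([xml]$Event, [string]$Name)
    ($Event.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Test-SuspiciousElevation {
    # $true when a 4688 record shows a full-elevation token (%%1937) created by a
    # non-SYSTEM subject for a process matching $ProcessPattern (the page's query).
    param([string]$EventXml, [string]$ProcessPattern = 'cmd\.exe$')
    [xml]$x = $EventXml
    if ([int]$x.Event.System.EventID -ne 4688) { return $false }
    $subject = Get-EventField -Event $x -Name 'SubjectUserName'
    $proc    = Get-EventField -Event $x -Name 'NewProcessName'
    $token   = Get-EventField -Event $x -Name 'TokenElevationType'
    return ($subject -ne 'SYSTEM') -and ($token -eq '%%1937') -and ($proc -match $ProcessPattern)
}

# Constructed sample events (abridged 4688 records, not captured from a real host).
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$benign = @"
<Event xmlns="$ns"><System><EventID>4688</EventID></System><EventData>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="NewProcessName">C:\Windows\System32\svchost.exe</Data>
<Data Name="TokenElevationType">%%1936</Data>
</EventData></Event>
"@
$suspect = @"
<Event xmlns="$ns"><System><EventID>4688</EventID></System><EventData>
<Data Name="SubjectUserName">alice</Data>
<Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
<Data Name="TokenElevationType">%%1937</Data>
<Data Name="ParentProcessName">C:\Windows\System32\svchost.exe</Data>
</EventData></Event>
"@
"benign  -> $(Test-SuspiciousElevation $benign)"
"suspect -> $(Test-SuspiciousElevation $suspect)"

# Live use (elevated shell; requires process-creation auditing to be enabled):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 1000 |
#     Where-Object { Test-SuspiciousElevation $_.ToXml() } |
#     Select-Object TimeCreated, Id, Message
#
# Start-type changes to RasMan (covers the sc config workaround and tampering):
# Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; Id=7040} |
#     Where-Object { $_.Message -match 'Remote Access Connection Manager' }
```

The rule is deliberately as narrow as the page's query: only cmd.exe with a full-elevation token from a non-SYSTEM subject. Widening `$ProcessPattern` (for example to powershell.exe or any path outside `C:\Windows`) raises coverage at the cost of noise from legitimate UAC-elevated sessions, which also carry %%1937, so pair it with the parent-process field and the RasMan service events rather than alerting on it alone.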