Monday November 03, 2025

Advisory ID:   ngCERT-2025-100009

SUMMARY

ngCERT cautions on active exploitation of two zero-day vulnerabilities in the Windows Remote Access Connection Manager (RasMan) service and the Windows Agere Modem Driver, tracked as CVE-2025-59230 and CVE-2025-24990 respectively. Both are elevation of privilege (EoP) flaws, the first stemming from improper access control in RasMan and the second from an untrusted pointer dereference in the modem driver, and both allow an attacker who already has low-privileged local access to escalate to SYSTEM. Two further vulnerabilities from the same release, CVE-2025-49708 and CVE-2025-55315, carry CVSS scores of 9.9. All of these were addressed in Microsoft's October 2025 Patch Tuesday updates, but systems that have not yet installed them remain at high risk of compromise. The ongoing in-the-wild exploitation underscores the need for organizations to deploy the security updates without delay.

Damage:      Critical (CVSS Score: 7.8)

Probability:  High 

Platform(s): Windows System (Remote Access Connection Manager and Windows Agere Modem Driver)

DESCRIPTION

The attack chain for CVE-2025-59230 begins when an attacker obtains low-privileged local access, typically through phishing, malware or social engineering. The attacker then sends specially crafted requests to the RasMan service, which manages dial-up and VPN connections and runs as LocalSystem. Because of improper access control, these requests bypass the intended restrictions, allowing the attacker to execute arbitrary code in the context of the service and so gain SYSTEM privileges. This grants full control of the host, including data manipulation and persistence. Functional exploit code has been observed in the wild.

For CVE-2025-24990, exploitation likewise starts with low-privileged local access to a system on which the Agere modem driver is present. The driver ships by default with all supported Windows versions, so the flaw is exposed even where no modem hardware is installed. The attacker interacts with the driver and triggers an untrusted pointer dereference that corrupts kernel memory, leading to arbitrary code execution in kernel mode and escalation to SYSTEM. Microsoft's fix removes the driver (ltmdm64.sys) from Windows rather than patching it, so any legacy fax or modem hardware that depends on it stops working once the update is installed. The flaw can be chained with other vulnerabilities, such as CVE-2025-24052, for broader attacks including ransomware deployment.

CONSEQUENCES

Successful exploitation of the aforementioned flaws can result in:

    1. Full system compromise.
    2. Data breaches.
    3. Malware infiltration.
    4. Data deletion and exfiltration.
    5. Ransomware deployment.
    6. Financial losses.
    7. Reputational damage.

SOLUTION/MITIGATION

ngCERT recommends the following:

    1. Immediately apply Microsoft's October 2025 security updates, followed by a system restart.
    2. For CVE-2025-59230, disable the RasMan service on systems that do not need it for dial-up or VPN connectivity; note that stopping it also breaks RAS-based VPN connections, so check dependent services first.
    3. Monitor logs for suspicious privilege escalations using tools like Sysmon or EDR.
    4. For CVE-2025-24990, audit and remove dependencies on Agere Modem hardware.
    5. If patching must be delayed, disable the fax modem device, for example through Group Policy device installation restrictions, until the October 2025 update can be applied.
    6. Restrict local logons to trusted accounts and implement least-privilege principles with AppLocker or Device Guard.
    7. Conduct vulnerability scans to identify exposed systems.
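The following PowerShell script is an added example and is not part of the ngCERT advisory or of any Microsoft tooling. It implements items 1 to 4 of the checklist above on a single host: it reports whether any update has been installed since the October 2025 Patch Tuesday date (14 October 2025), shows the RasMan service state and its dependents before optionally disabling it, checks for the Agere driver file and any Agere devices, and hunts Sysmon process-creation events for SYSTEM-level children of the RasMan service host. The function names are the author's own; KB numbers are deliberately not hard-coded because they differ per Windows version, and the Sysmon query assumes the default Sysmon operational log name. Run it from an elevated session.

```powershell
# Added example (not from the ngCERT advisory). Function names are the author's own.
# Requires an elevated PowerShell session on the host being checked.

function Get-PatchStatus {
    # Item 1: the fix shipped in the October 2025 Patch Tuesday update (14 Oct 2025).
    # KB numbers differ per Windows version, so rather than hard-coding one we
    # report the newest installed update and flag anything older than that date.
    $patchDay = Get-Date '2025-10-14'
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    [pscustomobject]@{
        LatestUpdate            = $latest.HotFixID
        InstalledOn             = $latest.InstalledOn
        PatchedSinceOctober2025 = ($latest.InstalledOn -ge $patchDay)
    }
}

function Get-RasManStatus {
    # Item 2: RasMan runs as LocalSystem inside a svchost. Disabling it breaks
    # dial-up and RAS-based VPN, so list dependents before touching it.
    $svc = Get-Service -Name RasMan
    [pscustomobject]@{
        Status     = $svc.Status
        StartType  = $svc.StartType
        Dependents = ($svc.DependentServices | ForEach-Object Name) -join ','
    }
}

function Disable-RasManIfUnused {
    # Item 2: only disable when nothing that depends on RasMan is running.
    $svc = Get-Service -Name RasMan
    if ($svc.DependentServices | Where-Object Status -eq 'Running') {
        Write-Warning 'RasMan has running dependents (VPN/RAS in use); not disabling.'
        return $false
    }
    Stop-Service -Name RasMan -Force
    Set-Service -Name RasMan -StartupType Disabled
    return $true
}

function Get-AgereModemDriverStatus {
    # Item 4: the vulnerable driver is ltmdm64.sys, which the October 2025 update
    # removes rather than patches. If the file is still present on a host that
    # reports as patched, the update did not apply cleanly.
    $driverPath = Join-Path $env:SystemRoot 'System32\drivers\ltmdm64.sys'
    $devices = Get-CimInstance Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -match 'Agere' -or $_.Manufacturer -match 'Agere' } |
        Select-Object DeviceName, DriverVersion, InfName
    [pscustomobject]@{
        DriverFilePresent = (Test-Path $driverPath)
        AgereDevices      = $devices
    }
}

function Find-RasManChildProcesses {
    # Item 3: hunt Sysmon Event ID 1 (process create) for processes whose parent
    # is the RasMan service host and which run as SYSTEM. RasMan has no business
    # spawning shells or scripting hosts; such a child matches the escalation
    # step of CVE-2025-59230. ASSUMPTION: Sysmon writes to its default log name.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            # RasMan's host command line is "svchost.exe -k netsvcs -p -s RasMan".
            if ($d.ParentCommandLine -match '-s\s+RasMan' -and $d.User -match 'SYSTEM') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Image       = $d.Image
                    CommandLine = $d.CommandLine
                    Parent      = $d.ParentCommandLine
                }
            }
        }
}

# Usage: run the checks and review before deciding to disable RasMan.
Get-PatchStatus
Get-RasManStatus
Get-AgereModemDriverStatus
Find-RasManChildProcesses -Hours 72 | Format-Table -AutoSize
```

Any hit from Find-RasManChildProcesses on a host that reports PatchedSinceOctober2025 as False should be treated as a possible compromise rather than a patching gap, and the host isolated before the update is applied. For fleet-wide coverage, wrap these functions in Invoke-Command against the host list produced by the vulnerability scan in item 7.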

HYPERLINK