CVE-2025-59230: 
vulnerability analysis and mitigation

Microsoft Windows contains an improper access control vulnerability (CVE-2025-59230) in Windows Remote Access Connection Manager, discovered and disclosed on October 14, 2025. The vulnerability affects multiple versions of Microsoft Windows operating systems, including Windows Server 2008 through Windows Server 2025, and Windows 10 through Windows 11 versions (NVD, CISA KEV).

The vulnerability is classified as an improper access control issue (CWE-284) that could allow privilege escalation. It has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements with low attack complexity and requiring low privileges (NVD).

When successfully exploited, this vulnerability allows an authorized attacker to elevate privileges locally on the affected system, potentially gaining administrator-level access to the compromised machine (CISA KEV).

CISA has established a due date of November 4, 2025, for federal agencies to apply vendor patches. Organizations are advised to apply mitigations according to vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable (CISA KEV).