Critical Windows RPC Vulnerability CVE-2022-XXXXX Lets Attackers Escalate Privileges

Marcus Rodriguez
April 25, 2026

Key Takeaways

  • A new architectural vulnerability, dubbed PhantomRPC, has been discovered in Windows Remote Procedure Call (RPC).
  • This flaw enables local privilege escalation, potentially granting attackers SYSTEM-level access across all Windows versions.
  • The vulnerability exploits how the Windows RPC runtime handles connections to unavailable servers, not a traditional memory corruption or logic bug.
  • Five distinct exploitation paths have been identified, none of which have received an official patch from Microsoft.
  • Mitigation strategies include RPC monitoring, enabling disabled services, and restricting SeImpersonatePrivilege.

A significant architectural flaw residing within the Windows Remote Procedure Call (RPC) framework, dubbed PhantomRPC, has been unveiled, posing a critical risk for local privilege escalation. This vulnerability could allow attackers to gain SYSTEM-level access and is believed to affect every iteration of the Microsoft Windows operating system.

Table Of Content

  • Key Takeaways
  • Five Exploitation Paths
  • Microsoft’s Response & No Patch
  • What You Should Do

Haidar Kabibo, an application security specialist at Kaspersky, presented comprehensive research on PhantomRPC at Black Hat Asia 2026 on April 24. His findings detailed five distinct methods through which this vulnerability could be exploited, none of which have yet been addressed by a Microsoft patch.

Unlike typical memory corruption issues or isolated logic flaws, PhantomRPC leverages an inherent design weakness in how the Windows RPC runtime (rpcrt4.dll) manages connections when target RPC servers are offline or inaccessible.

The vulnerability manifests when a highly privileged process attempts to initiate an RPC call to a server that is either disabled or unavailable. Critically, the RPC runtime fails to verify the legitimacy of any responding server.

This oversight creates an opportunity for attackers. A low-privileged process, such as one operating under the NT AUTHORITY\NETWORK SERVICE account, can deploy a malicious RPC server. This server then mimics a legitimate endpoint, intercepting calls intended for the unavailable genuine service.

[Figure: Malicious RPC Server (Kaspersky)]

The core of the attack hinges on the RpcImpersonateClient API. When a privileged client connects to the attacker’s fake server with a high impersonation level, the malicious server invokes this API. This action allows the attacker’s server to assume the client’s security context, effectively escalating privileges from a low-level service account directly to SYSTEM or Administrator.

Five Exploitation Paths

Researchers have identified five concrete scenarios demonstrating how PhantomRPC can be exploited:

  • gpupdate.exe Coercion: Forcing a Group Policy update via gpupdate /force causes the Group Policy Client service (running as SYSTEM) to make an RPC call to TermService. If TermService is disabled, an attacker’s fake RPC server can intercept this call, leading to SYSTEM-level access.
  • Microsoft Edge Startup: The launch of msedge.exe triggers an RPC call to TermService with a high impersonation level. An attacker with a spoofed endpoint can exploit this to escalate from Network Service to Administrator without requiring any user interaction.
  • WDI Background Service: The Diagnostic System Host (WdiSystemHost), operating as SYSTEM, periodically queries TermService every 5 to 15 minutes. This automated behavior requires no user interaction, allowing an attacker to simply wait for the call to be made.
  • ipconfig.exe and DHCP Client: Executing ipconfig.exe initiates an internal RPC call to the DHCP Client service. If the DHCP service is disabled and a malicious server is in place, an attacker with Local Service privileges can escalate to Administrator.
  • w32tm.exe and Windows Time: The Windows Time executable first attempts to connect to a non-existent named pipe, \PIPE\W32TIME. An attacker can expose this endpoint without disabling the legitimate W32Time service, then impersonate any privileged user who executes the binary.

Microsoft’s Response & No Patch

The vulnerability was initially reported to the Microsoft Security Response Center (MSRC) on September 19, 2025.

Twenty days later, Microsoft responded, classifying the issue as moderate severity. Their reasoning was that the attack necessitates SeImpersonatePrivilege, a privilege already held by default by Network Service and Local Service accounts. Consequently, no CVE was assigned, and the case was closed without a scheduled fix, as detailed in the Kaspersky report.

What You Should Do

Until an official patch is released by Microsoft, organizations can implement several mitigation strategies:

  • Activate ETW-based RPC Monitoring: Configure monitoring to detect RPC_S_SERVER_UNAVAILABLE errors (Event ID 1) in conjunction with high impersonation levels originating from privileged processes.
  • Enable Disabled Services: Where feasible and secure, reactivate services such as TermService. This ensures legitimate endpoints are active and cannot be hijacked by malicious RPC servers.
  • Restrict SeImpersonatePrivilege: Limit the SeImpersonatePrivilege to only those processes that have an absolute requirement for it. Avoid granting this privilege to custom or third-party applications unnecessarily.
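As an added example (not from the article or from Kaspersky's tooling), the ETW-based monitoring rule above expressed as detection logic in Python and run over constructed sample records. The JSON shape and field names are assumptions for this example; the status and impersonation-level constants are the standard Win32/RPC values.

```python
"""Flag RPC_S_SERVER_UNAVAILABLE failures that a privileged client issued with a
high impersonation level: the precondition PhantomRPC relies on."""
import json
from collections import Counter

RPC_S_SERVER_UNAVAILABLE = 1722        # Win32 status returned when no server answers
RPC_C_IMP_LEVEL_IMPERSONATE = 3        # 3 = impersonate, 4 = delegate (both "high")
PRIVILEGED_ACCOUNTS = {r"NT AUTHORITY\SYSTEM"}

# Constructed sample records. Field names are assumptions for this example,
# not the real schema of the Microsoft-Windows-RPC ETW provider.
SAMPLE_EVENTS = [
    r'{"EventId":1,"Process":"svchost.exe (gpsvc)","Account":"NT AUTHORITY\\SYSTEM","Endpoint":"TermService","ImpersonationLevel":3,"Status":1722}',
    r'{"EventId":1,"Process":"svchost.exe (WdiSystemHost)","Account":"NT AUTHORITY\\SYSTEM","Endpoint":"TermService","ImpersonationLevel":3,"Status":1722}',
    r'{"EventId":1,"Process":"msedge.exe","Account":"CORP\\alice","Endpoint":"TermService","ImpersonationLevel":3,"Status":1722}',
    r'{"EventId":1,"Process":"svchost.exe (gpsvc)","Account":"NT AUTHORITY\\SYSTEM","Endpoint":"TermService","ImpersonationLevel":2,"Status":1722}',
    r'{"EventId":1,"Process":"svchost.exe (gpsvc)","Account":"NT AUTHORITY\\SYSTEM","Endpoint":"Dhcp","ImpersonationLevel":3,"Status":0}',
]

def is_suspicious(ev):
    """True when a privileged client failed to reach a server while offering
    impersonate-level (or higher) credentials to whoever answers."""
    return (ev.get("EventId") == 1
            and ev.get("Status") == RPC_S_SERVER_UNAVAILABLE
            and ev.get("ImpersonationLevel", 0) >= RPC_C_IMP_LEVEL_IMPERSONATE
            and ev.get("Account") in PRIVILEGED_ACCOUNTS)

def detect(lines):
    """Parse JSON event lines and return one alert dict per suspicious record."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                      # skip malformed records rather than crash
        if is_suspicious(ev):
            alerts.append({"process": ev["Process"], "endpoint": ev["Endpoint"],
                           "account": ev["Account"], "level": ev["ImpersonationLevel"]})
    return alerts

def endpoints_to_review(alerts):
    """Count hits per endpoint; a repeatedly unreachable service (for example a
    disabled TermService) is the one to re-enable or otherwise protect."""
    return Counter(a["endpoint"] for a in alerts)

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"ALERT {a['process']} as {a['account']} -> {a['endpoint']} (level {a['level']})")
    print(endpoints_to_review(found))
```

The user-context Edge call, the identify-level call and the successful call are all dropped, leaving only the two SYSTEM-to-TermService failures worth investigating.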

Kaspersky has made all research tools available via the PhantomRPC GitHub repository, enabling organizations to audit their own environments for potential RPC call patterns that could be exploited.
