Critical Windows RPC Vulnerability Allows Privilege Escalation


Marcus Rodriguez
April 25, 2026

PhantomRPC, a newly identified architectural vulnerability in Windows Remote Procedure Call (RPC), allows for local privilege escalation. This critical flaw grants attackers SYSTEM-level access and could potentially affect every version of Windows.

The research was presented by Kaspersky application security specialist Haidar Kabibo at Black Hat Asia 2026 on April 24 and details five distinct exploitation paths, none of which have received a patch from Microsoft.

PhantomRPC is not a classic memory corruption bug or a logic flaw in a single component. Instead, it exploits an architectural design weakness in how the Windows RPC runtime (rpcrt4.dll) handles connections to unavailable RPC servers.

When a highly privileged process attempts an RPC call to a server that is offline or disabled, the RPC runtime does not verify whether the responding server is legitimate.

This means an attacker who controls a low-privileged process, such as one running under NT AUTHORITY\NETWORK SERVICE, can deploy a malicious RPC server that mimics a legitimate endpoint and intercept those calls.

Malicious RPC Server (Kaspersky)

The core abuse relies on the RpcImpersonateClient API. When a privileged client connects to the fake server with a high impersonation level, the attacker’s server calls this API to assume the client’s security context — escalating from a low-privileged service account directly to SYSTEM or Administrator.

Five Exploitation Paths

Researchers identified five concrete attack scenarios:

  • gpupdate.exe coercion — Triggering gpupdate /force causes the Group Policy Client service (running as SYSTEM) to make an RPC call to TermService. If TermService is disabled, the attacker’s fake RPC server intercepts the call, yielding SYSTEM-level access.
  • Microsoft Edge startup — When msedge.exe launches, it triggers an RPC call to TermService with a high impersonation level. An attacker waiting with a spoofed endpoint can escalate from Network Service to Administrator without any coercion.
  • WDI background service — The Diagnostic System Host (WdiSystemHost), running as SYSTEM, periodically polls TermService every 5–15 minutes. No user interaction is required; the attacker simply waits for the automated call.
  • ipconfig.exe and DHCP Client — Executing ipconfig.exe triggers an internal RPC call to the DHCP Client service. With DHCP disabled and a fake server in place, a Local Service attacker escalates to Administrator.
  • w32tm.exe and Windows Time — The Windows Time executable first attempts to connect to a nonexistent named pipe, \PIPE\W32TIME. An attacker can expose this endpoint without disabling the legitimate W32Time service, then impersonate any privileged user who runs the binary.

Microsoft’s Response — No Patch

The vulnerability was reported to Microsoft Security Response Center (MSRC) on September 19, 2025.

Microsoft responded 20 days later, classifying the issue as moderate severity on the grounds that the attack requires SeImpersonatePrivilege, a privilege already held by default by the Network Service and Local Service accounts.

“No CVE was assigned, and the case was closed without a scheduled fix,” reads the Kaspersky report.

Until a patch is issued, defenders can take the following steps:

  • Enable ETW-based RPC monitoring to detect RPC_S_SERVER_UNAVAILABLE errors (Event ID 1) combined with high impersonation levels from privileged processes.
  • Enable disabled services such as TermService where feasible, so legitimate endpoints are occupied and cannot be hijacked.
  • Restrict SeImpersonatePrivilege to only those processes that strictly require it; do not grant it to custom or third-party applications.
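The first mitigation above is a three-way correlation: an RPC client call that failed because the server was unavailable, made by a privileged identity, at an impersonation level a rogue server could actually use. The Python below is an added example of that correlation logic run over constructed event records; it is not code from the article or from Kaspersky's PhantomRPC tooling. The record field names (event_id, process, user, endpoint, status, impersonation_level) are assumptions to be mapped onto whatever your ETW consumer emits for the RPC provider; the RPC_S_SERVER_UNAVAILABLE status code and the RPC_C_IMP_LEVEL_* constants are the documented Win32 values.

```python
"""PhantomRPC-style detection rule over RPC client-call error records (added example).

Flags calls that (a) failed with RPC_S_SERVER_UNAVAILABLE, (b) were made by a
privileged identity and (c) requested an impersonation level high enough for a
rogue server to call RpcImpersonateClient on the caller's context.
"""
from collections import Counter

# Win32 status code RPC_S_SERVER_UNAVAILABLE (1722 / 0x6BA)
RPC_S_SERVER_UNAVAILABLE = 1722

# RPC impersonation levels (RPC_C_IMP_LEVEL_* from rpcdce.h)
RPC_C_IMP_LEVEL_ANONYMOUS = 1
RPC_C_IMP_LEVEL_IDENTIFY = 2
RPC_C_IMP_LEVEL_IMPERSONATE = 3
RPC_C_IMP_LEVEL_DELEGATE = 4

# Event ID the article cites for the RPC client-call error record (assumed schema)
RPC_CLIENT_CALL_ERROR_EVENT_ID = 1

# Identities whose security context is worth stealing; tune for your estate
PRIVILEGED_IDENTITIES = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Constructed sample records; field names are an assumption, not the ETW schema
SAMPLE_EVENTS = [
    # gpsvc (SYSTEM) calling a disabled TermService at impersonate level -> hit
    {"event_id": 1, "process": "svchost.exe", "user": "NT AUTHORITY\\SYSTEM",
     "endpoint": "TermService", "status": 1722, "impersonation_level": 3},
    # WdiSystemHost's periodic poll of the same endpoint -> second hit, same pair
    {"event_id": 1, "process": "svchost.exe", "user": "NT AUTHORITY\\SYSTEM",
     "endpoint": "TermService", "status": 1722, "impersonation_level": 3},
    # Edge as an ordinary user: same failure, but not a privileged identity
    {"event_id": 1, "process": "msedge.exe", "user": "CONTOSO\\alice",
     "endpoint": "TermService", "status": 1722, "impersonation_level": 3},
    # w32tm at identify level: a rogue server could not impersonate the caller
    {"event_id": 1, "process": "w32tm.exe", "user": "NT AUTHORITY\\SYSTEM",
     "endpoint": "\\PIPE\\W32TIME", "status": 1722, "impersonation_level": 2},
    # DHCP client reachable: call succeeded, nothing to hijack
    {"event_id": 1, "process": "svchost.exe", "user": "NT AUTHORITY\\SYSTEM",
     "endpoint": "Dhcp", "status": 0, "impersonation_level": 3},
    # Unrelated RPC event ID, ignored by the rule
    {"event_id": 5, "process": "svchost.exe", "user": "NT AUTHORITY\\SYSTEM",
     "endpoint": "TermService", "status": 1722, "impersonation_level": 3},
]


def is_suspicious(event):
    """True when a record satisfies all three conditions of the heuristic."""
    return (
        event.get("event_id") == RPC_CLIENT_CALL_ERROR_EVENT_ID
        and event.get("status") == RPC_S_SERVER_UNAVAILABLE
        and event.get("impersonation_level", 0) >= RPC_C_IMP_LEVEL_IMPERSONATE
        and event.get("user") in PRIVILEGED_IDENTITIES
    )


def find_phantom_rpc_candidates(events):
    """Return one finding per matching record, rated by the identity at stake."""
    findings = []
    for ev in events:
        if is_suspicious(ev):
            findings.append({
                "process": ev["process"],
                "user": ev["user"],
                "endpoint": ev["endpoint"],
                "severity": "critical" if ev["user"] == "NT AUTHORITY\\SYSTEM" else "high",
            })
    return findings


def summarize(findings):
    """Collapse repeated hits (e.g. a service polling every few minutes) into counts per caller/endpoint."""
    return Counter((f["process"], f["endpoint"]) for f in findings)


if __name__ == "__main__":
    hits = find_phantom_rpc_candidates(SAMPLE_EVENTS)
    for (process, endpoint), n in summarize(hits).items():
        print(f"{process} -> {endpoint}: {n} unavailable-server call(s) at impersonate level or higher")
```

The summary step matters in practice: the WDI path in the article fires on its own every 5–15 minutes, so a raw per-event alert would be noisy while a per-caller/endpoint count surfaces the same condition once and also shows which disabled endpoint is being called, which is the service to re-enable under the second mitigation.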

Kaspersky has released all tools used in the research framework via the PhantomRPC GitHub repository, allowing organizations to audit their own environments for exploitable RPC call patterns.
