Critical Windows RPC Vulnerability CVE-2022-XXXXX Lets Attackers Escalate Privileges
Key Takeaways
- A new architectural vulnerability, dubbed PhantomRPC, has been discovered in Windows Remote Procedure Call (RPC).
- This flaw enables local privilege escalation, potentially granting attackers SYSTEM-level access across all Windows versions.
- The vulnerability exploits how the Windows RPC runtime handles connections to unavailable servers, not a traditional memory corruption or logic bug.
- Five distinct exploitation paths have been identified, none of which have received an official patch from Microsoft.
- Mitigation strategies include RPC monitoring, enabling disabled services, and restricting SeImpersonatePrivilege.
A significant architectural flaw residing within the Windows Remote Procedure Call (RPC) framework, dubbed PhantomRPC, has been unveiled, posing a critical risk for local privilege escalation. This vulnerability could allow attackers to gain SYSTEM-level access and is believed to affect every iteration of the Microsoft Windows operating system.
Haidar Kabibo, an application security specialist at Kaspersky, presented comprehensive research on PhantomRPC at Black Hat Asia 2026 on April 24. His findings detailed five distinct methods through which this vulnerability could be exploited, none of which have yet been addressed by a Microsoft patch.
Unlike typical memory corruption issues or isolated logic flaws, PhantomRPC leverages an inherent design weakness in how the Windows RPC runtime (rpcrt4.dll) manages connections when target RPC servers are offline or inaccessible.
The vulnerability manifests when a highly privileged process attempts to initiate an RPC call to a server that is either disabled or unavailable. Critically, the RPC runtime fails to verify the legitimacy of any responding server.
This oversight creates an opportunity for attackers. A low-privileged process, such as one operating under the NT AUTHORITY\NETWORK SERVICE account, can deploy a malicious RPC server. This server then mimics a legitimate endpoint, intercepting calls intended for the unavailable genuine service.

The core of the attack hinges on the RpcImpersonateClient API. When a privileged client connects to the attacker’s fake server with a high impersonation level, the malicious server invokes this API. This action allows the attacker’s server to assume the client’s security context, effectively escalating privileges from a low-level service account directly to SYSTEM or Administrator.
Five Exploitation Paths
Researchers have identified five concrete scenarios demonstrating how PhantomRPC can be exploited:
- gpupdate.exe Coercion: Forcing a Group Policy update via gpupdate /force causes the Group Policy Client service (running as SYSTEM) to make an RPC call to TermService. If TermService is disabled, an attacker's fake RPC server can intercept this call, leading to SYSTEM-level access.
- Microsoft Edge Startup: The launch of msedge.exe triggers an RPC call to TermService with a high impersonation level. An attacker with a spoofed endpoint can exploit this to escalate from Network Service to Administrator without requiring any user interaction.
- WDI Background Service: The Diagnostic System Host (WdiSystemHost), operating as SYSTEM, periodically queries TermService every 5 to 15 minutes. This automated behavior requires no user interaction, allowing an attacker to simply wait for the call to be made.
- ipconfig.exe and DHCP Client: Executing ipconfig.exe initiates an internal RPC call to the DHCP Client service. If the DHCP service is disabled and a malicious server is in place, an attacker with Local Service privileges can escalate to Administrator.
- w32tm.exe and Windows Time: The Windows Time executable first attempts to connect to a non-existent named pipe, \PIPE\W32TIME. An attacker can expose this endpoint without disabling the legitimate W32Time service, then impersonate any privileged user who executes the binary.
Microsoft’s Response & No Patch
The vulnerability was initially reported to the Microsoft Security Response Center (MSRC) on September 19, 2025.
Twenty days later, Microsoft responded, classifying the issue as moderate severity. Their reasoning was that the attack necessitates SeImpersonatePrivilege, a privilege already held by default by Network Service and Local Service accounts. Consequently, no CVE was assigned, and the case was closed without a scheduled fix, as detailed in the Kaspersky report.
What You Should Do
Until an official patch is released by Microsoft, organizations can implement several mitigation strategies:
- Activate ETW-based RPC Monitoring: Configure monitoring to detect RPC_S_SERVER_UNAVAILABLE errors (Event ID 1) in conjunction with high impersonation levels originating from privileged processes.
- Enable Disabled Services: Where feasible and secure, reactivate services such as TermService. This ensures legitimate endpoints are active and cannot be hijacked by malicious RPC servers.
- Restrict SeImpersonatePrivilege: Limit SeImpersonatePrivilege to only those processes that have an absolute requirement for it. Avoid granting this privilege to custom or third-party applications unnecessarily.
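The read-only audit script below is an added example, not code from the article or from Kaspersky's PhantomRPC tooling. It turns the three mitigations above into checks an administrator can run on a host: which of the services named in the article are disabled (assumed service names TermService, Dhcp and W32Time), whether a \PIPE\W32TIME named pipe exists even though the article says W32Time never creates one, which accounts hold SeImpersonatePrivilege beyond the Windows defaults, and a triage filter for Event ID 1 records from the Microsoft-Windows-RPC ETW provider. The message-text patterns in the last function are an assumption about how the error code and impersonation level render in the event text and must be checked against a real event before being trusted.

```powershell
# Added defender-side audit example for the PhantomRPC mitigations.
# Service names, the pipe path and the ETW message patterns are assumptions
# noted inline; nothing here changes system state.

# 1. Services whose disabled state leaves an RPC endpoint free to be
#    registered by another process. Re-enabling is a policy decision; this
#    function only reports StartMode/State.
$WatchedServices = @('TermService', 'Dhcp', 'W32Time')   # assumption: Windows service names

function Get-WatchedServiceState {
    foreach ($name in $WatchedServices) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        $startMode = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
        $state     = if ($svc) { $svc.State }     else { 'NotInstalled' }
        $finding   = if ($svc -and $svc.StartMode -eq 'Disabled') { 'Disabled: endpoint unclaimed' } else { 'OK' }
        [pscustomobject]@{ Service = $name; StartMode = $startMode; State = $state; Finding = $finding }
    }
}

# 2. The article states that W32Time itself never creates \PIPE\W32TIME, so
#    the pipe being present means some other process registered it.
#    Directory.GetFiles on \\.\pipe\ enumerates live named pipes.
function Test-UnexpectedW32TimePipe {
    $pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')
    $hit = $pipes | Where-Object { $_ -match '\\pipe\\W32TIME$' }   # -match is case-insensitive
    return [bool]$hit
}

# 3. SeImpersonatePrivilege holders. secedit exports local policy as an INI
#    file whose [Privilege Rights] section lists SIDs per privilege.
#    Defaults: S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE,
#    S-1-5-32-544 Administrators, S-1-5-6 SERVICE. Anything else deserves review.
function Get-SeImpersonateHolders {
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    $sids = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    $defaults = @('S-1-5-19', 'S-1-5-20', 'S-1-5-32-544', 'S-1-5-6')
    foreach ($sid in $sids) {
        try {
            $account = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $account = $sid }
        [pscustomobject]@{ SID = $sid; Account = $account; IsDefault = ($defaults -contains $sid) }
    }
}

# 4. Triage filter for events collected from the Microsoft-Windows-RPC ETW
#    provider (for example an .etl file opened with Get-WinEvent -Path). The
#    article's indicator is Event ID 1 carrying RPC_S_SERVER_UNAVAILABLE
#    (Win32 error 1722, 0x6BA) together with a high impersonation level.
#    ASSUMPTION: the patterns below describe how those fields appear in the
#    rendered message; verify against a real event and adjust.
function Select-PhantomRpcCandidate {
    param([Parameter(ValueFromPipeline)] $RpcEvent)
    process {
        if ($RpcEvent.Id -ne 1) { return }
        $msg = [string]$RpcEvent.Message
        $unavailable = $msg -match 'RPC_S_SERVER_UNAVAILABLE|\b1722\b|0x6BA'
        $highImp     = $msg -match 'Impersonat|Delegat'
        if ($unavailable -and $highImp) { $RpcEvent }
    }
}

# Usage (run in an elevated PowerShell session; secedit requires it):
#   Get-WatchedServiceState | Format-Table
#   Test-UnexpectedW32TimePipe
#   Get-SeImpersonateHolders | Where-Object { -not $_.IsDefault }
#   Get-WinEvent -Path .\rpc-trace.etl -Oldest | Select-PhantomRpcCandidate
```

The service and privilege checks are the ones worth baselining across a fleet: a service that is Disabled on one host but Automatic elsewhere, or a non-default SID holding SeImpersonatePrivilege, is the configuration drift the article's mitigations are aimed at. The ETW filter is deliberately narrow (Event ID 1, error 1722, high impersonation) so that ordinary RPC failures from services that are merely stopped do not flood the result.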
Kaspersky has made all research tools available via the PhantomRPC GitHub repository, enabling organizations to audit their own environments for potential RPC call patterns that could be exploited.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.