25 Apr 2026, Sat

New Windows RPC Vulnerability Lets Attackers Escalate Privileges Across All Windows Versions

PhantomRPC is a newly identified architectural vulnerability in the Windows Remote Procedure Call (RPC) runtime that enables local privilege escalation to SYSTEM and potentially affects every version of Windows.

The research was presented by Kaspersky application security specialist Haidar Kabibo at Black Hat Asia 2026 on April 24 and details five distinct exploitation paths, none of which have received a patch from Microsoft.

PhantomRPC is not a classic memory corruption bug or a logic flaw in a single component. Instead, it exploits an architectural design weakness in how the Windows RPC runtime (rpcrt4.dll) handles connections to unavailable RPC servers.

When a highly privileged process attempts an RPC call to a server that is offline or disabled, the RPC runtime does not verify whether the responding server is legitimate.

This means an attacker who controls a low-privileged process, such as one running as NT AUTHORITY\NETWORK SERVICE, can register a malicious RPC server on the endpoint the legitimate service would normally occupy and intercept those calls.

[Image: malicious RPC server (Kaspersky)]

The core abuse relies on the RpcImpersonateClient API. When a privileged client connects to the fake server with a high impersonation level, the attacker’s server calls this API to assume the client’s security context — escalating from a low-privileged service account directly to SYSTEM or Administrator.

Five Exploitation Paths

Researchers identified five concrete attack scenarios:

  • gpupdate.exe coercion — Triggering gpupdate /force causes the Group Policy Client service (running as SYSTEM) to make an RPC call to TermService. If TermService is disabled, the attacker’s fake RPC server intercepts the call, yielding SYSTEM-level access.
  • Microsoft Edge startup — When msedge.exe launches, it triggers an RPC call to TermService with a high impersonation level. An attacker waiting with a spoofed endpoint can escalate from Network Service to Administrator without any coercion.
  • WDI background service — The Diagnostic System Host (WdiSystemHost), running as SYSTEM, periodically polls TermService every 5–15 minutes. No user interaction is required; the attacker simply waits for the automated call.
  • ipconfig.exe and DHCP Client — Executing ipconfig.exe triggers an internal RPC call to the DHCP Client service. With DHCP disabled and a fake server in place, a Local Service attacker escalates to Administrator.
  • w32tm.exe and Windows Time — The Windows Time executable first attempts to connect to a named pipe, \PIPE\W32TIME, that does not exist on a default system. An attacker can expose this endpoint without disabling the legitimate W32Time service, then impersonate any privileged user who runs the binary.

Microsoft’s Response — No Patch

The vulnerability was reported to Microsoft Security Response Center (MSRC) on September 19, 2025.

Microsoft responded 20 days later, classifying the issue as moderate severity on the grounds that the attack requires SeImpersonatePrivilege, a privilege that the Network Service and Local Service accounts hold by default.

"No CVE was assigned, and the case was closed without a scheduled fix," the Kaspersky report reads.

Until a patch is issued, defenders can take the following steps:

  • Enable ETW-based RPC monitoring and alert on RPC_S_SERVER_UNAVAILABLE errors (Event ID 1) raised by privileged processes that connect with a high impersonation level.
  • Enable disabled services such as TermService where feasible, so legitimate endpoints are occupied and cannot be hijacked.
  • Restrict SeImpersonatePrivilege to only those processes that strictly require it; do not grant it to custom or third-party applications.
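To turn the precondition described above (a privileged client calling an endpoint that no legitimate server occupies) and the three mitigations into something checkable on a host, the following PowerShell audit is an added example; it is not code from Kaspersky, from the article, or from the PhantomRPC repository. It reports which of the three target services are not running and so leave their endpoint free for a fake server, whether a \PIPE\W32TIME pipe exists even though the legitimate service never creates one, and which accounts hold SeImpersonatePrivilege beyond the defaults. Assumptions: the Windows service short names TermService, Dhcp (DHCP Client) and W32Time; a default holder set of Administrators, SERVICE, LOCAL SERVICE and NETWORK SERVICE; and that a stopped manual-start service is as exposed as a disabled one, which goes slightly beyond the article's wording. The script is read-only and needs an elevated session.

```powershell
#Requires -RunAsAdministrator
# PhantomRPC exposure audit (added example, not code from Kaspersky or the
# PhantomRPC repository). Read-only: it changes nothing on the host.

# Services the article names as targets of the five exploitation paths.
# Assumption: standard service short names; 'Dhcp' is the DHCP Client service.
$TargetServices = 'TermService', 'Dhcp', 'W32Time'

# Default holders of SeImpersonatePrivilege: Administrators, SERVICE,
# LOCAL SERVICE, NETWORK SERVICE. Assumption: the host follows the default
# Microsoft policy; a domain GPO or IIS may legitimately add entries.
$DefaultImpersonators = 'S-1-5-32-544', 'S-1-5-6', 'S-1-5-19', 'S-1-5-20'

function Get-PhantomRpcServiceExposure {
    # A service that is not running leaves its RPC endpoint unoccupied, the
    # precondition for the gpupdate, Edge, WDI and ipconfig paths. The article
    # talks about disabled services; a stopped manual-start service is treated
    # the same way here because it is not listening either (assumption).
    foreach ($name in $TargetServices) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        [pscustomobject]@{
            Service   = $name
            State     = if ($svc) { $svc.State } else { 'not installed' }
            StartMode = if ($svc) { $svc.StartMode } else { '-' }
            Exposed   = (-not $svc) -or ($svc.State -ne 'Running')
        }
    }
}

function Test-W32TimePipeHijack {
    # w32tm.exe first tries \PIPE\W32TIME, which the legitimate W32Time service
    # does not create. If that pipe exists, some other process registered it.
    $pipes = [System.IO.Directory]::GetFiles('\\.\pipe\') |
        ForEach-Object { Split-Path -Path $_ -Leaf }
    return [bool]($pipes -contains 'W32TIME')
}

function Get-SeImpersonateHolders {
    # secedit is the supported way to read the effective user-rights assignment;
    # the export is a UTF-16 .inf file with lines like
    #   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
    $cfg = Join-Path -Path $env:TEMP -ChildPath 'phantomrpc-userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    try {
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' } |
            Select-Object -First 1
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
    if (-not $line) { return @() }
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $sid = $entry.Trim().TrimStart('*')
        $account = $sid
        try {
            # Resolve the SID to a name for readability; keep the raw SID if the
            # entry is already a name or cannot be resolved on this host.
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { }
        [pscustomobject]@{
            Account   = $account
            Sid       = $sid
            IsDefault = ($DefaultImpersonators -contains $sid)
        }
    }
}

# Out-Host forces each table to render before the next line of output.
Get-PhantomRpcServiceExposure | Format-Table -AutoSize | Out-Host
if (Test-W32TimePipeHijack) {
    Write-Warning 'A \PIPE\W32TIME endpoint exists but the legitimate W32Time service does not create one; identify the owning process.'
} else {
    Write-Host 'No \PIPE\W32TIME endpoint present (expected).'
}
Get-SeImpersonateHolders | Format-Table -AutoSize | Out-Host
```

A service reported as Exposed is a candidate for the "keep the service running so its endpoint stays occupied" mitigation; a W32TIME pipe that exists on a host where nobody expects one is worth tracing to its owning process; and every non-default SeImpersonatePrivilege holder is one more account from which the attacker's RPC server could be hosted.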

Kaspersky has released all tools used in the research framework via the PhantomRPC GitHub repository, allowing organizations to audit their own environments for exploitable RPC call patterns.


The post New Windows RPC Vulnerability Lets Attackers Escalate Privileges Across All Windows Versions appeared first on Cyber Security News.