PhantomRPC, a newly identified architectural vulnerability in Windows Remote Procedure Call (RPC) that enables local privilege escalation to SYSTEM-level access, potentially affecting every version of Windows.<\/p>\n
The research was presented by Kaspersky application security specialist Haidar Kabibo at Black Hat Asia 2026 on April 24 and details five distinct exploitation paths, none of which have received a patch from Microsoft.<\/p>\n
PhantomRPC is not a classic memory corruption bug or a logic flaw in a single component. Instead, it exploits an architectural design weakness in how the Windows RPC runtime<\/a> (rpcrt4.dll) handles connections to unavailable RPC servers.<\/p>\n When a highly privileged process attempts an RPC call to a server that is offline or disabled, the RPC runtime does not verify whether the responding server is legitimate.<\/p>\n This means an attacker who controls a low-privileged process, such as one running under NT AUTHORITYNETWORK SERVICE, can deploy a malicious RPC server that mimics a legitimate endpoint and intercept those calls.<\/p>\n The core abuse relies on the Researchers identified five concrete attack scenarios:<\/p>\n The vulnerability was reported to Microsoft Security Response Center (MSRC) on September 19, 2025.<\/p>\n Microsoft responded 20 days later, classifying the issue as moderate severity on the grounds that the attack requires No CVE was assigned, and the case was closed without a scheduled fix, reads the Kaspersky report<\/a>.<\/p>\n Until a patch is issued, defenders can take the following steps:<\/p>\n Kaspersky has released all tools used in the research framework via the PhantomRPC GitHub repository<\/a>, allowing organizations to audit their own environments for exploitable RPC call patterns.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post New Windows RPC Vulnerability Lets Attackers Escalate Privileges Across All Windows Versions<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiqyf9qf5VLADTrYScOqGBA2JB5FRvxmKL3ZY0k0dH5tfyE-FBQQtgYXVjrzEOaMS3HruqMuMm-XEQ0BCj9tSbn3KnUwYJpoj9R_RG3gS4-wYv1ZxzaSC6rZpAsGTu2XDmPlGSeAPCUzopCQfoegSFt74j7WDmDyuTgy_CSJ4jtA-kgaW3bV5KvrFPlRyLK\/s16000\/Group%2520Policy%2520Phantomrpc.webp?ssl=1\")
RpcImpersonateClient<\/code> API. When a privileged client connects to the fake server with a high impersonation level, the attacker\u2019s server calls this API to assume the client\u2019s security context \u2014 escalating from a low-privileged service account directly to SYSTEM or Administrator.<\/p>\nFive Exploitation Paths<\/strong><\/h2>\n
\n
gpupdate \/force<\/code> causes the Group Policy Client service (running as SYSTEM) to make an RPC call to TermService. If TermService is disabled, the attacker\u2019s fake RPC server intercepts the call, yielding SYSTEM-level access.<\/li>\nipconfig.exe<\/code> triggers an internal RPC call to the DHCP Client service. With DHCP disabled and a fake server in place, a Local Service attacker escalates to Administrator.<\/li>\nPIPEW32TIME<\/code>. An attacker can expose this endpoint without disabling the legitimate W32Time service, then impersonate any privileged user who runs the binary.<\/li>\n<\/ul>\nMicrosoft\u2019s Response \u2014 No Patch<\/strong><\/h2>\n
SeImpersonatePrivilege<\/code> a privilege already held by default by Network Service and Local Service accounts.<\/p>\n\n
RPC_S_SERVER_UNAVAILABLE<\/code> errors (Event ID 1) combined with high impersonation levels from privileged processes.<\/li>\n