An unpatched vulnerability can allow for privilege escalation across Windows systems through the abuse of the Remote Procedure Call (RPC) architecture in Microsoft’s OS.
Called PhantomRPC, the flaw stems from an architectural weakness in how RPC handles connections to unavailable services, according to Haidar Kabibo, a middle application security specialist at Kaspersky who discovered the flaw and shared his findings in a recent post on X and in a blog post published Friday.
By exploiting the flaw, an attacker with limited local access can deploy a malicious RPC server that impersonates legitimate Windows services. In this way, when higher-privileged processes connect to the server, the attacker can impersonate them to escalate privileges to SYSTEM or administrator levels.
“The operating system permits the deployment of RPC servers using the same endpoint assigned to RPC servers exposed by legitimate services, provided that those services are not running,” Kabibo tells Dark Reading. “This behavior enables any process to deploy an RPC server that mimics a legitimate service and receive all the RPC client calls originally intended for the authentic server.”

If some of these calls originate from highly privileged accounts, and the hosting process possesses the “SeImpersonatePrivilege,” a low-privileged process may impersonate such clients and thereby escalate its privileges, he says, describing it in his X post as “an architecture problem.”

“The Microsoft Windows operating system is designed to run with multiple user accounts, each having different privileges inside the system,” Kabibo explains, citing Network Service and Local Service, both restricted service accounts, as two examples of low-privilege accounts. “If an attacker gains a foothold in services running under these identities and exploits the bug presented in the research, they may be able to escalate their privileges from these low-privileged accounts to the SYSTEM level and gain control of the entire operating system.”
No Patch Despite Various Exploit Paths
Windows’ RPC is an architecture-level mechanism for communication between two processes, enabling one process to invoke functions that are implemented in another process, even though they are running in different execution contexts.
Kaspersky disclosed the flaw to Microsoft via a 10-page technical report last September. In October, Microsoft assessed the flaw to be of only “moderate severity” and ineligible for a bounty, and did not issue a CVE. Moreover, “the case was closed without further tracking,” Kabibo wrote in the post.
“Microsoft explained that the moderate severity classification was due to the requirement that the originating process had to already possess the SeImpersonatePrivilege privilege,” he wrote. “Since this privilege was typically required for the attack to succeed, Microsoft determined that the issue did not require immediate remediation.”
Despite this assessment, Kabibo said there are five exploit paths for abusing the flaw, which he outlined in detail in his post. Microsoft did not immediately respond to a request for comment from Dark Reading on Monday on its reasoning for not mitigating the flaw.
Kabibo tested his proof-of-concept (PoC) exploits on Windows Server 2022 and Windows Server 2025 with the latest available updates prior to the date he submitted the flaw to Microsoft in September. “However, it is highly likely that this issue may also be exploitable on other Windows versions,” he wrote.
The PoCs can be found in a GitHub repository.
The scenarios for exploitation differ by which processes are used to elevate privileges, but all of them stem from the architectural issue inherent in RPC. What this basically means is that any process that can register an RPC endpoint and receive a privileged connection can transform that into a SYSTEM token, elevating an attacker’s privileges on a Windows system, according to Kaspersky.
Defenders Are on Their Own
Privilege escalation remains a huge concern for Windows defenders; in fact, more than half of the 165 vulnerabilities patched by Microsoft in April were privilege escalation flaws.
With no fix for PhantomRPC forthcoming, the countless organizations that use Windows systems are on their own to mitigate the issue. To help guide them, Kaspersky advised that organizations take two fundamental steps to protect themselves from exploitation of the flaw.
One is to implement monitoring based on Event Tracing for Windows (ETW), which allows defenders to identify RPC exceptions within their environment, particularly cases where RPC clients attempt to connect to unavailable servers. Monitoring such events can help administrators detect situations in which legitimate RPC servers are expected but not running, Kabibo said.
“In some cases, the attack surface may be reduced by enabling the corresponding services, ensuring that the legitimate RPC endpoint is available,” he wrote. “This can hinder attackers from deploying malicious RPC servers that imitate legitimate endpoints.”
The second is to grant SeImpersonatePrivilege only to processes that strictly require it. Granting it to custom or third-party processes, as is sometimes done, “is generally not considered good security practice,” Kabibo wrote.
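The two mitigations above, and the preconditions Kabibo describes earlier (a foothold in a service running as Local Service or Network Service, plus a process holding SeImpersonatePrivilege), can be checked from an elevated PowerShell session. The script below is an added example written for this page; it is not code from the article, from Kaspersky, or from the PoC repository. The function names and ETW session name are my own, the provider name Microsoft-Windows-RPC is assumed to be the built-in RPC ETW provider, and the set of default SIDs for the "Impersonate a client after authentication" right is taken from Microsoft's documented defaults (Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE).

```powershell
# Added example (not from the article or Kaspersky's research). Audits two things
# the article ties together: who holds SeImpersonatePrivilege on this host, and
# which services run as the restricted Local Service / Network Service identities.
# Assumptions: elevated session; secedit.exe and logman.exe are present (both ship
# with Windows). Function names and the trace session name are my own.

function Get-ImpersonatePrivilegeHolders {
    # Export only the user-rights area of the local security policy to a temp INF.
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

    try {
        # The relevant line looks like:
        # SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
        $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
    if (-not $line) { return @() }

    # Documented default holders on a clean install. Anything else is a candidate
    # for removal, per the guidance in the article.
    $defaultSids = @('S-1-5-32-544', 'S-1-5-6', 'S-1-5-19', 'S-1-5-20')

    $entries = ($line -replace '^SeImpersonatePrivilege\s*=\s*', '') -split ','
    foreach ($entry in $entries) {
        $sid = $entry.Trim().TrimStart('*')
        try {
            $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved>'
        }
        $status = 'REVIEW'
        if ($defaultSids -contains $sid) { $status = 'default' }
        [pscustomobject]@{ SID = $sid; Account = $name; Status = $status }
    }
}

function Get-RestrictedIdentityServices {
    # Services running as Local Service or Network Service: a foothold in one of these
    # is the starting point the article describes. State is included so that stopped
    # services (whose RPC endpoints would otherwise be unclaimed) stand out.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -match 'LocalService|NetworkService' } |
        Select-Object Name, StartName, State, StartMode |
        Sort-Object StartName, Name
}

function Start-RpcEtwTrace {
    param([string]$OutFile = (Join-Path $env:TEMP 'rpc-trace.etl'))
    # Starts an ETW session for the (assumed) Microsoft-Windows-RPC provider so RPC
    # client/server activity can be reviewed offline. Stop it later with:
    #   logman stop PhantomRpcAudit -ets
    & logman.exe create trace PhantomRpcAudit -p Microsoft-Windows-RPC -o $OutFile -ets | Out-Null
    return $OutFile
}

# Usage: print both audits; start the trace only when you intend to collect.
Get-ImpersonatePrivilegeHolders | Format-Table -AutoSize
Get-RestrictedIdentityServices | Format-Table -AutoSize
# Start-RpcEtwTrace
```

Rows marked REVIEW in the first table are principals outside the documented default set; each should be traced back to the application that needed the right, which is exactly the review the article's second mitigation calls for. The second table lists stopped services under the two restricted identities, which is the population the first mitigation (enabling the corresponding service so its endpoint is occupied) applies to.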