
New Windows RPC Vulnerability Lets Attackers Escalate Privileges Across All Windows Versions

Source: Cybersecurity News (archived Apr 26, 2026)



By Guru Baran, April 25, 2026

PhantomRPC is a newly identified architectural vulnerability in Windows Remote Procedure Call (RPC) that enables local privilege escalation to SYSTEM-level access and potentially affects every version of Windows. The research was presented by Kaspersky application security specialist Haidar Kabibo at Black Hat Asia 2026 on April 24 and details five distinct exploitation paths, none of which have received a patch from Microsoft.

PhantomRPC is not a classic memory corruption bug or a logic flaw in a single component. Instead, it exploits an architectural design weakness in how the Windows RPC runtime (rpcrt4.dll) handles connections to unavailable RPC servers. When a highly privileged process attempts an RPC call to a server that is offline or disabled, the RPC runtime does not verify whether the responding server is legitimate. This means an attacker who controls a low-privileged process, such as one running under NT AUTHORITY\NETWORK SERVICE, can deploy a malicious RPC server that mimics a legitimate endpoint and intercept those calls.

[Figure: Malicious RPC Server (Kaspersky)]

The core abuse relies on the RpcImpersonateClient API. When a privileged client connects to the fake server with a high impersonation level, the attacker’s server calls this API to assume the client’s security context — escalating from a low-privileged service account directly to SYSTEM or Administrator.

Five Exploitation Paths

Researchers identified five concrete attack scenarios:

1. gpupdate.exe coercion — Triggering gpupdate /force causes the Group Policy Client service (running as SYSTEM) to make an RPC call to TermService. If TermService is disabled, the attacker’s fake RPC server intercepts the call, yielding SYSTEM-level access.

2. Microsoft Edge startup — When msedge.exe launches, it triggers an RPC call to TermService with a high impersonation level. An attacker waiting with a spoofed endpoint can escalate from Network Service to Administrator without any coercion.

3. WDI background service — The Diagnostic System Host (WdiSystemHost), running as SYSTEM, periodically polls TermService every 5–15 minutes. No user interaction is required; the attacker simply waits for the automated call.

4. ipconfig.exe and DHCP Client — Executing ipconfig.exe triggers an internal RPC call to the DHCP Client service. With DHCP disabled and a fake server in place, a Local Service attacker escalates to Administrator.

5. w32tm.exe and Windows Time — The Windows Time executable first attempts to connect to a nonexistent named pipe \PIPE\W32TIME. An attacker can expose this endpoint without disabling the legitimate W32Time service, then impersonate any privileged user who runs the binary.

Microsoft’s Response — No Patch

The vulnerability was reported to Microsoft Security Response Center (MSRC) on September 19, 2025. Microsoft responded 20 days later, classifying the issue as moderate severity on the grounds that the attack requires SeImpersonatePrivilege, a privilege already held by default by the Network Service and Local Service accounts.

“No CVE was assigned, and the case was closed without a scheduled fix,” reads the Kaspersky report.

Until a patch is issued, defenders can take the following steps:

1. Enable ETW-based RPC monitoring to detect RPC_S_SERVER_UNAVAILABLE errors (Event ID 1) combined with high impersonation levels from privileged processes.

2. Enable disabled services such as TermService where feasible, so legitimate endpoints are occupied and cannot be hijacked.

3. Restrict SeImpersonatePrivilege to only those processes that strictly require it; do not grant it to custom or third-party applications.

Kaspersky has released all tools used in the research framework via the PhantomRPC GitHub repository, allowing organizations to audit their own environments for exploitable RPC call patterns.
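As an added example (not from the article, from Microsoft, or from Kaspersky's PhantomRPC tooling), the following PowerShell script audits a host against the three mitigations listed above: it reports which of the named RPC services are disabled or stopped, lists accounts that hold SeImpersonatePrivilege beyond the default set, checks whether a \PIPE\W32TIME named pipe is already present, and includes a helper that starts an ETW session on the RPC runtime provider. The service names, the session name, the temporary file paths and the Microsoft-Windows-RPC provider name are assumptions to adapt to your environment.

```powershell
# Added example (not from the article, Microsoft, or Kaspersky's PhantomRPC tooling):
# audit a Windows host for the three mitigations the article lists.
# Run from an elevated PowerShell session; prints one row per finding.
# Service names, the trace session name and the temp paths are assumptions.

# RPC services the article names as targets of privileged callers.
$WatchedServices = @('TermService', 'Dhcp', 'W32Time')

# SIDs that hold SeImpersonatePrivilege on a default install:
# Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE.
$DefaultImpersonateSids = @('S-1-5-32-544', 'S-1-5-19', 'S-1-5-20', 'S-1-5-6')

function Get-DisabledRpcServices {
    # Mitigation 2: a disabled or stopped RPC server leaves its endpoint
    # unoccupied, which is what allows a fake server to answer in its place.
    foreach ($name in $WatchedServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }
        if ($svc.StartType -eq 'Disabled' -or $svc.Status -ne 'Running') {
            [pscustomobject]@{
                Check  = 'ServiceEndpoint'
                Item   = $name
                Detail = "StartType=$($svc.StartType) Status=$($svc.Status)"
            }
        }
    }
}

function Get-ExtraImpersonateHolders {
    # Mitigation 3: list accounts granted SeImpersonatePrivilege beyond the
    # default set. secedit exports the local user-rights assignments to an
    # INF file; the path below is an assumed temp location.
    $cfg = Join-Path $env:TEMP 'phantomrpc-audit.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $cfg)) { return }
    $line = Get-Content $cfg |
        Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' } |
        Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return }
    # INF value looks like: *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
    $sids = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($raw in $sids) {
        $sid = $raw.Trim().TrimStart('*')
        if ($sid -in $DefaultImpersonateSids) { continue }
        $account = $sid
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { }
        [pscustomobject]@{
            Check  = 'SeImpersonatePrivilege'
            Item   = $account
            Detail = 'Non-default holder; confirm it is required'
        }
    }
}

function Test-W32TimePipe {
    # Detection: the article states w32tm.exe first tries the named pipe
    # \PIPE\W32TIME, which does not normally exist. A pipe by that name
    # already present on the host therefore warrants investigation.
    $pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')
    $hit = $pipes | Where-Object { $_ -match '\\W32TIME$' }
    if ($hit) {
        [pscustomobject]@{
            Check  = 'NamedPipe'
            Item   = 'W32TIME'
            Detail = 'Pipe exists; identify the owning process'
        }
    }
}

function Start-RpcEtwTrace {
    # Mitigation 1: start an ETW session on the RPC runtime provider so
    # RPC_S_SERVER_UNAVAILABLE (Event ID 1 per the article) raised by
    # privileged callers can be reviewed. Session name and output path
    # are assumptions. Stop later with: logman stop PhantomRpcAudit -ets
    # and read the .etl with: Get-WinEvent -Path <file> -Oldest
    $out = Join-Path $env:TEMP 'phantomrpc-rpc.etl'
    & logman.exe create trace PhantomRpcAudit -p 'Microsoft-Windows-RPC' -o $out -ets
}

# Collect and print findings; the trace helper is opt-in.
$findings = @(Get-DisabledRpcServices) + @(Get-ExtraImpersonateHolders) + @(Test-W32TimePipe)
if ($findings.Count -eq 0) {
    Write-Output 'No findings.'
} else {
    $findings | Format-Table -AutoSize
}
# Uncomment to begin RPC event collection on this host:
# Start-RpcEtwTrace
```

The script only reports; remediation (changing a service's start type, or removing a user-rights assignment through Local Security Policy or Group Policy) is left to the operator because the article itself qualifies the service step with "where feasible".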