Unpatched 'PhantomRPC' Flaw in Windows Enables Privilege Escalation
Dark Reading
A researcher discovered five different exploit paths that stem from an architectural weakness in how Windows' Remote Procedure Call (RPC) mechanism handles connections to unavailable services.
Elizabeth Montalbano, Contributing Writer
April 27, 2026
4 Min Read
An unpatched vulnerability can allow for privilege escalation across Windows systems through the abuse of the Remote Procedure Call (RPC) architecture in Microsoft's OS.
Called PhantomRPC, the flaw stems from an architectural weakness in how RPC handles connections to unavailable services, according to Haidar Kabibo, a middle application security specialist at Kaspersky who discovered the flaw and shared his findings in a recent post on X and in a blog post published Friday.
By exploiting the flaw, an attacker with limited local access can deploy a malicious RPC server that impersonates legitimate Windows services. In this way, when higher-privileged processes connect to the server, the attacker can impersonate them to escalate privileges to SYSTEM or administrator levels.
"The operating system permits the deployment of RPC servers using the same endpoint assigned to RPC servers exposed by legitimate services, provided that those services are not running," Kabibo tells Dark Reading. "This behavior enables any process to deploy an RPC server that mimics a legitimate service and receive all the RPC client calls originally intended for the authentic server."

If some of these calls originate from highly privileged accounts, and the hosting process possesses SeImpersonatePrivilege, a low-privileged process may impersonate such clients and thereby escalate its privileges, he says, describing it in his X post as "an architecture problem."

"The Microsoft Windows operating system is designed to run with multiple user accounts, each having different privileges inside the system," Kabibo explains, citing Network Service and Local Service, both restricted service accounts, as two examples of low-privilege accounts. "If an attacker gains a foothold in services running under these identities and exploits the bug presented in the research, they may be able to escalate their privileges from these low-privileged accounts to the SYSTEM level and gain control of the entire operating system."
No Patch Despite Various Exploit Paths
Windows' RPC is an architecture-level mechanism for communication between two processes, enabling one process to invoke functions that are implemented in another process, even though they are running in different execution contexts.
Kaspersky disclosed the flaw to Microsoft via a 10-page technical report last September. In October, Microsoft assessed the flaw to be of only "moderate severity" and ineligible for a bounty, and did not issue a CVE. Moreover, "the case was closed without further tracking," Kabibo wrote in the post.
"Microsoft explained that the moderate severity classification was due to the requirement that the originating process had to already possess the SeImpersonatePrivilege privilege," he wrote. "Since this privilege was typically required for the attack to succeed, Microsoft determined that the issue did not require immediate remediation."
Despite this assessment, Kabibo said there are five exploit paths for abusing the flaw, which he outlined in detail in his post. Microsoft did not immediately respond to a request for comment from Dark Reading on Monday about its reasoning for not mitigating the flaw.
Kabibo tested his proof-of-concept (PoC) exploits on Windows Server 2022 and Windows Server 2025 with the latest available updates prior to the date he submitted the flaw to Microsoft in September. "However, it is highly likely that this issue may also be exploitable on other Windows versions," he wrote.
The PoCs can be found in a GitHub repository.
The scenarios for exploitation differ by which processes are used to elevate privileges, but all of them stem from the architectural issue inherent in RPC. What this basically means is that any process that can register an RPC endpoint and receive a privileged connection can transform that into a SYSTEM token, elevating an attacker's privileges on a Windows system, according to Kaspersky.
Defenders Are on Their Own
Privilege escalation remains a huge concern for Windows defenders; in fact, more than half of the 165 vulnerabilities patched by Microsoft in April were this type of vulnerability.
With no fix for PhantomRPC forthcoming, the countless organizations that use Windows systems are on their own to mitigate the issue. To help guide them, Kaspersky advised organizations to take a couple of fundamental steps to protect themselves from exploitation of the flaw.
One is to implement Event Tracing for Windows (ETW)-based monitoring, which allows defenders to identify RPC exceptions within their environment, particularly cases where RPC clients attempt to connect to unavailable servers. Monitoring such events can help administrators detect situations in which legitimate RPC servers are expected but not running, Kabibo said.
"In some cases, the attack surface may be reduced by enabling the corresponding services, ensuring that the legitimate RPC endpoint is available," he wrote. "This can hinder attackers from deploying malicious RPC servers that imitate legitimate endpoints."
The second way to avoid compromise through exploitation is to limit the use of SeImpersonatePrivilege only to processes that strictly require it rather than to custom or third-party processes that are sometimes granted access, which, Kabibo wrote, "is generally not considered good security practice."
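One way to act on that second recommendation, as an added example that is not from the article or from Kaspersky's research: a PowerShell audit of which accounts hold SeImpersonatePrivilege on a host and which services run under custom accounts. The baseline list of default holders is an assumption to adjust to your own build standard.

```powershell
# Added example (not from the article or from Kaspersky's research): audit which
# accounts hold SeImpersonatePrivilege on this host and which services run under
# custom accounts. Run from an elevated PowerShell session on Windows.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The exported policy lists the right as: SeImpersonatePrivilege = *SID,*SID,...
$line = Get-Content $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim()
        if ($id.StartsWith('*')) {
            try {
                # Resolve a SID to an account name; keep the raw SID if that fails
                $sid = New-Object System.Security.Principal.SecurityIdentifier($id.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $id }
        } else { $id }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Assumed baseline: the accounts Windows grants the right to out of the box.
# Adjust to your own build standard (IIS hosts also grant it to IIS_IUSRS).
$baseline = @('BUILTIN\Administrators', 'NT AUTHORITY\SERVICE',
              'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
$extra = @($holders | Where-Object { $baseline -notcontains $_ })

"Accounts holding SeImpersonatePrivilege:"
$holders | ForEach-Object { "  $_" }
"Holders outside the assumed baseline (review and remove if not required):"
if ($extra.Count) { $extra | ForEach-Object { "  $_" } } else { "  (none)" }

# Every service process carries the NT AUTHORITY\SERVICE group in its token, so a
# third-party service installed under a custom account still receives the right
# through that group. List such services so their need for it can be reviewed.
"Services running under custom accounts:"
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and
                   $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\(LocalService|NetworkService))$' } |
    Select-Object Name, StartName, State |
    Format-Table -AutoSize
```

Removing the right from an account is done through the User Rights Assignment policy (local or via GPO), not by this script, which only reports.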