A recent vulnerability in Windows’ Remote Procedure Call (RPC) mechanism, identified by Kaspersky, permits attackers to elevate their privileges to System level. This flaw affects potentially all Windows versions, posing a significant security risk.
Understanding the RPC Vulnerability
Kaspersky researcher Haidar Kabibo has labeled this vulnerability as PhantomRPC, highlighting an architectural flaw in Windows. The issue arises from a legitimate mechanism that allows processes to impersonate others, potentially enabling privilege escalation.
The RPC mechanism facilitates inter-process communication in Windows, following a client-server model. However, it allows services to impersonate other entities, controlled by impersonation levels from Anonymous to Delegate. Critical services like those under the Local Service and Network Service accounts have these impersonation privileges by default.
Exploitation Techniques
The vulnerability is exacerbated because the RPC runtime does not authenticate RPC servers. Attackers can deploy fake RPC servers, mimicking legitimate ones, to intercept and manipulate requests for privilege escalation.
An attacker could compromise a service running under the Network Service account and configure a fake RPC server. By exploiting this setup, they could elevate privileges by impersonating other services, such as TermService, the default Remote Desktop service.
Potential Attack Scenarios
Kabibo identified multiple paths for exploiting PhantomRPC, which broaden the attack surface due to the reliance of many Windows system DLLs on RPC. For instance, an attack could be triggered when a high-privileged user launches Microsoft Edge, or through periodic RPC calls made by the Diagnostic System Host Service (WDI).
Similarly, services running under the Local Service account, like the DHCP Client and Windows Time service, can also be exploited. Attackers could deploy fake RPC servers that impersonate these services to capture and manipulate requests.
Response and Future Outlook
Kaspersky reported this issue to Microsoft in September 2025. Microsoft categorized it as a moderate-severity vulnerability, citing the need for specific impersonation privileges. As of now, there is no immediate fix available.
With this vulnerability unpatched, organizations need to be vigilant. While Microsoft has not prioritized a remediation, understanding and mitigating potential attack vectors is crucial for maintaining security.
