Security researcher Haidar Kabibo has identified "PhantomRPC," an unpatched architectural vulnerability in the Windows Remote Procedure Call (RPC) mechanism. The flaw arises from how Windows handles connections to unavailable services, allowing attackers to deploy malicious RPC servers that impersonate legitimate ones. When high-privileged processes attempt to connect to these spoofed servers, an attacker with local access and certain privileges can intercept the calls to escalate their permissions to SYSTEM or administrator levels.
Despite Kaspersky providing a detailed technical report and five distinct exploit paths, Microsoft has classified the issue as "moderate" and declined to issue a CVE or patch, citing the requirement for the attacker to already possess SeImpersonatePrivilege. Security professionals are advised to use Event Tracing for Windows (ETW) to monitor for RPC exceptions and to strictly adhere to the principle of least privilege by limiting the assignment of impersonation rights to only essential processes.
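The least-privilege advice above is actionable only if you know which principals actually hold SeImpersonatePrivilege on a given host. The script below is an added example, not code from the original article or from Kaspersky: it exports the local user-rights assignment with `secedit`, resolves each SID granted the privilege, and flags anything outside the typical default set (Administrators, LOCAL SERVICE, NETWORK SERVICE and SERVICE). The scratch path under `$env:TEMP` and the baseline list are assumptions; `secedit` needs an elevated session.

```powershell
# Added example (not from the original post): audit which principals hold
# SeImpersonatePrivilege so the assignment can be trimmed to the services
# that genuinely need it. Run from an elevated PowerShell session.

$exportPath = Join-Path $env:TEMP 'user-rights.inf'   # assumed scratch location
secedit /export /cfg $exportPath /areas USER_RIGHTS | Out-Null

# The export is INI-style; the [Privilege Rights] section lists each right as
# "SeXxxPrivilege = *SID,*SID,..."
$line = Get-Content $exportPath |
    Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' } |
    Select-Object -First 1
Remove-Item $exportPath -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Output 'SeImpersonatePrivilege is not assigned to any principal.'
    return
}

$sids = ($line -split '=', 2)[1].Trim() -split ',' |
    ForEach-Object { $_.Trim().TrimStart('*') } |
    Where-Object { $_ }

# Assumed baseline: the default assignment on a stock Windows install.
$baseline = 'S-1-5-32-544', 'S-1-5-19', 'S-1-5-20', 'S-1-5-6'

foreach ($sid in $sids) {
    try {
        $identity = New-Object System.Security.Principal.SecurityIdentifier $sid
        $name = $identity.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '<unresolved>'   # orphaned or non-local SID
    }
    $flag = if ($baseline -contains $sid) { 'default' } else { 'REVIEW' }
    '{0,-8} {1,-24} {2}' -f $flag, $sid, $name
}
```

Every line marked `REVIEW` is an account or group that can impersonate clients and therefore meets the precondition the article describes; each one should either be justified by a documented service requirement or removed from the policy.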