Researcher Haidar Kabibo from Kaspersky has uncovered "PhantomRPC," an architectural flaw in the Windows Remote Procedure Call (RPC) mechanism that allows for local privilege escalation. The vulnerability occurs when the OS permits any process to deploy an RPC server using an endpoint assigned to a legitimate service that is not currently running. By impersonating these services, an attacker with "SeImpersonatePrivilege" can intercept calls from high-privileged clients and escalate their access to SYSTEM or administrator levels.
Despite Kaspersky providing a detailed technical report, Microsoft classified the flaw as moderate severity and declined to issue a CVE or a patch, arguing that the exploit requires pre-existing privileges. The researcher has identified five different exploit paths and released proof-of-concept code on GitHub, confirming the vulnerability on Windows Server 2022 and 2025. Since no official fix is planned, organizations are advised to monitor RPC exceptions using Event Tracing for Windows (ETW) and strictly limit the assignment of SeImpersonatePrivilege to prevent exploitation.
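The second mitigation above, limiting who holds SeImpersonatePrivilege, starts with knowing who has it. The following PowerShell audit is an added example written for this summary; it is not code from Kaspersky's report or the PhantomRPC proof of concept. It exports the local user-rights assignments with `secedit`, resolves the SIDs holding SeImpersonatePrivilege, and flags any principal outside an assumed baseline of the built-in service identities and Administrators (that baseline is an assumption to adjust for hosts such as IIS servers).

```powershell
# Added example, not from the original report: list who holds SeImpersonatePrivilege
# on this host so the assignment can be reviewed and trimmed. Run elevated.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'

# secedit exports the local security policy; USER_RIGHTS limits it to rights assignments.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
Remove-Item $cfg -Force

if (-not $line) {
    Write-Output 'SeImpersonatePrivilege is not assigned to any principal on this host.'
    return
}

# Assumed baseline (not from the page): the identities that normally hold this right.
$expected = @(
    'NT AUTHORITY\SERVICE',
    'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NETWORK SERVICE',
    'BUILTIN\Administrators'
)

# The INF value is a comma-separated list; SIDs are prefixed with '*', names are bare.
$entries = ($line -split '=', 2)[1].Trim() -split ','
foreach ($entry in $entries) {
    $entry = $entry.Trim()
    $name  = $entry
    if ($entry.StartsWith('*')) {
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = "$entry (unresolvable SID)"
        }
    }
    # Anything outside the baseline is a principal that could attempt the endpoint
    # impersonation described above and should be justified or removed.
    $status = if ($expected -contains $name) { 'expected' } else { 'REVIEW' }
    [pscustomobject]@{ Principal = $name; Sid = $entry.TrimStart('*'); Status = $status }
}
```

Rows marked REVIEW are candidates for removal through the Local Security Policy (User Rights Assignment) or the equivalent Group Policy setting.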