New Windows RPC Vulnerability Lets Attackers Escalate Privileges Across All Windows Versions

Source: Cyber Security News

Author: Guru Baran

URL: https://cybersecuritynews.com/new-windows-rpc-vulnerability/

ONE SENTENCE SUMMARY:

PhantomRPC exploits Windows RPC design to impersonate privileged clients via spoofed offline endpoints, enabling SYSTEM escalation across versions.

MAIN POINTS:

  1. Kaspersky disclosed PhantomRPC at Black Hat Asia 2026 as an architectural Windows RPC weakness.
  2. The vulnerability lies in rpcrt4.dll's behavior when clients contact unavailable or disabled RPC servers.
  3. RPC runtime fails to authenticate that the responding server is the intended legitimate endpoint.
  4. Attackers can stand up a fake RPC server to intercept privileged connection attempts.
  5. RpcImpersonateClient enables the malicious server to assume the privileged client’s security context.
  6. Coercing gpupdate while TermService is disabled yields SYSTEM via the Group Policy Client's RPC calls.
  7. Microsoft Edge startup can trigger a TermService RPC call, enabling Network Service-to-Administrator escalation.
  8. WdiSystemHost periodically polls TermService, allowing opportunistic SYSTEM escalation without user interaction.
  9. With DHCP disabled, an ipconfig-triggered RPC call can elevate Local Service to Administrator.
  10. Microsoft closed the report without CVE or patch, citing SeImpersonatePrivilege prerequisites.

TAKEAWAYS:

  1. Monitor ETW for RPC_S_SERVER_UNAVAILABLE events paired with high impersonation-level connections.
  2. Reduce hijack opportunities by keeping commonly targeted services enabled where operationally feasible.
  3. Minimize SeImpersonatePrivilege assignments to only essential built-in components.
  4. Audit systems for privileged RPC clients contacting optional or disabled endpoints.
  5. Use Kaspersky’s PhantomRPC GitHub tools to test and map exploitable RPC call patterns.