New Windows RPC Flaw Enables Universal Privilege Escalation Across All Versions


Key Takeaways

  • PhantomRPC is an architectural flaw in Windows RPC that lets a low‑privilege attacker hijack RPC calls and escalate to SYSTEM or Administrator.
  • The vulnerability stems from the RPC runtime’s failure to verify the legitimacy of a server when the intended endpoint is unavailable.
  • Five concrete exploitation paths have been demonstrated, affecting services such as gpupdate, Microsoft Edge, WDI host, DHCP client, and Windows Time.
  • Microsoft has classified the issue as moderate, declined to assign a CVE, and has not released a patch as of the Black Hat Asia 2026 disclosure.
  • Defenders can mitigate risk by enabling ETW‑based RPC monitoring, keeping critical services enabled, and restricting the SeImpersonatePrivilege right to only essential processes.

Overview of PhantomRPC
PhantomRPC is a newly identified architectural vulnerability in the Windows Remote Procedure Call (RPC) subsystem that permits local privilege escalation to SYSTEM‑level access. Discovered by Kaspersky application security specialist Haidar Kabibo and presented at Black Hat Asia 2026, the flaw does not rely on traditional memory corruption or a single‑component logic error. Instead, it abuses a design weakness in how the RPC runtime (rpcrt4.dll) handles connection attempts to RPC servers that are offline or disabled. When a privileged process issues an RPC call to an unavailable service, the runtime proceeds with the call without validating whether the responding server is the genuine one. This opens the door for an attacker controlling a low‑privilege process to supply a malicious RPC server that masquerades as the expected endpoint, intercept the call, and then impersonate the client’s security context.

How the RPC Runtime Enables the Abuse
The core of the exploit hinges on the RpcImpersonateClient API. When a privileged client (e.g., a service running as SYSTEM or Administrator) attempts an RPC call to a server that is not reachable, the RPC runtime still creates a client‑side binding and proceeds with the call. If an attacker has previously registered a fake RPC endpoint that matches the expected interface, the runtime will deliver the call to the hostile server. Provided the client made the call at a high impersonation level (as the scenarios below show), the malicious server can then invoke RpcImpersonateClient and assume the client’s token. Because many Windows services run under accounts that already possess the SeImpersonatePrivilege right (such as NT AUTHORITY\NETWORK SERVICE and NT AUTHORITY\LOCAL SERVICE), the attacker can leap from a low‑privilege context directly to SYSTEM or Administrator without needing additional privileges.

Five Demonstrated Exploitation Paths
Kaspersky researchers outlined five distinct attack scenarios that illustrate how the vulnerability can be triggered in real‑world environments:

  1. gpupdate.exe coercion – Executing gpupdate /force causes the Group Policy Client service (running as SYSTEM) to call the TermService RPC endpoint. If TermService is disabled, an attacker’s fake server intercepts the call and elevates to SYSTEM.

  2. Microsoft Edge startup – Launching msedge.exe triggers an RPC call to TermService with a high impersonation level. An attacker awaiting a spoofed TermService endpoint can escalate from Network Service to Administrator without any user interaction beyond starting the browser.

  3. WDI background service – The Diagnostic System Host (WdiSystemHost), which runs as SYSTEM, polls TermService every 5–15 minutes for diagnostics. The periodic nature of this call allows an attacker to simply wait for the automatic RPC and hijack it, achieving SYSTEM privileges.

  4. ipconfig.exe and DHCP Client – Running ipconfig.exe internally invokes an RPC call to the DHCP Client service. When DHCP is disabled and a malicious RPC server is listening for that interface, a process operating under the Local Service account can impersonate and reach Administrator rights.

  5. w32tm.exe and Windows Time – The Windows Time utility first attempts to connect to a named pipe \PIPE\W32TIME. An attacker can expose this pipe without disabling the legitimate W32Time service; any privileged user who runs w32tm.exe will have their token impersonated, granting the attacker escalated privileges.

Each path demonstrates that the flaw can be exploited with minimal prerequisites—often merely requiring a service to be disabled or a predictable RPC call to occur—making the attack surface broad across default Windows installations.

Microsoft’s Response and Lack of Patch
The vulnerability was reported to the Microsoft Security Response Center (MSRC) on September 19, 2025. Microsoft replied twenty days later, classifying the issue as moderate severity. Their rationale centered on the observation that the attack requires the SeImpersonatePrivilege right, which is already granted by default to the Network Service and Local Service accounts. Consequently, Microsoft deemed the risk insufficient to warrant an immediate security update, opted not to assign a CVE identifier, and closed the case without scheduling a fix. As of the Black Hat Asia 2026 presentation, no patch has been released, leaving all supported Windows versions potentially exposed.

Mitigation Strategies and Available Tools
Until Microsoft issues a patch, defenders can adopt several defensive measures:

  • Enable ETW‑based RPC monitoring – Capture Event ID 1 (RPC_S_SERVER_UNAVAILABLE) events and correlate them with high impersonation levels from privileged processes. Alerts on such combinations can reveal active exploitation attempts.
  • Keep critical services enabled – Where feasible, ensure services like TermService, DHCP Client, and the Windows Time service remain active. Occupying the legitimate endpoints prevents attackers from binding malicious servers to the same interfaces.
  • Restrict SeImpersonatePrivilege – Apply the principle of least privilege by removing SeImpersonatePrivilege from unnecessary service accounts, custom applications, and third‑party software. Only retain the right for processes that genuinely require impersonation.
  • Network segmentation and application control – Limit the ability of low‑privilege processes to create RPC endpoints on the host, and employ allow‑listing for executables that can register RPC services.
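
The following audit script is an added example written for this article; it is not part of the Kaspersky research or the PhantomRPC toolkit. It assumes an elevated PowerShell session on the host being checked and that the service short names TermService, Dhcp and W32Time correspond to the Remote Desktop, DHCP Client and Windows Time services named above; it reports which of those endpoints are currently idle (stopped or disabled) and which accounts hold SeImpersonatePrivilege beyond the Windows defaults.

```powershell
# Added defensive audit (not from the article's research or toolkit).
# Assumptions: elevated session; TermService / Dhcp / W32Time are the short
# names of the three services the mitigation list says should stay enabled.

# 1. An idle endpoint is what lets a fake RPC server take the legitimate
#    server's place, so flag any watched service that is stopped or disabled.
$watched = @{ TermService = 'Remote Desktop Services'
              Dhcp        = 'DHCP Client'
              W32Time     = 'Windows Time' }
foreach ($name in $watched.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$name ($($watched[$name])) is not installed"; continue }
    $startMode = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
    $flag = if ($svc.Status -ne 'Running' -or $startMode -eq 'Disabled') { 'REVIEW: endpoint idle' } else { 'ok' }
    '{0,-12} {1,-24} status={2,-8} start={3,-9} {4}' -f $name, $watched[$name], $svc.Status, $startMode, $flag
}

# 2. Enumerate SeImpersonatePrivilege holders. secedit exports the local
#    policy as an .inf whose [Privilege Rights] section lists '*SID' entries.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $inf -Pattern '^SeImpersonatePrivilege\s*=\s*(.+)$'
Remove-Item $inf -ErrorAction SilentlyContinue

# Windows grants the right by default to Administrators (S-1-5-32-544),
# SERVICE (S-1-5-6), LOCAL SERVICE (S-1-5-19) and NETWORK SERVICE (S-1-5-20);
# any other holder is a least-privilege review candidate.
$defaults = @('S-1-5-32-544', 'S-1-5-6', 'S-1-5-19', 'S-1-5-20')
if (-not $line) { Write-Warning 'SeImpersonatePrivilege line not found in policy export'; return }
$holders = $line.Matches[0].Groups[1].Value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
"`nSeImpersonatePrivilege holders:"
foreach ($sid in $holders) {
    try   { $acct = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $acct = '<unresolved>' }
    $note = if ($sid -in $defaults) { 'default' } else { 'NON-DEFAULT: review' }
    '  {0,-14} {1,-36} {2}' -f $sid, $acct, $note
}
```

Entries marked NON-DEFAULT are the accounts and custom services the mitigation list suggests removing the right from; entries marked REVIEW are endpoints an attacker could currently claim.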

Kaspersky has released the full research toolkit on the PhantomRPC GitHub repository, enabling organizations to scan their environments for exploitable RPC call patterns, test detection rules, and validate mitigations.

Conclusion
PhantomRPC highlights how architectural assumptions in core Windows subsystems can be turned into powerful privilege‑escalation vectors when combined with default service configurations. The fact that five reliable exploitation paths exist—spanning system utilities, user‑facing applications, and background services—underscores the breadth of the risk. While Microsoft’s current stance treats the issue as moderate, the absence of a patch leaves enterprises reliant on proactive monitoring, service hygiene, and privilege restriction to defend against potential attacks. Continuous vigilance, coupled with the tools and guidance provided by the research community, remains essential to mitigate this vulnerability until an official fix is made available.
