Microsoft Declines to Patch 'PhantomRPC' Windows Privilege Escalation Weakness
A researcher disclosed PhantomRPC, a local privilege escalation weakness in Windows RPC that Microsoft declined to patch, classifying it as an architectural limitation rather than a vulnerability.

A security researcher has disclosed a weakness in Windows Remote Procedure Call (RPC) dubbed PhantomRPC that allows local privilege escalation to SYSTEM. Microsoft has declined to patch the issue, classifying it as a moderate-risk architectural limitation rather than a vulnerability, and refused to assign a CVE identifier.
PhantomRPC abuses the way Windows RPC clients reach servers. When a highly privileged client tries to connect to a legitimate RPC server that is not listening (because the service is stopped, misconfigured, or has lost a race), an attacker who holds SeImpersonatePrivilege can register a rogue server on the same interface and endpoint. When the privileged client connects, the rogue server calls RpcImpersonateClient to adopt the client's security token; if the client ran as SYSTEM, the attacker now runs as SYSTEM. The privilege matters because, without it, a server cannot fully impersonate a client from another logon session, which is why Microsoft and the researcher both frame SeImpersonatePrivilege as the gating requirement.
The researcher outlined five exploitation paths, including coercion, user interaction, and background services, warning that potential vectors are "effectively unlimited" because the root cause is architectural. The weakness affects all supported Windows versions.
Microsoft responded by stating that the technique requires an already-compromised machine and does not grant unauthenticated or remote access. The company emphasized its commitment to balancing compatibility and risk, and recommended customers follow security best practices such as limiting administrative privileges and applying least privilege.
Experts disagree with Microsoft's assessment, arguing that the company is downplaying a systemic local privilege escalation technique. Proper mitigation would require deep changes to the RPC architecture, which is difficult without breaking compatibility on existing Windows versions. Some suggest this may be addressed in future Windows releases.
SeImpersonatePrivilege ("Impersonate a client after authentication") allows a process to take on the security context of a client that has connected to it. By default it is assigned to Administrators, LOCAL SERVICE, NETWORK SERVICE, and the SERVICE group, so it is routinely available to Windows services and to server applications such as web and database servers running under service accounts. An attacker who gains code execution in such a context can stand up a rogue server, wait for a more privileged client to connect, and take its token to reach SYSTEM.
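As an added example (not from the article or the researcher's disclosure), the PowerShell below audits which principals hold SeImpersonatePrivilege on the local machine and whether the current token has it. It assumes an elevated session, since secedit /export requires one, and uses only the built-in secedit.exe and whoami.exe.

```powershell
# Added example, not from the article or the PhantomRPC disclosure.
# Lists the principals granted SeImpersonatePrivilege on this host and checks
# whether the current process token holds it. Assumes an elevated session.

function Get-ImpersonatePrivilegeHolders {
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    # Export only the user-rights assignments; secedit writes the file as UTF-16 LE,
    # which Select-String handles via the BOM.
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $match = Select-String -Path $cfg -Pattern '^SeImpersonatePrivilege\s*=\s*(.+)$'
        if (-not $match) { return @() }   # no explicit line means the default applies
        $match.Matches[0].Groups[1].Value -split ',' | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                # Entries prefixed with '*' are SIDs; translate to account names where possible.
                $sid = [System.Security.Principal.SecurityIdentifier]$entry.Substring(1)
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
            } else {
                $entry   # already an account name
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

function Test-CurrentTokenCanImpersonate {
    # whoami /priv lists every privilege in the token, enabled or disabled. Holding it
    # is what matters: a process can enable a disabled privilege it already owns.
    $priv = whoami /priv /fo csv | ConvertFrom-Csv |
        Where-Object { $_.'Privilege Name' -eq 'SeImpersonatePrivilege' }
    return [bool]$priv
}

'Principals granted SeImpersonatePrivilege (Windows default: Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE):'
Get-ImpersonatePrivilegeHolders | ForEach-Object { "  $_" }
'Current token holds SeImpersonatePrivilege: {0}' -f (Test-CurrentTokenCanImpersonate)
```

Anything listed beyond the Windows defaults (for example a service account created for an application server) widens the set of contexts from which the technique can be launched, and is where a least-privilege review should start.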
For now, defenders must treat PhantomRPC as an ongoing risk. Recommendations include keeping Windows updated, using administrative accounts sparingly, running up-to-date anti-malware, and avoiding indiscriminate service hardening: a service that is disabled without removing its clients leaves an RPC endpoint unoccupied that privileged callers may still try to reach, which is exactly the gap a rogue server needs.