Unpatched 'PhantomRPC' Flaw in Windows Enables Privilege Escalation
An unpatched architectural flaw in Windows RPC, dubbed PhantomRPC, allows low-privileged attackers to escalate to SYSTEM by impersonating legitimate services.

An unpatched architectural flaw in Windows Remote Procedure Call (RPC), dubbed PhantomRPC, allows attackers with limited local access to escalate privileges to SYSTEM or administrator level. Discovered by Kaspersky researcher Haidar Kabibo, the vulnerability exploits how Windows RPC handles connections to unavailable services, enabling a low-privileged process to deploy a malicious RPC server that impersonates legitimate Windows services.
According to Kabibo, the operating system permits any process to register an RPC server on the endpoint assigned to a legitimate service while that service is not running, so a malicious server receives every RPC client call intended for the authentic one. If those calls come from highly privileged accounts and the attacker's process hosting the rogue server holds SeImpersonatePrivilege, the attacker can impersonate the callers' security tokens and escalate to SYSTEM. That privilege is not exotic: Windows grants it by default to Administrators and to the built-in service accounts LOCAL SERVICE, NETWORK SERVICE and SERVICE, so code running as a typical service account (an IIS application pool, for instance) already meets the precondition.
Kabibo demonstrated five exploit paths on Windows Server 2022 and Windows Server 2025 with the latest available updates as of September 2025, when the flaw was disclosed to Microsoft. He noted that the issue is likely exploitable on other Windows versions as well. Proof-of-concept exploits are available on GitHub.
Microsoft assessed the flaw as moderate severity and declined to issue a CVE or patch, stating that the attack requires the SeImpersonatePrivilege. In a statement, a Microsoft spokesperson said, "This technique requires an already-compromised machine and does not grant unauthenticated or remote access. Any update is a balance between existing compatibility and customer risk, and we remain committed to continually hardening our products."
Kaspersky advised organizations to use Event Tracing for Windows (ETW) to monitor RPC errors, in particular client calls that fail because the target server is unavailable, since those failed calls mark exactly the endpoints an attacker could squat. Keeping the legitimate services running, so that their authentic RPC endpoints stay registered, also shrinks the attack surface, and granting SeImpersonatePrivilege only to the accounts that strictly require it limits who can reach the exploit's precondition in the first place.
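As an added example (not code from Kaspersky, Kabibo or Microsoft), the following PowerShell script turns the three mitigations above into checks an administrator can run on a Windows Server host: it lists who holds SeImpersonatePrivilege, lists startable services that are currently stopped and therefore have no server on their RPC endpoint, and captures an ETW trace of the RPC runtime to look for clients failing to reach a server. The choice of the Microsoft-Windows-RPC provider and the search for the status codes RPC_S_SERVER_UNAVAILABLE (1722) and EPT_S_NOT_REGISTERED (1753) in the rendered trace are this example's assumptions, not something the article specifies, and the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not Kaspersky's or Microsoft's code. Function names are hypothetical.

function Get-ImpersonatePrivilegeHolders {
    # secedit exports the local user-rights assignments; the SeImpersonatePrivilege line
    # lists SIDs prefixed with '*' (defaults: Administrators, SERVICE, LOCAL SERVICE,
    # NETWORK SERVICE). Anything beyond the defaults deserves a justification.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeImpersonatePrivilege\s*=' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    foreach ($entry in $line.Line.Split('=')[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # Resolve the SID to an account name; keep the raw SID if that fails.
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    }
}

function Get-StoppedStartableServices {
    # A service that is not running has no RPC server listening on its endpoint, which is
    # the precondition PhantomRPC needs. Disabled services are left out; the interesting
    # set is Manual/Auto services that happen to be stopped right now.
    Get-CimInstance Win32_Service |
        Where-Object { $_.State -ne 'Running' -and $_.StartMode -ne 'Disabled' } |
        Select-Object Name, StartMode, State, StartName |
        Sort-Object Name
}

function Start-RpcTrace {
    param([string]$SessionName = 'PhantomRpcAudit',
          [string]$EtlPath = (Join-Path $env:TEMP 'rpc-audit.etl'))
    # Microsoft-Windows-RPC is the in-box ETW provider for the RPC runtime (assumption:
    # this is the provider to watch; the article does not name one).
    logman create trace $SessionName -p 'Microsoft-Windows-RPC' -o $EtlPath -ets | Out-Null
    return $EtlPath
}

function Stop-RpcTrace {
    param([string]$SessionName = 'PhantomRpcAudit',
          [string]$EtlPath = (Join-Path $env:TEMP 'rpc-audit.etl'))
    logman stop $SessionName -ets | Out-Null
    $xmlPath = [System.IO.Path]::ChangeExtension($EtlPath, 'xml')
    tracerpt $EtlPath -o $xmlPath -of XML -y | Out-Null
    # Assumption: the rendered events carry the RPC status as a decimal or hex number.
    # RPC_S_SERVER_UNAVAILABLE = 1722 (0x6BA) and EPT_S_NOT_REGISTERED = 1753 (0x6D9)
    # are what a client gets when nobody is listening on the endpoint it asked for.
    # This is a coarse text filter meant for triage, not a finished detection rule.
    Select-String -Path $xmlPath -Pattern '\b(1722|1753|0x0*6BA|0x0*6D9)\b'
}

# Usage: run the static checks, then capture RPC activity for a minute and inspect it.
Get-ImpersonatePrivilegeHolders | Format-Table -AutoSize
Get-StoppedStartableServices   | Format-Table -AutoSize
$etl = Start-RpcTrace
Start-Sleep -Seconds 60
Stop-RpcTrace -EtlPath $etl | Select-Object -First 20
```

Two caveats when reading the output. Because every service account is a member of the SERVICE group, trimming SeImpersonatePrivilege from individual accounts mainly helps for custom or application-pool identities, not for the built-in service accounts. And the stopped-service list is only a candidate surface: the article does not enumerate which services expose hijackable RPC endpoints, so each entry has to be reviewed against the interfaces it actually registers before deciding to keep it running.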
Privilege escalation remains a major concern for Windows defenders; more than half of the 165 vulnerabilities patched by Microsoft in April 2026 were of this type. With no fix forthcoming, organizations must rely on monitoring and least-privilege practices to defend against PhantomRPC attacks.