No Patch for New PhantomRPC Privilege Escalation Technique in Windows

Kaspersky researcher Haidar Kabibo discovered an architectural weakness in Windows RPC, named PhantomRPC, that allows attacker-deployed fake RPC servers to impersonate privileged services and elevate privileges to System. The flaw affects multiple Windows components and services (including TermService, Group Policy, DHCP Client, Windows Time, WDI, and Network/Local Service accounts), creating numerous local privilege escalation paths that can be triggered with minimal user interaction.

Keypoints

  • PhantomRPC is an architectural defect in Windows RPC that permits fake RPC servers to impersonate other processes.
  • Attackers must compromise a privileged service and expose matching RPC endpoints to intercept and impersonate RPC requests.
  • Notable exploitation paths include abusing Network Service (TermService via Group Policy or Edge) and Local Service (DHCP Client, Windows Time) accounts.
  • The RPC runtime does not verify servers and many system DLLs rely on RPC, widening the potential attack surface.
  • Kaspersky disclosed the issue in September 2025 and Microsoft rated it moderate, citing the required impersonation privilege.

Read More: https://www.securityweek.com/no-patch-for-new-phantomrpc-privilege-escalation-technique-in-windows/