Security researcher Ron Ben Yizhak from SafeBreach Labs has uncovered a novel attack technique dubbed Endpoint Mapper (EPM) Poisoning, which exploits a core weakness in the Windows Remote Procedure Call (RPC) protocol. The vulnerability, now tracked as CVE-2025-49760, was patched by Microsoft on July 8, 2025, but its potential impact on unpatched systems is severe — ranging from machine account credential theft to Active Directory domain compromise.
The research began with a simple question: could a technique similar to DNS poisoning be applied to the RPC endpoint mapper? According to Ben Yizhak:
“I quickly discovered a serious security issue in a core component of the Windows RPC protocol. Specifically, this vulnerability revealed that there was no verification process to stop unprivileged users from posing as a well-known RPC server.”
In essence, if an attacker could register with the EPM before a legitimate service did, they could hijack the interface and masquerade as a trusted RPC server. The EPM would then route client requests to the attacker’s rogue service — without requiring administrative privileges.

To prove the exploit’s viability, Ben Yizhak created RPC-Racer, a tool designed to detect insecure RPC services, register rogue interfaces, and capture connections from high-privilege processes.
One critical finding was that delayed-start services — which register their interfaces after system boot — are prime targets. By “racing” to register the interface first, RPC-Racer could intercept connections from privileged services, including Protected Process Light (PPL) processes.
The breakthrough came with the Storage Service interface, which is used by the Windows Delivery Optimization service. This highly privileged service, when tricked into connecting to the attacker’s endpoint, would call a method returning a file path.
By manipulating the GetStorageDeviceInfo response, the attacker could force the service to access an SMB share they controlled, triggering authentication with the machine account credentials.
“I could bypass the limitation applied on logged on users and authenticate with the machine account… I just successfully crossed the security boundary,” the researcher writes.
Once the machine account credentials were captured, Ben Yizhak demonstrated an ESC8 Active Directory Certificate Services (ADCS) attack:
- Relay NTLM authentication from the Delivery Optimization service to an ADCS web enrollment server.
- Obtain a certificate for the machine account.
- Use the certificate to request a Kerberos Ticket Granting Ticket (TGT).
- Dump all domain controller secrets via Impacket’s secretsdump tool.
This chain effectively enables full domain compromise starting from a medium-integrity user account.
Microsoft addressed the flaw by modifying the Storage Service RPC client (StorageUsage.dll) to enforce security Quality of Service (QOS) — ensuring it only connects to RPC servers running as Local System.
SafeBreach recommends:
- Monitoring calls to RpcEpRegister for suspicious interface registrations.
- Leveraging Event Tracing for Windows (Microsoft-Windows-RPC provider) to detect cases where unknown processes receive RPC connections on known interfaces.
- Applying the Microsoft patch immediately.
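The following is an added example (not SafeBreach's tooling or Microsoft's code) showing how the two monitoring recommendations above could be prototyped as a detection rule: it walks a stream of simplified RPC events and flags a well-known interface being registered or served by a process that is not running as the expected account. The event shape, the interface UUID and the SIDs are constructed placeholders, not the real ETW schema or the Storage Service interface id.

```python
from dataclasses import dataclass
from typing import Optional

LOCAL_SYSTEM = "S-1-5-18"
# Well-known interface UUID -> SIDs allowed to host it.
# The UUID is a constructed placeholder, not the real Storage Service interface.
EXPECTED_HOST = {"0c0c0c0c-0000-4000-8000-000000000001": {LOCAL_SYSTEM}}

@dataclass
class RpcEvent:
    kind: str                          # "register" (RpcEpRegister) or "connect" (call received)
    interface: str                     # interface UUID
    pid: int                           # process hosting the interface
    host_sid: str                      # account the hosting process runs as
    client_sid: Optional[str] = None   # caller's account, only for "connect"

def analyze(events):
    """Return findings, oldest first, as (reason, interface, pid) tuples."""
    findings = []
    first_host_sid = {}   # interface -> SID of the first process that registered it
    for e in events:
        iface = e.interface.lower()
        allowed = EXPECTED_HOST.get(iface)
        if allowed is None:
            continue   # not a monitored well-known interface
        if e.kind == "register":
            first_host_sid.setdefault(iface, e.host_sid)
            if e.host_sid not in allowed:
                # an unexpected account won the race to own the interface
                findings.append(("rogue_register", iface, e.pid))
            elif first_host_sid[iface] not in allowed:
                # the legitimate (delayed-start) service registered after a rogue one
                findings.append(("legit_register_after_rogue", iface, e.pid))
        elif e.kind == "connect" and e.host_sid not in allowed:
            # a connection reached the wrong host; worst case: a SYSTEM client
            sev = "high" if e.client_sid == LOCAL_SYSTEM else "medium"
            findings.append(("rogue_connect_" + sev, iface, e.pid))
    return findings

IFACE = "0C0C0C0C-0000-4000-8000-000000000001"
USER = "S-1-5-21-1-2-3-1001"      # constructed unprivileged user SID
SAMPLE = [                          # constructed event stream showing a successful race
    RpcEvent("register", IFACE, 4321, USER),
    RpcEvent("connect", IFACE, 4321, USER, LOCAL_SYSTEM),
    RpcEvent("register", IFACE, 1200, LOCAL_SYSTEM),
    RpcEvent("register", "ffffffff-0000-4000-8000-000000000002", 999, USER),  # unmonitored
]
NORMAL = [RpcEvent("register", IFACE, 1200, LOCAL_SYSTEM),
          RpcEvent("connect", IFACE, 1200, LOCAL_SYSTEM, LOCAL_SYSTEM)]

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f)
```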