A new research report from Kaspersky Security Services has pulled back the curtain on a fundamental architectural weakness, dubbed PhantomRPC, in the Remote Procedure Call (RPC) mechanism, the very heart of how Windows processes talk to one another.
The discovery is a “novel local privilege escalation technique” that affects all versions of the Windows operating system, allowing attackers to leap from restricted service accounts to full SYSTEM-level control.
The vulnerability stems from the sheer complexity of the Windows RPC ecosystem. Because RPC serves as the underlying transport layer for nearly all advanced communication within the OS, it has long been a “rich source of security issues”.
This new method differs significantly from the well-known “Potato” family of exploits. Instead of relying on specific service flaws, it exploits how processes with existing impersonation privileges can be coerced or tricked into elevating their permissions.
The researcher warns of the scale of the risk: “As this issue stems from an architectural weakness, the number of potential attack vectors is effectively unlimited; any new process or service that depends on RPC could introduce another possible escalation path”.
After identifying the vulnerability, researchers submitted a detailed 10-page technical report to the Microsoft Security Response Center (MSRC).
However, Microsoft opted not to issue an immediate patch or assign a CVE. Their assessment classified the severity as “moderate” rather than high, citing a specific prerequisite for the attack.
As detailed in the report, “Microsoft explained that the moderate severity classification was due to the requirement that the originating process had to already possess the SeImpersonatePrivilege privilege. Since this privilege was typically required for the attack to succeed, Microsoft determined that the issue did not require immediate remediation”.
To prove the gravity of the flaw, the researchers demonstrated five distinct exploitation paths. These range from taking advantage of background services to “coercion” techniques that don’t even require the legitimate Windows Time service to be disabled.
In one scenario, an attacker simply exposes a malicious RPC server at a nonexistent endpoint that a target executable is already attempting to reach. If the call is performed with a high impersonation level, the attacker can seamlessly escalate privileges from a Local Service account to a full Administrator account.
With no official patch on the horizon, the burden of defense shifts to administrators. The research suggests that the most critical line of defense is monitoring and restricting accounts that hold the SeImpersonatePrivilege—often granted to service accounts by default.
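The report's mitigation advice is to know which accounts hold SeImpersonatePrivilege on each host. The following PowerShell script is an added example for that audit; it is not code from the Kaspersky report or from Microsoft. It assumes an elevated session (secedit needs administrator rights) and reads the host's effective local security policy, which is where both locally set and GPO-applied user-right assignments end up. The function name Get-ImpersonatePrivilegeHolders is our own.

```powershell
# Added example: list the accounts granted SeImpersonatePrivilege on this host,
# then list the service accounts in use so an admin can see which services
# already satisfy the precondition described in the report.
# Assumes an elevated PowerShell session; function name is ours.

function Get-ImpersonatePrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'

    # secedit writes the policy as an INF file; the [Privilege Rights] section
    # holds lines such as  SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
    secedit /export /cfg $cfg /quiet | Out-Null
    if (-not (Test-Path $cfg)) {
        throw 'secedit export failed; run this from an elevated session.'
    }

    $line = Get-Content $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    if (-not $line) {
        Write-Warning 'SeImpersonatePrivilege not present in exported policy (no holders).'
        return @()
    }

    # Entries prefixed with "*" are SIDs; resolve each to an account name.
    # Keep the raw SID when it cannot be translated (orphaned or foreign SIDs).
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($entry in $entries) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try {
                [pscustomobject]@{ Sid = $sid.Value; Account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            } catch {
                [pscustomobject]@{ Sid = $sid.Value; Account = '<unresolved>' }
            }
        } else {
            [pscustomobject]@{ Sid = ''; Account = $entry }
        }
    }
}

# 1. Who holds the privilege on this host?
$holders = Get-ImpersonatePrivilegeHolders
Write-Host "Accounts granted SeImpersonatePrivilege:"
$holders | Format-Table -AutoSize

# 2. Which accounts are services running under? Cross-reference manually with
#    the list above; LocalService / NetworkService / Administrators normally
#    hold the privilege by default, as the article notes.
Write-Host "Service accounts in use (service count per account):"
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName } |
    Group-Object StartName |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Account'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Run it periodically and diff the first table against a known-good baseline: a newly added non-default account on that list, or a custom service moved onto an account that holds the privilege, is exactly the kind of change the report says widens the escalation surface.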