Unpatched 'PhantomRPC' Flaw in Windows Enables Privilege Escalation
Recorded: May 11, 2026, 1:16 p.m.
| Original | Summarized |
A researcher discovered five different exploit paths that stem from an architectural weakness in how Windows' Remote Procedure Call (RPC) mechanism handles connections to unavailable services.

Elizabeth Montalbano, Contributing Writer
April 27, 2026 | 4 Min Read

An unpatched vulnerability can allow for privilege escalation across Windows systems through the abuse of the Remote Procedure Call (RPC) architecture in Microsoft's OS.

Called PhantomRPC, the flaw stems from an architectural weakness in how RPC handles connections to unavailable services, according to Haidar Kabibo, a middle application security specialist at Kaspersky who discovered the flaw and shared his findings in a recent post on X and in a blog post published Friday. By exploiting the flaw, an attacker with limited local access can deploy a malicious RPC server that impersonates legitimate Windows services. When higher-privileged processes then connect to that server, the attacker can impersonate them and escalate to SYSTEM or administrator privileges.

"The operating system permits the deployment of RPC servers using the same endpoint assigned to RPC servers exposed by legitimate services, provided that those services are not running," Kabibo tells Dark Reading. "This behavior enables any process to deploy an RPC server that mimics a legitimate service and receive all the RPC client calls originally intended for the authentic server."

If some of those calls originate from highly privileged accounts, and the process hosting the rogue server holds SeImpersonatePrivilege, a low-privileged process can impersonate such clients and thereby escalate its privileges, he says, describing it in his X post as "an architecture problem."

"The Microsoft Windows operating system is designed to run with multiple user accounts, each having different privileges inside the system," Kabibo explains, citing Network Service and Local Service, both restricted service accounts, as two examples of low-privilege accounts.
"If an attacker gains a foothold in services running under these identities and exploits the bug presented in the research, they may be able to escalate their privileges from these low-privileged accounts to the SYSTEM level and gain control of the entire operating system."

No Patch Despite Various Exploit Paths

Windows' RPC is an architecture-level mechanism for communication between two processes: it lets one process invoke functions implemented in another process even though the two run in different execution contexts.

Kaspersky disclosed the flaw to Microsoft in a 10-page technical report last September. In October, Microsoft assessed the flaw as only "moderate severity" and ineligible for a bounty, and did not issue a CVE. Moreover, "the case was closed without further tracking," Kabibo wrote in the post.

"Microsoft explained that the moderate severity classification was due to the requirement that the originating process had to already possess the SeImpersonatePrivilege privilege," he wrote. "Since this privilege was typically required for the attack to succeed, Microsoft determined that the issue did not require immediate remediation."

Despite this assessment, Kabibo said there are five exploit paths for abusing the flaw, which he outlined in detail in his post. A Microsoft spokesperson provided the following statement to Dark Reading:

"We appreciate the work of Kaspersky in identifying and responsibly reporting this issue through a coordinated vulnerability disclosure. This technique requires an already-compromised machine and does not grant unauthenticated or remote access. Any update is a balance between existing compatibility and customer risk, and we remain committed to continually hardening our products. We recommend customers follow security best practices, including limiting administrative privileges and applying the principle of least privilege."

Kabibo tested his proof-of-concept (PoC) exploits on Windows Server 2022 and Windows Server 2025 with the latest updates available before he submitted the flaw to Microsoft in September. "However, it is highly likely that this issue may also be exploitable on other Windows versions," he wrote. The PoCs can be found in a GitHub repository.

The exploitation scenarios differ in which processes are used to elevate privileges, but all of them stem from the same architectural issue in RPC. In practice, any process that can register an RPC endpoint in place of an absent service and receive a privileged client's connection can turn that connection into a SYSTEM token, according to Kaspersky.

Defenders Are on Their Own

Privilege escalation remains a huge concern for Windows defenders; more than half of the 165 vulnerabilities Microsoft patched in April were of this type.

With no fix for PhantomRPC forthcoming, the countless organizations that run Windows are on their own to mitigate the issue. To help guide them, Kaspersky advised two fundamental steps to protect against exploitation of the flaw.

The first is Event Tracing for Windows (ETW)-based monitoring, which lets defenders spot RPC exceptions in their environment, particularly RPC clients attempting to connect to servers that are not available. Monitoring such events can help administrators detect situations in which a legitimate RPC server is expected but not running, Kabibo said. "In some cases, the attack surface may be reduced by enabling the corresponding services, ensuring that the legitimate RPC endpoint is available," he wrote.
"This can hinder attackers from deploying malicious RPC servers that imitate legitimate endpoints."

The second is to grant SeImpersonatePrivilege only to processes that strictly require it. Granting it to custom or third-party processes, as sometimes happens, "is generally not considered good security practice," Kabibo wrote.

This story was updated at 3:30 p.m. EST on April 27 to reflect a statement provided by Microsoft.

About the Author: Elizabeth Montalbano, Contributing Writer. Elizabeth Montalbano is a freelance writer and journalist with more than 25 years of professional experience covering technology, business, and culture.
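The two mitigations above are checks an administrator can script. What follows is an added example written for this page, not code from the article, from Kaspersky's research, or from Microsoft: it audits which accounts hold SeImpersonatePrivilege (the precondition Microsoft cited), lists the services running under Local Service and Network Service (the foothold identities Kabibo names) together with their state, and records an ETW trace of the Microsoft-Windows-RPC provider so that client calls failing against an absent server can be pulled out afterwards. The provider GUID and the two RPC error codes are documented Windows values; the event ID and the name of the status field in the client-call stop event are assumptions, marked in the code, that should be confirmed against the provider manifest on the build under review. The session and file names are arbitrary.

```powershell
# Added example (not the article's, Kaspersky's, or Microsoft's code).
# Run from an elevated PowerShell on the host being reviewed.
#Requires -RunAsAdministrator

function Get-SeImpersonateHolders {
    # secedit exports User Rights Assignment as an INI file; the line looks like
    #   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    $sids = (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
    # Stock holders: Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE.
    # Anything else is a custom grant to the privilege the attack depends on.
    $defaults = @('S-1-5-32-544', 'S-1-5-6', 'S-1-5-19', 'S-1-5-20')
    foreach ($sid in $sids) {
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $account = $sid }   # unresolvable SID: report it raw
        [pscustomobject]@{ SID = $sid; Account = $account; DefaultHolder = ($defaults -contains $sid) }
    }
}

function Get-RestrictedServiceAccountServices {
    # Services running as LOCAL SERVICE or NETWORK SERVICE are the low-privileged
    # identities the article names. A stopped service is also a candidate endpoint
    # for a squatter, which is why State and StartMode are reported.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -match 'LocalService|NetworkService' } |
        Select-Object Name, StartName, State, StartMode, ProcessId |
        Sort-Object State, Name
}

$RpcProviderGuid = '{6AD52B32-D609-4BE9-AE07-CE8DAE937E39}'   # Microsoft-Windows-RPC (documented)

function Start-RpcTrace {
    param([string]$Name = 'PhantomRpcWatch', [string]$Path = "$env:TEMP\rpcwatch.etl")
    # Verbose level, all keywords, so client call start/stop events are captured.
    & logman.exe create trace $Name -p $RpcProviderGuid 0xffffffffffffffff 5 -o $Path -ets | Out-Null
}

function Stop-RpcTrace {
    param([string]$Name = 'PhantomRpcWatch')
    & logman.exe stop $Name -ets | Out-Null
}

function Get-RpcClientFailures {
    param([string]$Path = "$env:TEMP\rpcwatch.etl")
    # RPC_S_SERVER_UNAVAILABLE (1722) and EPT_S_NOT_REGISTERED (1753) are the Win32
    # errors a client receives when nothing is listening on the target endpoint.
    # ASSUMPTION: the client-call stop event is ID 6 and carries a 'Status' data
    # field; verify with the provider manifest before relying on this filter.
    $unavailable = @(1722, 1753)
    Get-WinEvent -Path $Path -Oldest -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -eq 'Microsoft-Windows-RPC' -and $_.Id -eq 6 } |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $statusNode = $xml.Event.EventData.Data | Where-Object { $_.Name -eq 'Status' }
            if ($statusNode) {
                $status = [int]$statusNode.'#text'      # handles decimal or 0x-prefixed hex
                if ($unavailable -contains $status) {
                    [pscustomobject]@{ Time = $_.TimeCreated; ProcessId = $_.ProcessId; Status = $status }
                }
            }
        } |
        Group-Object ProcessId, Status |
        Select-Object Count, Name   # repeated failures from one PID point at a server that should be running
}

# Usage (elevated):
#   Get-SeImpersonateHolders | Format-Table
#   Get-RestrictedServiceAccountServices | Format-Table
#   Start-RpcTrace; <let the host run its normal workload>; Stop-RpcTrace; Get-RpcClientFailures
```

A privileged PID that keeps failing with 1722 or 1753 is the signal the article describes: a legitimate server is expected but not listening, and its endpoint is free for a squatter. To find out which server, correlate each failure with the preceding client-call start event from the same process, which carries the interface UUID; that correlation is left out here to keep the example to the documented fields.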
|
In a Dark Reading article published April 27, 2026, Elizabeth Montalbano reports on a newly disclosed, unpatched Windows vulnerability dubbed "PhantomRPC" in the Remote Procedure Call (RPC) mechanism. Identified by Kaspersky application security specialist Haidar Kabibo, it lets an attacker with limited local access deploy a malicious RPC server that mimics a legitimate Windows service. The core of the weakness is how the RPC architecture handles connections to services that are not running: Windows allows any process to register an RPC server on the endpoint of a legitimate service as long as that service is stopped, so the rogue server receives the client calls meant for the real one. If some of those clients are highly privileged and the rogue server's process holds SeImpersonatePrivilege, it can impersonate them and elevate to SYSTEM or administrator level. Kabibo's research identified five distinct exploit paths stemming from this architectural weakness. Kaspersky disclosed the vulnerability to Microsoft in September; in October Microsoft rated it "moderate severity," declined a bounty, did not issue a CVE, and closed the case without further tracking, reasoning that the originating process must already hold SeImpersonatePrivilege for the attack to succeed. Kabibo nonetheless demonstrated five working exploit paths, tested on Windows Server 2022 and 2025 with the latest updates, and published the proof-of-concept code in a GitHub repository.
Microsoft's statement acknowledged the report, noted that the technique requires an already-compromised machine and grants no unauthenticated or remote access, described any update as a balance between compatibility and customer risk, and recommended limiting administrative privileges and applying the principle of least privilege. Privilege escalation remains a major concern for Windows defenders: such flaws made up more than half of the 165 vulnerabilities Microsoft patched in April. With no fix forthcoming, organizations running Windows must mitigate the risk themselves. Kaspersky advised Event Tracing for Windows-based monitoring to detect RPC exceptions, particularly clients trying to reach unavailable servers, and in some cases enabling the corresponding services so the legitimate endpoint stays occupied, which reduces the attack surface; it also advised restricting SeImpersonatePrivilege to the processes that strictly require it. The underlying architectural flaw means any process that can register an RPC endpoint in place of an absent service and receive a privileged client's connection can convert that connection into a SYSTEM token, giving an attacker full control of the system. |