PhantomRPC: New Windows RPC Vulnerability Lets Attackers Escalate Privileges Across All Windows Versions


PhantomRPC is an architectural weakness in the Windows Remote Procedure Call (RPC) runtime that allows low-privileged processes to escalate to SYSTEM or Administrator by impersonating privileged clients. Disclosed by Kaspersky’s Haidar Kabibo at Black Hat Asia 2026, the flaw stems from how rpcrt4.dll handles connections to unavailable RPC servers: when a privileged process attempts an RPC call to a server that is offline or disabled, the RPC runtime can be tricked into accepting a malicious fake server. That fake server can then use RpcImpersonateClient to assume the caller’s identity and gain elevated privileges. The research, presented on April 24, 2026, outlines five concrete exploitation paths and—critically—no patch has been released by Microsoft as of the report.

How PhantomRPC works

PhantomRPC is not a memory corruption bug or a narrow logic error in one component. Instead, it exploits an architectural gap in the RPC runtime’s verification of a responding server. If a legitimate endpoint is absent or disabled, a local attacker can host a spoofed RPC server that mimics the expected endpoint. When a privileged client connects with a high impersonation level, the malicious server can call RpcImpersonateClient and inherit the client’s security context. Because common Windows service accounts such as Network Service and Local Service hold SeImpersonatePrivilege by default, an attacker controlling a process under those accounts can escalate to SYSTEM or Administrator without needing remote code execution.

Five exploitation scenarios

Researchers from Kaspersky outline five practical paths an attacker can use to trigger the vulnerability. Each path relies on the same core abuse — a privileged process making an RPC call to an absent or disabled service that can be spoofed.

gpupdate.exe coercion

  • Forcing a Group Policy refresh with gpupdate /force causes the Group Policy Client (running as SYSTEM) to call TermService. If TermService is disabled, a fake RPC server can intercept that call and escalate to SYSTEM.

Microsoft Edge startup

  • When msedge.exe starts, it issues an RPC call to TermService at a high impersonation level. An attacker exposing a spoofed endpoint during startup can escalate from Network Service to Administrator without user interaction.

WDI background service polling

  • The Diagnostic System Host (WdiSystemHost), which runs as SYSTEM, periodically polls TermService every 5–15 minutes. An attacker only needs to wait for the automated call and can seize the high-privilege context when the legitimate endpoint is unavailable.

ipconfig.exe and DHCP Client

  • Running ipconfig.exe can generate an internal RPC call to the DHCP Client service. If DHCP is disabled and a malicious RPC server takes the expected endpoint, a Local Service attacker can move up to Administrator.

w32tm.exe and Windows Time

  • The Windows Time binary first attempts to connect to a named pipe \PIPE\W32TIME. An attacker can expose that endpoint (without disabling the real W32Time service) and impersonate any privileged user who runs the binary.

Microsoft’s response

Kaspersky reported the issue to Microsoft Security Response Center (MSRC) on September 19, 2025. Microsoft replied about 20 days later, classifying the issue as moderate because the attack requires SeImpersonatePrivilege — a privilege already granted by default to Network Service and Local Service. According to Kaspersky’s report, Microsoft did not assign a CVE and closed the case without scheduling a fix. That decision leaves organizations exposed to local privilege escalation scenarios until Microsoft chooses to change its assessment or issue a patch.

Mitigations and recommendations

  • Enable ETW-based RPC monitoring to detect RPC_S_SERVER_UNAVAILABLE errors (Event ID 1) coupled with high impersonation levels from privileged processes. These signals can indicate attempted hijacks.
  • Re-enable or avoid disabling services such as TermService where feasible, so legitimate endpoints remain present and cannot be trivially hijacked.
  • Audit and restrict SeImpersonatePrivilege to the smallest set of processes that truly require it; avoid granting it to custom or third-party applications unnecessarily.
  • Use Kaspersky’s released PhantomRPC tools (available on their GitHub repository) to scan and audit environments for exploitable RPC call patterns.
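Detection logic for the first mitigation above, as an added example that is not part of the article or of Kaspersky's tooling: it scans constructed JSON-lines RPC client telemetry and flags events where a privileged caller received RPC_S_SERVER_UNAVAILABLE (1722) while bound at impersonation level 3 or higher, which is the precondition the research describes. The field names, sample records and service watch-list are assumptions; a real Microsoft-Windows-RPC ETW export would need its fields mapped onto these.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

RPC_S_SERVER_UNAVAILABLE = 1722  # Win32 error 0x6BA: nobody is listening on the endpoint
RPC_C_IMP_LEVEL_IMPERSONATE = 3  # IMPERSONATE (3) or DELEGATE (4) lets the server adopt the caller
PRIVILEGED_PRINCIPALS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\NETWORK SERVICE",
                         "NT AUTHORITY\\LOCAL SERVICE"}
WATCHED_SERVICES = {"TermService", "Dhcp", "W32Time"}  # spoofable targets named in the research

@dataclass(frozen=True)
class Finding:
    severity: str  # "HIGH" or "MEDIUM"
    image: str
    user: str
    target: str
    reason: str

def classify(event: dict) -> Optional[Finding]:
    """Return a Finding when one RPC client event matches the PhantomRPC precondition.
    Assumed (constructed) record fields: image, user, target, impersonation_level, status
    and an optional elevated flag; real ETW field names must be mapped onto these first."""
    if event.get("status") != RPC_S_SERVER_UNAVAILABLE:
        return None  # the real server answered, so there was nothing to spoof
    privileged = event["user"] in PRIVILEGED_PRINCIPALS or event.get("elevated", False)
    if not privileged:
        return None  # an unprivileged caller has no token worth taking
    if event["impersonation_level"] >= RPC_C_IMP_LEVEL_IMPERSONATE:
        sev, why = "HIGH", "privileged client bound at IMPERSONATE level to an absent endpoint"
    else:
        sev, why = "MEDIUM", "privileged client hit an absent endpoint (level too low to adopt token)"
    if event["target"] in WATCHED_SERVICES:
        why += f"; {event['target']} is a known spoofable service"
    return Finding(sev, event["image"], event["user"], event["target"], why)

def scan(lines: Iterable[str]) -> List[Finding]:
    """Parse JSON-lines telemetry and keep only the events that warrant review."""
    findings = [classify(json.loads(line)) for line in lines if line.strip()]
    return [f for f in findings if f is not None]

# Constructed sample telemetry mirroring the article's scenarios (not real ETW output).
SAMPLE_LOG = [
    r'{"image":"gpupdate.exe","user":"NT AUTHORITY\\SYSTEM","target":"TermService","impersonation_level":3,"status":1722}',
    r'{"image":"WdiSystemHost","user":"NT AUTHORITY\\SYSTEM","target":"TermService","impersonation_level":3,"status":0}',
    r'{"image":"msedge.exe","user":"CORP\\admin","elevated":true,"target":"TermService","impersonation_level":3,"status":1722}',
    r'{"image":"ipconfig.exe","user":"CORP\\alice","target":"Dhcp","impersonation_level":3,"status":1722}',
    r'{"image":"svchost.exe","user":"NT AUTHORITY\\NETWORK SERVICE","target":"Dhcp","impersonation_level":2,"status":1722}',
]
```

Running `scan(SAMPLE_LOG)` yields three findings: the gpupdate.exe and msedge.exe records rate HIGH, the Network Service call at IDENTIFY level rates MEDIUM, and the successful WdiSystemHost poll and the unprivileged ipconfig.exe call are dropped.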

What defenders should prioritize now

Immediate priorities are detection and hardening: instrument systems to detect suspicious RPC behavior, restore or keep critical services enabled where possible, and inventory which processes possess SeImpersonatePrivilege. Security teams should also test the organization’s environment with the publicly released PhantomRPC tools to identify where the RPC call patterns line up with the exploitation scenarios Kaspersky described. Because the exploitation is local, endpoint detection and privileged-account hardening are key risk-reduction strategies.

Conclusion

PhantomRPC highlights how architectural assumptions in widely used runtimes can lead to powerful local privilege escalation paths. The vulnerability’s simplicity — exploiting RPC connections to absent endpoints and abusing RpcImpersonateClient — and Microsoft’s current decision not to issue a patch make proactive detection and privilege restriction essential. Organizations should immediately audit RPC-dependent services, tighten impersonation privileges, and use available research tools to assess exposure while watching for any change in Microsoft’s advisory or patch posture.
