A design‑level RPC weakness leaves Windows systems exposed to privilege escalation.
Key Takeaways:
Cybersecurity researchers have disclosed a critical Windows flaw that could enable attackers to escalate privileges and gain unauthorized access to sensitive systems. The issue could allow low-privileged users to elevate their permissions and potentially take full control of affected machines.
According to a new report from Kaspersky, this technique, dubbed PhantomRPC, exploits a fundamental design weakness in Windows Remote Procedure Call (RPC) architecture rather than a conventional software bug or memory vulnerability.
Windows Remote Procedure Call (RPC) is a core communication mechanism that allows applications and services to exchange data and request actions across different processes, often running under different privilege levels. It operates on a client-server model, where one process requests a function and another executes it.
Researchers found that attackers can abuse this architecture by registering a malicious RPC server that mimics a legitimate Windows service when the real service is unavailable. This can trick higher-privileged processes into connecting to the rogue server. Once connected, attackers may impersonate the privileged client and escalate their access to SYSTEM-level privileges, potentially gaining full control over the affected machine.
The research demonstrates five different exploitation paths, which show that privilege escalation can occur from various low-privileged service contexts. Some paths require user interaction, while others rely on background services or coercion. Because PhantomRPC originates from architectural behavior rather than a single vulnerable component, the number of possible attack vectors is effectively unlimited: any new or existing Windows service that relies on RPC could potentially become an entry point.
Kaspersky responsibly disclosed the issue to Microsoft. However, Microsoft classified it as a design-level concern and has not released a patch or assigned a CVE, which leaves the technique unpatched at the time of publication.
Organizations should focus on reducing exposure and improving visibility, since PhantomRPC is rooted in Windows architecture rather than a single patchable flaw. They should avoid leaving services disabled unnecessarily, because attackers rely on a legitimate RPC service being unavailable in order to impersonate it. Moreover, organizations must limit the use of privileges like SeImpersonatePrivilege to only essential services to significantly reduce the risk of privilege escalation.
Additionally, organizations should strengthen monitoring and detection around RPC activity. They should log and alert on unusual RPC connection failures, repeated attempts to reach unavailable services, and unexpected RPC servers being registered, so that abuse is identified early. Organizations are also advised to keep systems hardened, regularly review service configurations, and apply defense-in-depth strategies to mitigate the impact of architectural weaknesses that cannot be easily fixed with updates.
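As an added illustration of the detection advice above (not code from the report or from Kaspersky), the script below correlates the three stages the article describes: repeated failures to reach an RPC endpoint, a registration of that endpoint by an identity other than its expected owner, and a subsequent client connecting to the rogue server. The event records, field names and the allowlist of expected endpoint owners are constructed for the example; they assume an instrumentation layer that reports these fields, not any particular Windows event format.

```python
"""Correlate constructed RPC telemetry in the PhantomRPC pattern:
endpoint unavailable -> registered by an unexpected identity -> client connects."""
from collections import defaultdict

# Constructed allowlist: which identity is expected to own each RPC endpoint.
EXPECTED_OWNERS = {
    "ncalrpc:[svc_a]": "NT AUTHORITY\\SYSTEM",
    "ncalrpc:[svc_b]": "NT AUTHORITY\\NETWORK SERVICE",
}

# Constructed sample events (not real Windows log records).
SAMPLE_EVENTS = [
    {"ts": 1, "kind": "connect_fail", "endpoint": "ncalrpc:[svc_a]", "who": "NT AUTHORITY\\SYSTEM"},
    {"ts": 2, "kind": "connect_fail", "endpoint": "ncalrpc:[svc_a]", "who": "NT AUTHORITY\\SYSTEM"},
    {"ts": 3, "kind": "connect_fail", "endpoint": "ncalrpc:[svc_a]", "who": "NT AUTHORITY\\SYSTEM"},
    {"ts": 4, "kind": "register",     "endpoint": "ncalrpc:[svc_a]", "who": "DESKTOP\\lowpriv"},
    {"ts": 5, "kind": "connect_ok",   "endpoint": "ncalrpc:[svc_a]", "who": "NT AUTHORITY\\SYSTEM"},
    {"ts": 6, "kind": "register",     "endpoint": "ncalrpc:[svc_b]", "who": "NT AUTHORITY\\NETWORK SERVICE"},
    {"ts": 7, "kind": "connect_fail", "endpoint": "ncalrpc:[svc_b]", "who": "NT AUTHORITY\\SYSTEM"},
]


def detect_phantom_rpc(events, expected_owners, fail_threshold=3):
    """Return a list of (alert_type, endpoint, identity) tuples in time order."""
    fail_counts = defaultdict(int)   # endpoint -> failed connection attempts
    rogue = {}                       # endpoint -> identity that registered it unexpectedly
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ep, who = ev["endpoint"], ev["who"]
        if ev["kind"] == "connect_fail":
            fail_counts[ep] += 1
            if fail_counts[ep] == fail_threshold:  # alert once per endpoint
                alerts.append(("repeated_failures", ep, who))
        elif ev["kind"] == "register":
            # Unknown endpoints and registrations by the wrong identity are both suspicious.
            if expected_owners.get(ep) != who:
                rogue[ep] = who
                alerts.append(("unexpected_registration", ep, who))
        elif ev["kind"] == "connect_ok" and ep in rogue and who != rogue[ep]:
            # A client (here SYSTEM) reached an endpoint now owned by an unexpected identity.
            alerts.append(("client_connected_to_rogue_server", ep, who))
    return alerts


def run_sample():
    return detect_phantom_rpc(SAMPLE_EVENTS, EXPECTED_OWNERS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In practice the allowlist would be built from a known-good inventory of services and the telemetry from whatever RPC instrumentation the environment has, but the correlation logic stays the same.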