{"id":11289,"date":"2026-04-28T12:00:49","date_gmt":"2026-04-28T12:00:49","guid":{"rendered":"https:\/\/cheapwindowsvps.com\/blog\/no-fix-available-yet-for-new-phantomrpc-privilege-escalation-vulnerability-in-windows\/"},"modified":"2026-04-28T12:00:49","modified_gmt":"2026-04-28T12:00:49","slug":"no-fix-available-yet-for-new-phantomrpc-privilege-escalation-vulnerability-in-windows","status":"publish","type":"post","link":"https:\/\/cheapwindowsvps.com\/blog\/no-fix-available-yet-for-new-phantomrpc-privilege-escalation-vulnerability-in-windows\/","title":{"rendered":"No Fix Available Yet for New PhantomRPC Privilege Escalation Vulnerability in Windows"},"content":{"rendered":"<p>A newly discovered vulnerability in the Windows Remote Procedure Call (RPC) system\u2014termed &quot;PhantomRPC&quot;\u2014opens the door for attackers to escalate their privileges to System level, as detailed by Kaspersky researchers. This issue affects all versions of Windows and exploits the RPC mechanism, which is intended for processes to communicate and invoke functions in other processes. The vulnerability originates from an architectural weakness that permits processes relying on RPC to become potential paths for privilege escalation.<\/p>\n<p>In the Windows environment, RPC operates on a client-server model that allows processes to impersonate others based on certain privileges, often granted to services running under Local Service and Network Service accounts. However, the RPC runtime fails to authenticate the RPC servers, allowing malicious actors to set up counterfeit RPC servers that mimic legitimate services.<\/p>\n<p>To exploit the PhantomRPC vulnerability, attackers first compromise a privileged service, then deploy a fake RPC server to listen for RPC requests. When a legitimate service attempts a call to the impersonated service, the attacker can seize the opportunity to elevate their privileges directly.<\/p>\n<p>One method involves an attacker using a compromised service running under the Network Service account to create a fake RPC server representing the default Remote Desktop service, TermService. By triggering a Group Policy service\u2014operating with System privileges\u2014to make an RPC call to TermService, the attacker can elevate their access to System level.<\/p>\n<p>Researcher Haidar Kabibo identified multiple exploitation paths, emphasizing the considerable attack surface this vulnerability presents due to numerous system DLLs in Windows reliant on RPC. For instance, when users launch Microsoft Edge, which also interacts with TermService, an attack can intercept that interaction to elevate privileges without the user&#8217;s knowledge.<\/p>\n<p>Additionally, local service accounts provide further avenues for privilege escalation. For example, the DHCP Client service and Windows Time service are both able to interact through RPC, and an attacker could exploit these interactions by crafting their fake RPC servers. In some scenarios, the attackers do not even need to disable the legitimate services; they merely need to manipulate the interactions through RPC calls to redirect to their malicious servers.<\/p>\n<p>Kaspersky initially reported this issue in September 2025, and while Microsoft has categorized it as a moderate threat because of the requisite impersonation privilege, they have not stated that immediate action is necessary.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A newly discovered vulnerability in the Windows Remote Procedure Call (RPC) system\u2014termed &quot;PhantomRPC&quot;\u2014opens the door for attackers to escalate their privileges to System level, as detailed by Kaspersky researchers. This issue affects all versions of Windows and exploits the RPC mechanism, which is intended for processes to communicate and invoke functions in other processes. The [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":11290,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-11289","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/11289","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/comments?post=11289"}],"version-history":[{"count":0,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/11289\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media\/11290"}],"wp:attachment":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media?parent=11289"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/categories?post=11289"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/tags?post=11289"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}