
Windows EPM Poisoning Exploit Chain Enables Domain Privilege Escalation

📰 1 unique source, 1 article

Summary


A now-patched vulnerability in Microsoft's Windows Remote Procedure Call (RPC) communication protocol, tracked as CVE-2025-49760, allowed attackers to perform spoofing attacks and impersonate known servers. This flaw enabled unprivileged users to achieve local/domain privilege escalation through an EPM poisoning attack. The exploit chain involved manipulating the Endpoint Mapper (EPM) to redirect RPC clients to malicious servers, leading to credential theft and privilege escalation. The vulnerability was disclosed by SafeBreach researcher Ron Ben Yizhak at DEF CON 33. Microsoft fixed the issue in July 2025 as part of its monthly Patch Tuesday update. The attack leveraged the lack of security checks in the EPM, allowing attackers to register interfaces of core services and hijack RPC communications.

Timeline

  1. 10.08.2025 15:31 📰 1 article · ⏱ 1mo ago

    EPM Poisoning Exploit Chain in Windows RPC Disclosed

    A vulnerability in Windows RPC, tracked as CVE-2025-49760, allows EPM poisoning attacks that enable unprivileged users to impersonate legitimate servers and redirect RPC clients. The exploit chain involves manipulating the EPM to register interfaces of core services and hijack RPC communications, leading to credential theft and privilege escalation. The vulnerability was disclosed by SafeBreach researcher Ron Ben Yizhak at DEF CON 33 and was patched by Microsoft in July 2025. The attack can also be expanded to conduct AitM and DoS attacks.


Similar Happenings

Phoenix Rowhammer attack bypasses DDR5 Rowhammer defenses

A new Rowhammer attack variant, called Phoenix, bypasses the latest protection mechanisms on DDR5 memory chips from SK Hynix. This attack exploits vulnerabilities in the Target Row Refresh (TRR) mechanism to flip bits in memory, enabling privilege escalation and unauthorized access. The attack was developed by researchers at ETH Zurich University and Google, and it affects all DDR5 DIMM RAM modules produced between January 2021 and December 2024. The Phoenix attack can corrupt data, increase privileges, execute malicious code, or access sensitive data. It works by repeatedly accessing specific rows of memory cells to cause electrical interference, altering nearby bits. The attack is tracked as CVE-2025-6202 and has been assigned a high-severity score. The researchers demonstrated the attack's effectiveness by successfully flipping bits on all 15 DDR5 memory chips in their test pool, achieving root privileges in under two minutes. They also showed that the attack can break SSH authentication and alter system binaries to escalate local privileges. The researchers recommend increasing the refresh rate to 3x to mitigate the Phoenix attack.

Active exploitation of CVE-2025-5086 in DELMIA Apriso

CVE-2025-5086, a critical deserialization flaw in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software, is being actively exploited. The vulnerability, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. Exploitation attempts have been observed, targeting the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint with a Base64-encoded payload. The payload decodes to a GZIP-compressed Windows executable that deploys a malicious program designed to spy on user activities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, advising Federal Civilian Executive Branch (FCEB) agencies to apply updates by October 2, 2025. The malware, identified as Trojan.MSIL.Zapchast.gen, captures keyboard input, takes screenshots, and gathers information about active applications. This information is then sent to the attacker via various means, including email, FTP, and HTTP. The exploit involves sending a malicious SOAP request to vulnerable endpoints. The malicious requests were observed originating from the IP 156.244.33[.]162.

Microsoft's RC4 Encryption Vulnerability Exploited in Black Basta Ransomware Attack on Ascension

U.S. Senator Ron Wyden has called for an FTC investigation into Microsoft's cybersecurity practices, citing the company's support for RC4 encryption and insecure default settings that facilitated a ransomware attack on the Ascension healthcare network. The attack, attributed to the Black Basta ransomware group, compromised nearly 5.6 million individuals' personal and medical information. The breach occurred when a contractor's system was infected via a malicious link on Microsoft's Bing search engine. Attackers exploited insecure default settings and Kerberoasting techniques to gain elevated access to Ascension's network. Microsoft has acknowledged the vulnerabilities and plans to deprecate RC4 support in future updates. Wyden has criticized Microsoft for not clearly warning customers about the risks associated with RC4 encryption and for not taking decisive action to mitigate security risks.

Akira Ransomware Group Exploits SonicWall SSL VPN Flaws

The Akira ransomware group has been actively exploiting SonicWall SSL VPN flaws and misconfigurations to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting SonicWall devices to facilitate ransomware operations. The group leverages a combination of security vulnerabilities, including a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings, to bypass access controls and infiltrate networks. Organizations are advised to rotate passwords, remove unused accounts, enable multi-factor authentication, and restrict access to the Virtual Office Portal to mitigate risks. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of SonicWall SSL VPNs and issued alerts about the increased exploitation of CVE-2024-40766.

Cursor AI editor autoruns malicious code in repositories

A flaw in the Cursor AI code editor allows malicious repositories to execute arbitrary code automatically when opened. This vulnerability can lead to malware installation, environment hijacking, and credential theft. Cursor, an AI-powered IDE based on Visual Studio Code, disables the Workspace Trust feature by default, allowing this behavior. The flaw affects one million users who generate over a billion lines of code daily. Cursor developers have decided not to fix the issue, citing the need to maintain AI and other features. The vulnerability is part of a broader trend of prompt injections and jailbreaks affecting AI-powered coding and reasoning agents, which can embed malicious instructions to perform harmful actions or leak data.