Windows RPC / Windows Storage patched spoofing flaw (CVE-2025-49760)
Vulnerability
Summary
CVE-2025-49760 is a Windows RPC / Windows Storage spoofing flaw that Microsoft fixed in July 2025. Researchers showed the bug can be abused through EPM poisoning to register built-in interfaces, impersonate a known server, and coerce RPC clients into trusting an attacker-controlled endpoint. The issue matters because that spoofing path can help leak machine-account NTLM hashes and support privilege escalation.
Related Happenings
SOAPwn research on .NET WSDL proxy abuse enabling file writes and RCE
Technical Analysis
First: 10.12.2025 21:21
Last: 10.12.2025 21:21
Sources 1
About this happening:
Researchers exposed **SOAPwn**, a .NET Framework exploitation path that turns attacker-controlled **WSDL** input and **HTTP client proxies** into **arbitrary file writes** and **r...
EDR-Freeze user-mode race condition against Windows Error Reporting and MiniDumpWriteDump
Technical Analysis
First: 22.09.2025 20:07
Last: 22.09.2025 20:07
Sources 1
About this happening:
Researchers demonstrated **EDR-Freeze**, a **user-mode** race condition that can freeze **EDR** and antivirus processes on **Windows 11 24H2**, weakening endpoint defenses without...
Timeline
10.08.2025 15:31 · 1 article
SafeBreach discloses CVE-2025-49760 spoofing flaw
Initial Disclosure: SafeBreach researcher Ron Ben Yizhak disclosed at DEF CON 33 that CVE-2025-49760 in Microsoft's Windows RPC Endpoint Mapper (EPM) could be abused for spoofing by registering built-in interfaces, impersonating a known server, and coercing clients to authenticate to an attacker-controlled endpoint. Microsoft described the issue as a Windows Storage spoofing bug and said it was fixed in July 2025. SafeBreach also released RPC-Racer and recommended monitoring RpcEpRegister calls and ETW telemetry.
Sources:
- Researchers Detail Windows EPM Poisoning Exploit Chain Leading to Domain Privilege Escalation — thehackernews.com — 10.08.2025 15:31