PhantomRPC Local Privilege Escalation in Windows RPC Mechanism Exploited via Impersonation Abuse
Summary
A novel local privilege escalation technique named PhantomRPC has been disclosed, leveraging architectural weaknesses in the Windows Remote Procedure Call (RPC) mechanism to escalate privileges to SYSTEM level across all supported Windows versions. The attack abuses legitimate Windows impersonation mechanisms and RPC server impersonation without runtime verification, allowing attackers to deploy malicious RPC endpoints that mimic legitimate services such as TermService or DHCP Client. Exploitation requires prior compromise of a privileged service account or user context, and can be triggered via scheduled system calls, user actions, or automatic service behavior. The vulnerability introduces a broad attack surface due to the widespread use of RPC in Windows system components and applications.
Timeline
- 28.04.2026 14:31
PhantomRPC: Unpatched Privilege Escalation Technique in Windows RPC Exploited via Impersonation Abuse
Kaspersky researcher Haidar Kabibo disclosed PhantomRPC, a local privilege escalation technique exploiting architectural weaknesses in Windows RPC and impersonation mechanisms. The technique enables elevation to SYSTEM level by deploying malicious RPC servers that mimic legitimate services such as TermService, DHCP Client, or Windows Time service endpoints. Attack paths include intercepting calls from Group Policy service, Edge browser, WDI service (every 5–15 minutes), and administrator-run tools like ipconfig or w32tm.exe. Microsoft assessed the issue as moderate severity and does not plan immediate remediation due to required impersonation privileges and exploitation prerequisites.
- No Patch for New PhantomRPC Privilege Escalation Technique in Windows — www.securityweek.com — 28.04.2026 14:31
Information Snippets
- PhantomRPC is a local privilege escalation technique exploiting an architectural flaw in Windows RPC, enabling elevation to SYSTEM privileges on all Windows versions.
  First reported: 28.04.2026 14:31
- The flaw abuses Windows impersonation levels and the absence of RPC server identity verification, allowing attackers to deploy malicious RPC servers with the same endpoints as legitimate services.
  First reported: 28.04.2026 14:31
- Exploitation scenarios include intercepting RPC calls from the Group Policy service, Edge browser startup, or DHCP Client service calls to TermService, redirecting them to attacker-controlled RPC servers.
  First reported: 28.04.2026 14:31
- Kaspersky reported the issue to Microsoft in September 2025; Microsoft classified it as moderate severity due to required impersonation privileges and does not plan immediate remediation.
  First reported: 28.04.2026 14:31
- Attack paths also involve the Windows Time service (w32tm.exe) and the Diagnostic System Host Service (WDI), with the latter triggering calls every 5–15 minutes automatically.
  First reported: 28.04.2026 14:31
- Successful exploitation requires compromised access to a service running under Local Service or Network Service accounts, or a high-privileged user context.
  First reported: 28.04.2026 14:31