A Kaspersky researcher discovered PhantomRPC, an unpatched architectural flaw in Windows' Remote Procedure Call (RPC) mechanism that enables local privilege escalation. An attacker with limited local access registers a malicious RPC server that impersonates a legitimate Windows service; when a higher-privileged process connects to it, the attacker's endpoint receives the connection and can escalate to SYSTEM or administrator level. Five distinct exploit paths exist, all rooted in the same architectural issue. Microsoft classified the flaw as only 'moderate severity' and closed the case without issuing a CVE or patch, citing the requirement for SeImpersonatePrivilege as a prerequisite. Note that this privilege is held by default by the Administrators group and by the LOCAL SERVICE, NETWORK SERVICE and SERVICE accounts, so any compromised service process (an IIS worker, for example) already satisfies the prerequisite. PoC code is publicly available on GitHub. Defenders are advised to monitor RPC activity through Event Tracing for Windows (ETW) and to restrict SeImpersonatePrivilege to only the processes that strictly need it.
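The following PowerShell script is an added example of the privilege-review step recommended above; it is not code from the Kaspersky write-up, the PoC repository or Microsoft. It exports the local user-rights assignment with secedit.exe, resolves every principal that holds SeImpersonatePrivilege, and flags anything beyond the four default holders (Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE) for review. The temporary file name and the "REVIEW" labelling are the example's own choices; the script must be run from an elevated prompt.

```powershell
# Added example (not from the Kaspersky research or the PoC): list who holds
# SeImpersonatePrivilege on this host and flag non-default holders.
# Requires an elevated prompt. Assumes secedit.exe is present (it ships with
# every supported Windows version). The temp file name is arbitrary.

$infPath = Join-Path $env:TEMP 'secpol-user-rights.inf'
& secedit.exe /export /cfg $infPath /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $infPath)) { throw 'secedit export failed; run from an elevated prompt' }

# The export is plain INI text. The relevant line looks like:
#   SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
$line = Get-Content $infPath |
    Where-Object { $_ -match '^\s*SeImpersonatePrivilege\s*=' } |
    Select-Object -First 1
Remove-Item $infPath -Force

if (-not $line) {
    Write-Host 'SeImpersonatePrivilege is not assigned in local policy'
    return
}

# Entries prefixed with '*' are SIDs; anything else is already an account name.
$holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
    $raw = $_.Trim()
    if ($raw.StartsWith('*')) {
        $sidString = $raw.Substring(1)
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved SID>'   # orphaned or foreign SID: review it too
        }
        [pscustomobject]@{ SID = $sidString; Account = $name }
    } else {
        [pscustomobject]@{ SID = '<name only>'; Account = $raw }
    }
}

# Default holders documented by Microsoft for "Impersonate a client after
# authentication": LOCAL SERVICE, NETWORK SERVICE, Administrators, SERVICE.
$defaultHolders = @('S-1-5-19', 'S-1-5-20', 'S-1-5-32-544', 'S-1-5-6')

foreach ($h in $holders) {
    $flag = if ($defaultHolders -contains $h.SID) { 'default' } else { 'REVIEW' }
    '{0,-8} {1,-16} {2}' -f $flag, $h.SID, $h.Account
}

# To see whether the *current* token already carries the privilege (the
# attacker's starting condition), compare with: whoami /priv
```

Rows marked REVIEW are accounts that were granted the right outside the Windows defaults (custom service accounts, IIS_IUSRS on web servers, and similar); each is a candidate for removal or for being moved to a dedicated, tightly scoped service account. Removing the right from the default service accounts themselves is rarely viable, which is why the ETW monitoring recommended in the summary matters as a detective control alongside this preventive one.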