PhantomRPC: Unpatched Windows Flaw Enables SYSTEM Escalation
Kaspersky discloses PhantomRPC, an architectural Windows RPC vulnerability enabling SYSTEM-level privilege escalation across all Windows versions. Microsoft declined to patch despite five exploitation paths.
A design weakness in Windows Remote Procedure Call allows attackers to escalate privileges to SYSTEM on every Windows version. Microsoft has declined to fix it.
Kaspersky researcher Haidar Kabibo disclosed PhantomRPC at Black Hat Asia on April 24, 2026, after Microsoft's Security Response Center classified the vulnerability as "moderate severity" and closed the case without issuing a patch or CVE.
The flaw exploits how Windows RPC handles connections to unavailable servers. When legitimate services aren't running, attackers can impersonate them and hijack authentication from high-privilege processes.
How PhantomRPC Works
Windows Remote Procedure Call enables inter-process communication across the operating system. Applications use RPC to request services from other processes, often crossing privilege boundaries.
The vulnerability emerges when a privileged process — running as SYSTEM or Administrator — attempts to connect to an RPC server that isn't available. The Windows RPC runtime doesn't verify that the server answering on that endpoint is the legitimate one.
An attacker with SeImpersonatePrivilege can:
- Identify an RPC endpoint that privileged processes call but that isn't currently active
- Register a fake server at that endpoint
- Wait for a privileged process to connect
- Call RpcImpersonateClient to assume the caller's security context
The privileged process effectively hands its identity to the attacker's fake server.
Five Exploitation Paths
Kabibo's research demonstrates five distinct scenarios for escalating from low-privilege service accounts to SYSTEM or Administrator:
Group Policy Coercion — Running gpupdate /force triggers the Group Policy service (SYSTEM) to contact TermService. If TermService is disabled, attackers can impersonate it and capture SYSTEM credentials.
Microsoft Edge Browser — Launching Edge triggers automatic TermService RPC calls at the user's privilege level. An admin user opening Edge can have their credentials captured without any coercion commands.
Diagnostic System Host — The WDI background service makes periodic RPC calls to TermService every 5-15 minutes under SYSTEM context. Attackers simply wait.
DHCP Client — Disabling DHCP and running ipconfig.exe from an admin account creates an escalation path from Local Service to Administrator.
Windows Time Service — The w32tm.exe tool attempts connections to nonexistent pipe endpoints that attackers can expose, escalating from Local Service to Administrator.
Microsoft's Response
Kaspersky submitted the vulnerability to MSRC on September 19, 2025. Microsoft responded October 10, 2025, classifying it as moderate severity.
The rationale: exploitation requires SeImpersonatePrivilege, which Microsoft considers a privileged starting point. Network Service and Local Service accounts hold this privilege by default, but Microsoft views compromise of these accounts as already representing elevated access.
No CVE was assigned. The case was closed without a scheduled fix.
This isn't the first time Microsoft has declined to address RPC-related issues. The PrintNightmare saga demonstrated similar tensions between reported vulnerabilities and Microsoft's severity assessments.
Why SeImpersonatePrivilege Matters
Microsoft's position isn't unreasonable in isolation. If you already have SeImpersonatePrivilege, you've compromised something — a web server, a service account, something running with that privilege.
But the privilege is surprisingly common. IIS application pools, SQL Server service accounts, and numerous Windows services run with SeImpersonatePrivilege by default. Web application vulnerabilities that compromise these contexts suddenly become SYSTEM escalation paths.
The potato family of exploits (JuicyPotato, PrintSpoofer, etc.) already abuses similar patterns. PhantomRPC adds another technique to that toolkit.
Affected Systems
Kabibo confirmed exploitation on Windows Server 2022 and Windows Server 2025 with current patches. The architectural nature of the flaw likely affects all Windows versions using the same RPC runtime design.
No patch exists. No CVE tracks the issue. Defenders are working with full disclosure but no vendor remediation.
Mitigation Options
Since Microsoft won't patch, defenders must implement compensating controls:
Keep RPC services running — If legitimate services are active, attackers can't register fake endpoints. Ensure TermService and other commonly targeted services remain enabled.
Restrict SeImpersonatePrivilege — Limit which accounts hold this privilege. Review service account configurations and application pool identities.
Monitor RPC failures — ETW events can reveal RPC connection failures to unavailable servers. Unusual patterns may indicate exploitation attempts.
Endpoint detection — The Kaspersky research repository includes defensive tooling for identifying exploitation attempts.
Network segmentation — Limit what compromised service accounts can reach. Even with SYSTEM on one host, lateral movement should hit barriers.
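The first two compensating controls above can be checked on a host with standard Windows tooling. The script below is an added example written for this article, not part of the Kaspersky research or its repository: it reports whether the services the article names as impersonation targets (TermService, Dhcp) are running, and lists which accounts currently hold SeImpersonatePrivilege by parsing a secedit export of the local security policy. The service list and the output shape are assumptions; the cmdlets and the secedit export format are standard.

```powershell
# Added example: audit the "keep RPC services running" and
# "restrict SeImpersonatePrivilege" mitigations on one host.
# Run from an elevated prompt; secedit export requires administrator rights.

function Get-ServiceExposure {
    # Service names taken from the article's exploitation paths (assumption: these are
    # the services a defender most wants to keep alive; extend the list as needed).
    param([string[]]$Names = @('TermService', 'Dhcp'))

    foreach ($n in $Names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{ Service = $n; Status = 'NotInstalled'; StartType = 'n/a'; Exposed = $true }
            continue
        }
        [pscustomobject]@{
            Service   = $n
            Status    = $svc.Status
            StartType = $svc.StartType
            # The attack needs an endpoint whose legitimate server is not answering,
            # so any state other than Running is the condition to flag.
            Exposed   = ($svc.Status -ne 'Running')
        }
    }
}

function Get-ImpersonatePrivilegeHolders {
    # secedit writes the local policy as an INI file; the [Privilege Rights] section
    # contains a line such as: SeImpersonatePrivilege = *S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-544
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /quiet | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }

    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim().TrimStart('*')
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry)
            [pscustomobject]@{
                Sid     = $entry
                Account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            }
        } catch {
            # Entry was already a name, or the SID cannot be resolved on this host
            [pscustomobject]@{ Sid = $entry; Account = $entry }
        }
    }
}

Write-Host "Services whose absence would expose an RPC endpoint:"
Get-ServiceExposure | Format-Table -AutoSize

Write-Host "Accounts holding SeImpersonatePrivilege:"
Get-ImpersonatePrivilegeHolders | Format-Table -AutoSize
```

When reviewing the second table, note that Windows services receive SeImpersonatePrivilege through membership in the built-in SERVICE group (S-1-5-6) rather than through a per-account assignment, so an IIS application pool identity or SQL Server service account will not appear by name even though it holds the privilege at runtime. Any entry beyond the defaults (SERVICE, LOCAL SERVICE, NETWORK SERVICE, Administrators) is the one to question; the defaults are the accounts the article says Microsoft already treats as elevated.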
The Responsible Disclosure Debate
Kaspersky followed coordinated disclosure: submit to vendor, wait for response, publish after vendor action or reasonable timeline. Microsoft's closure of the case without remediation triggered the public disclosure.
This pattern has become increasingly common. Security researchers report issues; vendors decline to fix; researchers publish anyway. The result: defenders learn about vulnerabilities without official mitigations.
Whether this serves security goals depends on perspective. Users gain awareness of risks. Attackers gain exploitation techniques. Neither has vendor-provided fixes.
Why This Matters
PhantomRPC demonstrates that architectural vulnerabilities in foundational Windows components may never be fixed if vendors don't consider them severe enough. The privilege requirement becomes a gate that screens out attention even when real-world attack paths exist.
For pentesters and red teams, this is another privilege escalation technique to add to the toolkit. For defenders, it's another gap to compensate around without vendor support.
The Windows RPC subsystem handles billions of inter-process calls daily across enterprise environments. A design flaw at that layer isn't going away. The question becomes whether defenders can build sufficient controls around an unfixed foundation — and for how long.
Kabibo's full technical writeup and tools are available for security teams investigating potential exposure.