PHANTOMRPC describes a privilege escalation technique in Windows RPC that enables a process with impersonation privileges to elevate to SYSTEM across all Windows versions. The research demonstrates five exploitation paths, including coercing the Group Policy service, scenarios where a malicious RPC server mimics TermService, and scenarios where user actions or background services trigger RPC calls made at a high impersonation level.
Attacks can occur when the Group Policy Client service or other system components attempt to connect to an RPC server using impersonation, potentially allowing RpcImpersonateClient to escalate privileges from Network Service or Local Service to SYSTEM or Administrator.
Microsoft classified the issue as moderate rather than high severity, and no CVE was issued; according to the vulnerability disclosure timeline, the MSRC response indicated moderate severity and the case was closed without further tracking. For defenders, the piece recommends ETW-based monitoring to detect RPC call failures to unavailable servers and advises reducing the use of SeImpersonatePrivilege where it is unnecessary.
According to the Microsoft Security Response Center, the case was assessed as moderate severity and patching was not pursued as an immediate priority. 24 April 2026.
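One way to apply the ETW monitoring recommendation above, as an added example that is not code from the original research: it flags endpoints that SYSTEM-level clients repeatedly call and find unavailable. It assumes RPC client events have already been exported as JSON lines; the field names, process images, interface IDs and endpoints are constructed placeholders, not a real ETW schema.

```python
import json
from collections import defaultdict

RPC_S_SERVER_UNAVAILABLE = 1722  # Win32 status: "The RPC server is unavailable"
PRIVILEGED_CALLERS = {"NT AUTHORITY\\SYSTEM"}

# Constructed sample records. Field names, images, interface IDs and endpoints
# are placeholders (assumptions), not a real ETW schema or real services.
SAMPLE_EVENTS = r"""
{"ts": 1, "caller": "NT AUTHORITY\\SYSTEM", "image": "svc_a.exe", "interface": "iface-a", "endpoint": "example_ep_a", "status": 1722}
{"ts": 2, "caller": "NT AUTHORITY\\SYSTEM", "image": "svc_c.exe", "interface": "iface-c", "endpoint": "example_ep_c", "status": 0}
{"ts": 2, "caller": "NT AUTHORITY\\SYSTEM", "image": "svc_a.exe", "interface": "iface-a", "endpoint": "example_ep_a", "status": 1722}
{"ts": 3, "caller": "NT AUTHORITY\\SYSTEM", "image": "svc_b.exe", "interface": "iface-b", "endpoint": "example_ep_b", "status": 1722}
{"ts": 4, "caller": "NT AUTHORITY\\SYSTEM", "image": "svc_a.exe", "interface": "iface-a", "endpoint": "example_ep_a", "status": 1722}
{"ts": 5, "caller": "NT AUTHORITY\\SYSTEM", "image": "svc_b.exe", "interface": "iface-b", "endpoint": "example_ep_b", "status": 1722}
{"ts": 5, "caller": "HOST\\user", "image": "app.exe", "interface": "iface-d", "endpoint": "example_ep_d", "status": 1722}
{"ts": 6, "caller": "NT AUTHORITY\\SYSTEM", "image": "svc_a.exe", "interface": "iface-a", "endpoint": "example_ep_a", "status": 0}
{"ts": 7, "caller": "NT AUTHORITY\\SYSTEM", "image": "svc_e.exe", "interface": "iface-e", "endpoint": "example_ep_e", "status": 1722}
"""

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_unserved_endpoints(events, min_failures=2):
    """Endpoints that privileged clients call repeatedly while no server answers."""
    stats = defaultdict(lambda: {"failures": 0, "images": set(), "served_at": None})
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["caller"] not in PRIVILEGED_CALLERS:
            continue  # only calls made by privileged clients are of interest
        s = stats[(ev["interface"], ev["endpoint"])]
        if ev["status"] == RPC_S_SERVER_UNAVAILABLE:
            s["failures"] += 1
            s["images"].add(ev["image"])
        elif ev["status"] == 0 and s["failures"] and s["served_at"] is None:
            s["served_at"] = ev["ts"]  # a server appeared after earlier failures
    findings = [
        {"interface": i, "endpoint": e, "failures": s["failures"],
         "images": sorted(s["images"]), "served_at": s["served_at"]}
        for (i, e), s in stats.items() if s["failures"] >= min_failures
    ]
    return sorted(findings, key=lambda f: -f["failures"])

if __name__ == "__main__":
    for f in find_unserved_endpoints(parse_events(SAMPLE_EVENTS)):
        print(f)
```

A non-null `served_at` means an endpoint that privileged callers previously found unavailable later answered, which is the case to triage first by checking which process registered it.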