www.darkreading.com 4/27/2026, 4:01:25 PM · via preferred

PhantomRPC Flaw Enables Low Privilege Windows SYSTEM Escalation

An unpatched vulnerability dubbed PhantomRPC could allow privilege escalation across Windows systems by abusing how the Remote Procedure Call architecture handles connections to unavailable services. A researcher, Haidar Kabibo, disclosed five different exploit paths that stem from this architectural weakness in RPC, sharing his findings in a post on X and in a blog published on Friday.

By exploiting the flaw, an attacker with limited local access can deploy a malicious RPC server that impersonates legitimate Windows services, enabling impersonation of higher-privileged processes and escalation to SYSTEM or administrator levels. Kabibo described the issue as an architecture problem and noted that if the hosting process has SeImpersonatePrivilege, a low-privileged process may gain higher privileges.

No patch is forthcoming. Microsoft initially assessed the issue as moderate severity, which means no immediate remediation, and Kabibo continues to dispute that assessment. He demonstrated PoCs on Windows Server 2022 and Windows Server 2025, and the PoCs are available in a GitHub repository. Defenders are advised to enable Event Tracing for Windows (ETW) monitoring and to limit the use of SeImpersonatePrivilege to strictly required processes.


Article by CyberSIXT
