www.securityweek.com 4/28/2026, 12:10:55 PM · via preferred

PhantomRPC Windows RPC flaw lets attackers gain SYSTEM privileges

Primary Source securelist.com

According to Kaspersky, a vulnerability in the Windows Remote Procedure Call (RPC) mechanism allows attackers to elevate privileges to SYSTEM by impersonating the target service with a fake RPC server. The flaw, named PhantomRPC by Haidar Kabibo, could affect all Windows versions. It exploits two things: the ability of processes to impersonate others, and the RPC runtime’s lack of verification for RPC servers.

To exploit PhantomRPC, an attacker must compromise a privileged service, deploy a counterfeit RPC server, listen for specific requests, and impersonate the targeted service to achieve escalation. The researchers describe multiple exploitation paths, including abusing a Network Service account, and separate routes involving the DHCP Client service and the Windows Time service, with scenarios where impersonation occurs during legitimate RPC interactions.

SecurityWeek notes that Microsoft classed the issue as moderate-severity and said it does not require immediate remediation; Kaspersky reported the issue in September 2025, and SecurityWeek has reached out for comment. The article was written by Ionut Arghire and published on 28 April 2026.


Article by CyberSIXT
