PhantomRPC: New Windows RPC Vulnerability Enables Local Privilege Escalation
Severity: High (Score: 69.0)
Sources: www.amazon.com, Securelist, learn.microsoft.com, Kaspersky, github.com
Summary
Kaspersky has identified a significant vulnerability in the Windows Remote Procedure Call (RPC) architecture, named PhantomRPC, which allows attackers to escalate privileges locally to SYSTEM level. This vulnerability arises from architectural design flaws rather than a single faulty component, affecting all Windows versions. Researchers demonstrated five distinct exploitation paths that can be leveraged in various local or network service contexts. The issue is particularly concerning due to its unlimited potential attack vectors, as any new process or service relying on RPC could introduce additional escalation paths. Despite the severity of the findings, Microsoft has not yet issued a patch. Organizations are advised to implement monitoring and limit the use of impersonation privileges to mitigate risks. The research was presented at Black Hat Asia 2026, highlighting its importance for businesses in assessing their security posture.
Key Points:
- PhantomRPC allows local privilege escalation to SYSTEM level in all Windows versions.
- The vulnerability stems from architectural design flaws in Windows RPC, not a single component.
- Microsoft has not issued a patch despite the vulnerability being disclosed.
Key Entities
- Zero-day Exploit (attack_type)
- CWE-269 - Improper Privilege Management (cwe)
- securelist.com (domain)
- T1068 - Exploitation for Privilege Escalation (mitre_attack)
- T1134 - Access Token Manipulation (mitre_attack)
- Windows (platform)
- Gpupdate.exe (tool)
- PhantomRPC (vulnerability)
- Potato (vulnerability)