Kaspersky disclosed a Windows vulnerability class named PhantomRPC at Black Hat Asia 2026. According to the researchers it affects every Windows version and yields SYSTEM-level access; Microsoft has not released a patch, assigned no CVE, and closed the case.
There is a technology inside Windows so deep and so crucial that if it is compromised, the entire operating system falls into an attacker's hands, and researchers say that is exactly what is happening. Kaspersky has identified PhantomRPC, a vulnerability in the Windows Remote Procedure Call (RPC) architecture that arises from the design's intended behavior rather than from a coding mistake.
The research was presented at Black Hat Asia 2026. The company's researchers confirmed that the issue, which enables a new local privilege escalation technique, is not caused by a single faulty component but by the RPC design as a whole. Most disturbingly, the issue was reported to Microsoft, Microsoft closed the case, and there is still no patch.
Windows' RPC mechanism has been the backbone of the operating system for decades. RPC serves both as a standalone communication channel and as the transport layer underneath higher-level interprocess communication technologies, and because of its complexity and ubiquity it has historically been a major source of security issues, ranging from local privilege escalation to full remote code execution.
But PhantomRPC is not merely a variation of a known privilege escalation attack; it is a new and previously undocumented attack class.
Fake Server More Powerful Than a Real Server
PhantomRPC is not a classic memory corruption bug, nor a flaw in one component's logic. It takes advantage of how the Windows RPC runtime, rpcrt4.dll, handles connections to RPC servers that are offline or not running.
When a highly privileged process calls an RPC server that is not running, the RPC runtime does not verify whether whatever does answer is the legitimate server. This is a fundamental trust failure: the system assumes that whoever responds is genuine.

Endpoint spoofing is the first pillar of the attack. The attacker registers a rogue RPC endpoint for the same interface UUID as a privileged service that is not currently running. When the privileged client asks the Endpoint Mapper (EPM) where that interface lives, the EPM returns the most recently registered endpoint, which belongs to the attacker.
Authentication bypass is the second pillar. Many RPC services do not enforce mutual authentication: the client trusts the endpoint the EPM handed it and never verifies the server's identity. From a foothold such as the Local Service account, the attacker can then escalate privileges without any user interaction or noticeable activity.

Kaspersky reviewed five exploitation paths that demonstrate privilege escalation from various local or network service contexts to SYSTEM or other highly privileged accounts. The real danger, though, is that because the issue stems from an architectural weakness, the potential attack vectors are effectively unlimited: any new process or service that relies on RPC could become an additional escalation path.
Microsoft Refuses to Patch the Vulnerability
After discovering the vulnerability, Kaspersky Security Services wrote a 10-page technical report and submitted it to the Microsoft Security Response Center. Microsoft responded six days later, classified the issue as moderate severity, assigned no CVE, offered no bounty, and closed the case on October 10, 2025 without further tracking. Microsoft's argument was that the process originating the attack must already hold the SeImpersonate privilege, so the issue does not require immediate remediation.
Security researchers disagree with that assessment. Microsoft's August 2023 patch addressed specific instances, not the underlying architectural issue. The endpoint authentication weakness in the RPC infrastructure remains, and the design is still fundamentally vulnerable.
SeImpersonate is held by many system processes, and it is also granted to custom or third-party processes far more often than good security practice would allow. The privilege is therefore not as rare as Microsoft's response suggests.
Kaspersky has publicly released its research framework and tools on GitHub. Organizations can use them to audit their environments and find which RPC call patterns make them vulnerable. Defenders should also implement ETW-based monitoring to identify RPC exceptions, especially when RPC clients try to connect to servers that are unavailable.
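As a starting point for the ETW monitoring mentioned above, here is an added example (not Kaspersky's tooling and not from the original article) that captures a short trace from the built-in Microsoft-Windows-RPC provider and applies a first-pass filter. The provider name, the logman and Get-WinEvent syntax, and the Win32 status codes 1722 (RPC_S_SERVER_UNAVAILABLE) and 1753 (EPT_S_NOT_REGISTERED) are standard; treating those codes or warning-level events as the trigger is this example's own heuristic, not a documented detection rule, and the session name and file path are arbitrary.

```powershell
# Added example, not part of the PhantomRPC research or its GitHub tools.
# Capture 60 seconds of events from the Windows RPC ETW provider, then surface
# events that look like client-side failures for a human to review.
# Assumes an elevated PowerShell session.

$etl = Join-Path $env:TEMP 'rpc-audit.etl'   # arbitrary output path (assumption)

# Start a kernel-independent trace session for the RPC runtime provider.
logman start RpcAudit -p 'Microsoft-Windows-RPC' -o $etl -ets | Out-Null
Start-Sleep -Seconds 60
logman stop RpcAudit -ets | Out-Null

# Heuristic filter (assumption): warning/error-level events, or event text that
# carries the "server unavailable" / "endpoint not registered" status codes that
# an RPC client sees when it calls a server that is not running.
Get-WinEvent -Path $etl -Oldest | Where-Object {
    ($_.Level -ge 1 -and $_.Level -le 3) -or
    ([string]$_.Message -match '\b(1722|1753)\b')
} | Select-Object TimeCreated, Id, ProcessId, Level,
        @{ Name = 'Message'; Expression = { [string]$_.Message -replace '\s+', ' ' } } |
  Format-Table -AutoSize
```

Correlate the ProcessId column with the running process list (a privileged service such as an svchost.exe host hitting these failures while a low-privileged process has just registered an endpoint is the pattern worth chasing); in production this belongs in a persistent trace session or an EDR rule rather than a one-off capture.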

And the SeImpersonate privilege should be limited strictly to the processes that need it. Granting it to any third-party application is a serious risk, and PhantomRPC makes it doubly dangerous. No patch, no CVE, but the threat is real and present on every Windows machine.
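To act on that advice you first need to know who actually holds the privilege. The following is an added example (not Kaspersky's research tooling and not from the original article) that reads the local security policy to list every principal granted SeImpersonatePrivilege and then lists the running services executing as those accounts, flagging binaries outside the Windows directory for review. It assumes an elevated session; secedit.exe, the Win32_Service CIM class and the well-known NT AUTHORITY accounts are standard Windows components, while the function names and the temporary file path are this example's own.

```powershell
# Added example, not part of the PhantomRPC research or its GitHub tools.
# Audits holders of SeImpersonatePrivilege ("Impersonate a client after
# authentication") and the running services that execute under those accounts.
# Assumes an elevated PowerShell session. Function names are this example's own.

function Get-SeImpersonateHolders {
    # Export only the user-rights area of the local policy to a temporary INF file.
    $cfg = Join-Path $env:TEMP 'seimpersonate-audit.inf'   # arbitrary path (assumption)
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' } |
            Select-Object -First 1
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }

    # Default grant on a workstation is *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
    # (Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE). Any other SID is a
    # custom grant that should have a written justification.
    $defaults = 'S-1-5-32-544', 'S-1-5-6', 'S-1-5-19', 'S-1-5-20'
    (($line -split '=', 2)[1] -split ',') | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {
            $acct = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $acct = $sid }   # unresolvable SID (deleted account): keep it raw
        [pscustomobject]@{ Sid = $sid; Account = $acct; IsDefault = ($defaults -contains $sid) }
    }
}

function Get-AccountKey([string]$Name) {
    # Compare on the bare account name, case-insensitive and without spaces, so that
    # "NT AUTHORITY\LocalService" (service configuration) and
    # "NT AUTHORITY\LOCAL SERVICE" (SID translation) are treated as the same account.
    $bare = ($Name -split '\\')[-1]
    return ($bare -replace '\s', '').ToUpperInvariant()
}

function Get-RunningServicesWithImpersonate {
    $holderKeys = @(Get-SeImpersonateHolders | ForEach-Object { Get-AccountKey $_.Account })
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.StartName } |
        ForEach-Object {
            $key = Get-AccountKey $_.StartName
            # LocalSystem never appears in the policy list, but SYSTEM tokens hold the
            # privilege regardless, so report it too. Group grants (e.g. Administrators)
            # are not expanded here: a service running as a local admin user is missed.
            if ($key -eq 'LOCALSYSTEM' -or $holderKeys -contains $key) {
                $path = $_.PathName.TrimStart('"')
                [pscustomobject]@{
                    Service    = $_.Name
                    RunsAs     = $_.StartName
                    ThirdParty = -not ($path -like "$env:SystemRoot*")
                    Path       = $_.PathName
                }
            }
        }
}

Get-SeImpersonateHolders | Format-Table -AutoSize
Get-RunningServicesWithImpersonate | Sort-Object ThirdParty -Descending | Format-Table -AutoSize
```

Entries with IsDefault false in the first table, and ThirdParty true in the second, are the candidates to move to a dedicated low-privilege account without the right (sc.exe config obj= or the service's own settings); the removal is deliberately left to the operator, since some products genuinely need impersonation and will fail without it.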