PhantomRPC: Architectural Windows Flaw Allows Local Privilege Escalation

Take action: If you run Windows servers or workstations, enable ETW-based RPC monitoring to detect suspicious `RPC_S_SERVER_UNAVAILABLE` errors and restrict `SeImpersonatePrivilege` to only essential service accounts. Also keep services like TermService enabled so attackers can't spoof those unavailable endpoints.


Learn More

An architectural vulnerability in the Windows Remote Procedure Call (RPC) runtime, named PhantomRPC, reportedly allows attackers to gain SYSTEM-level access on all versions of the operating system. Research presented at Black Hat Asia 2026 reveals that the flaw lies in how rpcrt4.dll handles connections to unavailable servers. Microsoft has not assigned a CVE or a formal CVSS score for this issue; it has classified the risk as moderate and has no current plans to release a patch.

PhantomRPC turns standard service accounts, like Network Service and Local Service, into gateways for full system compromise. Since these accounts often hold impersonation privileges by default, an attacker who gains a foothold in a web server or local service can move laterally to take over the entire Windows host. The vulnerability exploits the core design of Windows interprocess communication, not a coding error.

Vulnerabilities summary:

  • PhantomRPC Architectural Flaw (CVSS score TBD), an architectural design weakness in the Windows RPC runtime (rpcrt4.dll) that arises because the system does not verify the legitimacy of whichever server responds for an unavailable endpoint. An attacker holding SeImpersonatePrivilege can deploy a malicious RPC server to intercept calls from high-privileged clients such as SYSTEM. By calling the RpcImpersonateClient API, the attacker assumes the client's security context and can run arbitrary code with full system privileges.
  • gpupdate.exe and WDI Service Exploitation (CVSS score TBD), a privilege escalation mechanism in which the Group Policy Client or Diagnostic System Host attempts to communicate with a disabled Terminal Service. An attacker intercepts these automated RPC calls to escalate from a Network Service account to SYSTEM. This path is particularly dangerous because it requires no user interaction and can be triggered on demand or via background polling.
  • Edge Browser and Admin Tool Exploitation (CVSS score TBD), a privilege escalation path in which launching Microsoft Edge or running administrative tools such as ipconfig.exe triggers RPC requests to unavailable services. An attacker spoofing these endpoints can capture the security tokens of administrators who execute these common commands, gaining full administrative control over the host.

This flaw affects every version of Windows; successful tests were performed on Windows Server 2022 and Windows Server 2025. The research notes that any process or service using RPC could introduce a new escalation path if it attempts to connect to an unavailable endpoint. Because the issue is architectural, the number of ways to trigger the exploit is virtually unlimited and depends on the specific software and services running on a given system.

Since no official patch exists, defenders must use alternative methods to protect their environments. Organizations should enable ETW-based RPC monitoring to find RPC_S_SERVER_UNAVAILABLE errors linked to high impersonation levels. Administrators can also reduce the attack surface by enabling services like TermService to ensure legitimate endpoints are occupied, and by restricting SeImpersonatePrivilege to only the most necessary processes. Tools for auditing these patterns are available in the PhantomRPC GitHub repository.
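As an added defensive audit (not code from the research or from the PhantomRPC repository), the following PowerShell script lists which accounts hold SeImpersonatePrivilege on a host, flags any holder outside an assumed stock set, and checks whether TermService is enabled and running, the two host-level checks recommended above. Assumptions are the stock holder list and the Microsoft-Windows-RPC ETW provider named in the comments.

```powershell
# Added audit script; not code from the PhantomRPC research or its repository.
# Run from an elevated PowerShell prompt on the host being assessed.

function Get-ImpersonatePrivilegeHolders {
    # secedit exports the local user-rights assignments as an INI-style file
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # The value is a comma-separated list such as "*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6";
    # a leading '*' marks a SID, which is translated to an account name where possible
    ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $entry }
        } else { $entry }
    }
}

# Assumption: the stock assignment of this right on a Windows server is these four principals
$expectedHolders = @('BUILTIN\Administrators', 'NT AUTHORITY\LOCAL SERVICE',
                     'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SERVICE')

$holders = @(Get-ImpersonatePrivilegeHolders)
Write-Host 'Accounts holding SeImpersonatePrivilege:'
foreach ($h in $holders) {
    $flag = if ($h -in $expectedHolders) { '' } else { '  <-- not a stock holder, review' }
    Write-Host "  $h$flag"
}

# A service whose RPC endpoint is unregistered is a candidate for spoofing; the
# advisory names TermService, so check that it is enabled and running
$svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning 'TermService is not installed on this host'
} elseif ($svc.StartType -eq 'Disabled' -or $svc.Status -ne 'Running') {
    Write-Warning "TermService is $($svc.Status) (start type $($svc.StartType)); its endpoint is unoccupied"
} else {
    Write-Host 'TermService is running; its endpoint is occupied'
}

# Optional: capture RPC runtime events to an ETL file for offline review of
# RPC_S_SERVER_UNAVAILABLE failures. Assumption: the built-in Microsoft-Windows-RPC ETW
# provider is used; the advisory points to the PhantomRPC repository for purpose-built tooling.
# logman start PhantomRpcAudit -p Microsoft-Windows-RPC -o "$env:TEMP\rpc-audit.etl" -ets
```

Any holder flagged as non-stock should be justified or removed via Local Security Policy (User Rights Assignment), and the trace session can be stopped with `logman stop PhantomRpcAudit -ets`.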