Windows architecture has presented a new surprise, or rather, a new attack surface in an old technology.
Inter-process communication in Windows relies on RPC (Remote Procedure Call), a complex mechanism in which new vulnerabilities have been discovered year after year. Our expert, Khaydar Kabibo, who has long been studying RPC security, has found a new architectural vector for local privilege escalation, and he named it PhantomRPC.
The essence of the technique: an attacker sets up a fake RPC server that registers the same interface UUID/endpoint as the legitimate server and answers client requests. When a client connects, the rogue server calls RpcImpersonateClient, which lets the server thread run in the security context of the calling client, up to SYSTEM.
The key condition: the attacker’s process has to hold SeImpersonatePrivilege (usually available to the Network Service and Local Service accounts). With that privilege, escalation to SYSTEM or administrator level becomes possible whenever the legitimate RPC server is unavailable, for example because the corresponding service is disabled.
This is not a vulnerability in a specific service (as with the Potato family), but a consequence of the fact that the RPC runtime does not verify the legitimacy of a registered RPC server and allows another process to register the same endpoint as the legitimate one. In some cases, additional environment conditions are required (for example, a particular GPO configuration).
All the described paths to privilege escalation have been tested on Windows Server 2022 and Windows Server 2025 with the latest updates available at the time of the study. The author notes that the vulnerability can be exploited on other versions of Windows as well, since it is an architectural issue.
What can be done before a patch appears:
— minimize SeImpersonatePrivilege for non-standard/custom processes (remove it if it is not needed);
— if possible, enable legitimate services based on RPC, so that their RPC endpoints are occupied by legitimate servers;
— enable ETW monitoring of RPC events and track RPC_S_SERVER_UNAVAILABLE errors from high-privilege clients, so that impersonation attempts can be detected before they are carried out.
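The third recommendation is the one most easily turned into a detection rule. The following is an added example written for this post, not code from the article or its author, of the triage logic a SOC would run over RPC events exported from ETW: flag every RPC_S_SERVER_UNAVAILABLE (Win32 error 1722) seen by a SYSTEM, Local Service or Network Service client and group the hits by interface UUID and endpoint, since an unoccupied endpoint that high-privilege clients keep calling is exactly the condition PhantomRPC needs. The flattened record layout (`pid=`, `user=`, `uuid=`, `endpoint=`, `status=`), the sample log lines and the interface UUIDs are all constructed for the example and do not reproduce the real Microsoft-Windows-RPC event schema; map the field names to whatever your ETW export uses.

```python
import re
from collections import defaultdict

RPC_S_SERVER_UNAVAILABLE = 1722  # Win32 status "The RPC server is unavailable"

# Client identities whose failed calls matter most: they run as SYSTEM or hold
# SeImpersonatePrivilege, so a rogue server answering them gains the most.
HIGH_PRIV_CLIENTS = frozenset({
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
})

# Hypothetical flattened record layout, constructed for this example.
# Real Microsoft-Windows-RPC ETW events carry equivalent data under their own field names.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+user=(?P<user>.+?)\s+"
    r"uuid=(?P<uuid>[0-9a-fA-F-]{36})\s+endpoint=(?P<endpoint>\S+)\s+status=(?P<status>\d+)$"
)


def parse_line(line):
    """Parse one flattened RPC event; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["status"] = int(rec["status"])
    return rec


def find_unavailable_from_high_priv(lines, high_priv=HIGH_PRIV_CLIENTS):
    """Return {(uuid, endpoint): [records]} for RPC_S_SERVER_UNAVAILABLE errors
    reported by high-privilege clients. Low-privilege clients and successful
    calls are ignored; unparsable lines are skipped rather than failing the run."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == RPC_S_SERVER_UNAVAILABLE and rec["user"] in high_priv:
            hits[(rec["uuid"], rec["endpoint"])].append(rec)
    return dict(hits)


def summarize(hits):
    """Collapse the hits into one finding per interface/endpoint, ordered by UUID,
    listing which high-privilege clients (account, pid) are calling a server that
    is not there. Each finding is an endpoint an administrator should either
    re-occupy with the legitimate service or watch for a rogue registration."""
    return [
        {
            "uuid": uuid,
            "endpoint": endpoint,
            "count": len(recs),
            "clients": sorted({(r["user"], r["pid"]) for r in recs}),
            "first_seen": min(r["ts"] for r in recs),
        }
        for (uuid, endpoint), recs in sorted(hits.items())
    ]


# Constructed sample export: one interface called by SYSTEM and Network Service
# while its server is down, one low-privilege failure, one success, one second
# interface, and a line that does not parse.
SAMPLE_LINES = [
    "2026-04-16T09:00:01Z pid=1204 user=NT AUTHORITY\\SYSTEM uuid=11111111-2222-3333-4444-555555555555 endpoint=ncalrpc:[example-ep] status=1722",
    "2026-04-16T09:00:02Z pid=3312 user=CORP\\alice uuid=11111111-2222-3333-4444-555555555555 endpoint=ncalrpc:[example-ep] status=1722",
    "2026-04-16T09:00:03Z pid=1204 user=NT AUTHORITY\\SYSTEM uuid=11111111-2222-3333-4444-555555555555 endpoint=ncalrpc:[example-ep] status=0",
    "2026-04-16T09:00:04Z pid=880 user=NT AUTHORITY\\NETWORK SERVICE uuid=11111111-2222-3333-4444-555555555555 endpoint=ncalrpc:[example-ep] status=1722",
    "2026-04-16T09:00:05Z pid=2244 user=NT AUTHORITY\\LOCAL SERVICE uuid=22222222-3333-4444-5555-666666666666 endpoint=ncalrpc:[other-ep] status=1722",
    "this line is not an RPC event and is skipped",
]

if __name__ == "__main__":
    for finding in summarize(find_unavailable_from_high_priv(SAMPLE_LINES)):
        print(f"{finding['uuid']} {finding['endpoint']}: {finding['count']} unavailable-server "
              f"errors from high-privilege clients {finding['clients']} since {finding['first_seen']}")
```

On the sample data the detector reports two endpoints: the first with two distinct high-privilege callers (SYSTEM pid 1204 and Network Service pid 880) and the second with one; the failure from `CORP\alice` and the successful call are not reported. In production the interesting follow-up is the list of client accounts per endpoint, because it tells you how much a rogue server on that endpoint could gain, and therefore which disabled services to bring back first.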
Thus, PhantomRPC opens up a new attack surface in Windows RPC and requires constant attention from administrators and application developers who use this protocol.
More details with code examples and exploitation schemes can be found in the article “PhantomRPC: A new privilege escalation technique in Windows RPC”.
This report has also been included in the program of the Black Hat Asia 2026 conference that took place today in Singapore.
