PhantomRPC: Windows RPC vulnerability could enable remote system access, according to Kaspersky

Security firm Kaspersky has announced PhantomRPC, a vulnerability affecting Windows Remote Procedure Call (RPC). Kaspersky said the flaw is not caused by a single bug, but by how Windows operates, enabling attackers to gain system privileges on a device. If a process has impersonation rights, an attacker can use PhantomRPC to obtain full system control.

How PhantomRPC enables privilege escalation

Kaspersky analyzed five exploitation scenarios in which attackers could escalate access from local services or network-connected services to higher privilege levels. In the most severe cases, this could allow attackers to take control of the entire system.

Because the issue is rooted in a design weakness, Kaspersky said it can create “nearly countless” attack vectors. Any new process or service that uses RPC could potentially become an additional entry point for expanding access.

What affects exploitation

Haidar Kabibo, a security applications specialist at Kaspersky, said exploitation details may vary depending on the specific system. Factors include installed software, the dynamic-link libraries involved in RPC communication, and whether the relevant RPC servers are available.

Why RPC matters for Windows security

Kaspersky described RPC as a core mechanism within Windows inter-process communication. It enables processes to communicate and perform functions even when they run in separate environments, and it underpins higher-level communication technologies.

Risk assessment and response planning

Kabibo said the vulnerability is a critical factor in risk assessment and response planning. He noted that the practical impact depends on how RPC is used across the environment and which components are exposed to potential abuse.

Mitigation steps recommended by Kaspersky

Kaspersky recommended that organizations implement measures to detect and mitigate exploitation risk, including:

• Deploying Event Tracing for Windows (ETW) to identify anomalies in RPC activity, particularly connection requests to servers that do not exist or are unavailable.
• Monitoring indicators to detect situations where a legitimate RPC server should be present but is not functioning.
• Narrowing the attack surface by enabling only the appropriate services, helping ensure valid RPC endpoints are always available and limiting opportunities for attackers to deploy fake servers.
• Limiting the use of SeImpersonatePrivilege (impersonation rights) so it is granted only to processes that truly need it. Kaspersky said some system processes rely on this right, but in practice it is sometimes granted to custom applications or third parties, increasing security risk.