New Windows RPC Vulnerability Lets Attackers Escalate Privileges Across All Windows Versions

PhantomRPC is a newly identified architectural vulnerability in Windows Remote Procedure Call (RPC) that enables local privilege escalation to SYSTEM-level access and potentially affects every version of Windows.

The research was presented by Kaspersky application security specialist Haidar Kabibo at Black Hat Asia 2026 on April 24 and details five distinct exploitation paths, none of which have received a patch from Microsoft.

PhantomRPC is not a classic memory corruption bug or a logic flaw in a single component. Instead, it exploits an architectural design weakness in how the Windows RPC runtime (rpcrt4.dll) handles connections to unavailable RPC servers.

When a highly privileged process attempts an RPC call to a server that is offline or disabled, the RPC runtime does not verify whether the responding server is legitimate.

This means an attacker who controls a low-privileged process, such as one running under NT AUTHORITY\NETWORK SERVICE, can deploy a malicious RPC server that mimics a legitimate endpoint and intercept those calls.

Source: Cybersecurity News