- What: Privilege escalation technique in Windows via RPC
- Impact: Systems with SeImpersonatePrivilege may be vulnerable
The core issue: Windows RPC runtime doesn't verify whether the server a high-privileged client connects to is legitimate. If a target RPC server is unavailable, an attacker with SeImpersonatePrivilege can spin up a fake RPC server mimicking the same endpoint, wait for a SYSTEM-level client to connect, then call RpcImpersonateClient to escalate privileges.

Five confirmed escalation paths:

- gpupdate /force → SYSTEM (coerces Group Policy service)
- Microsoft Edge launch → Administrator (no coercion needed)
- WDI background service → SYSTEM (fires every 5–15 min automatically)
- ipconfig + disabled DHCP → Administrator
- w32tm.exe → Administrator via non-existent named pipe

Microsoft assessed this as moderate severity, issued no CVE, and has no patch planned — justification being that SeImpersonatePrivilege is a prerequisite.

Questions for the community:

- Are you monitoring for RPC_S_SERVER_UNAVAILABLE (Event ID 1 via ETW) in your environment?
- Any Sigma/Defender rules already written for this?
- Do you agree with Microsoft's severity assessment given how common SeImpersonatePrivilege is on IIS/SQL servers?

Kaspersky's full write-up + PoC: https://securelist.com/phantomrpc-rpc-vulnerability/119428/

submitted by /u/maxcoder88
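The post asks whether anyone is monitoring for RPC_S_SERVER_UNAVAILABLE. Below is an added triage example for that hunt; it is not code from the post or from Kaspersky's write-up. It assumes an ETW consumer has already exported RPC client-error events to JSON lines with the field names used here (`time`, `event_id`, `status`, `user`, `process`, `endpoint`); that layout is an assumption, not the real provider's schema, and the pipe names in the sample records are constructed placeholders. The one fact it relies on is that `RPC_S_SERVER_UNAVAILABLE` is error code 1722 in winerror.h. The idea is to surface endpoints that a privileged client keeps failing to reach, since that is the precondition the technique needs (a legitimate server that isn't there).

```python
"""Triage of exported RPC client-error telemetry.

Added example, not from the Reddit post or Kaspersky's write-up. Assumes the
ETW events were exported as JSON lines with the fields used below (assumed
layout); the sample records and pipe names are constructed.
"""
import json
from collections import defaultdict

# winerror.h: RPC_S_SERVER_UNAVAILABLE == 1722 (0x6BA)
RPC_S_SERVER_UNAVAILABLE = 1722

# A rogue server only gains something if a privileged client connects to it,
# so failures from these accounts are the ones worth looking at first.
PRIVILEGED_USERS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Constructed sample export: two repeated SYSTEM failures against one pipe,
# one failure from an ordinary user, one lone SYSTEM failure, one success,
# and one non-1722 error. Endpoint names are placeholders, not real pipes.
SAMPLE_RECORDS = r"""
{"time":"2024-01-01T10:00:01Z","event_id":1,"status":1722,"user":"NT AUTHORITY\\SYSTEM","process":"svchost.exe","endpoint":"\\pipe\\constructed_pipe_a"}
{"time":"2024-01-01T10:05:02Z","event_id":1,"status":1722,"user":"NT AUTHORITY\\SYSTEM","process":"svchost.exe","endpoint":"\\pipe\\constructed_pipe_a"}
{"time":"2024-01-01T10:05:09Z","event_id":1,"status":1722,"user":"CORP\\alice","process":"cmd.exe","endpoint":"\\pipe\\constructed_pipe_a"}
{"time":"2024-01-01T10:06:00Z","event_id":1,"status":1722,"user":"NT AUTHORITY\\SYSTEM","process":"svchost.exe","endpoint":"\\pipe\\constructed_pipe_c"}
{"time":"2024-01-01T10:07:00Z","event_id":1,"status":0,"user":"NT AUTHORITY\\SYSTEM","process":"svchost.exe","endpoint":"\\pipe\\constructed_pipe_b"}
{"time":"2024-01-01T10:08:00Z","event_id":1,"status":5,"user":"NT AUTHORITY\\SYSTEM","process":"svchost.exe","endpoint":"\\pipe\\constructed_pipe_b"}
"""


def parse_records(text):
    """Parse one JSON object per non-empty line; malformed lines are skipped
    so a single bad export line does not abort the whole triage."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_candidates(records, threshold=2):
    """Return endpoints that a privileged client repeatedly failed to reach
    with RPC_S_SERVER_UNAVAILABLE, most failures first.

    Repeated unavailability of an endpoint that a SYSTEM-level client keeps
    retrying means the legitimate server is absent, which is what the post
    describes as the precondition. Treat the output as a hunting lead, not a
    verdict: the endpoint may belong to a service that is legitimately stopped.
    """
    by_endpoint = defaultdict(list)
    for rec in records:
        if rec.get("status") != RPC_S_SERVER_UNAVAILABLE:
            continue
        if rec.get("user") not in PRIVILEGED_USERS:
            continue
        by_endpoint[rec.get("endpoint", "<unknown>")].append(rec)

    candidates = []
    for endpoint, hits in by_endpoint.items():
        if len(hits) < threshold:
            continue
        candidates.append({
            "endpoint": endpoint,
            "failures": len(hits),
            "users": sorted({h["user"] for h in hits}),
            "processes": sorted({h.get("process", "?") for h in hits}),
            "first_seen": min(h["time"] for h in hits),
            "last_seen": max(h["time"] for h in hits),
        })
    candidates.sort(key=lambda c: (-c["failures"], c["endpoint"]))
    return candidates


if __name__ == "__main__":
    for c in find_candidates(parse_records(SAMPLE_RECORDS)):
        print(f'{c["endpoint"]}: {c["failures"]} privileged failures '
              f'({", ".join(c["processes"])}) '
              f'between {c["first_seen"]} and {c["last_seen"]}')
```

On the sample data only `\pipe\constructed_pipe_a` clears the default threshold, because the ordinary-user failure against it is ignored and the single SYSTEM failure against `constructed_pipe_c` is below two hits. Lowering `threshold` to 1 is the aggressive setting for a short hunt window; the sensible follow-up on any hit is to check whether the service that should own that endpoint is actually running.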