News

Microsoft won’t patch PhantomRPC: Feature or bug?

  • securityboulevard.com
  • published date: 2026-04-29 00:00:00 UTC


<p>The post <a href="https://www.malwarebytes.com/blog/news/2026/04/microsoft-wont-patch-phantomrpc-feature-or-bug">Microsoft won’t patch PhantomRPC: Feature or bug?</a> appeared first on <a href="https://www.malwarebytes.com/">Malwarebytes</a>.</p><p>A researcher has discovered a weakness called PhantomRPC that <a href="https://www.forbes.com/sites/daveywinder/2026/04/28/unlimited-attack-vectors-all-windows-versions-at-risk-from-new-flaw/" rel="noreferrer noopener nofollow">Microsoft does not consider a vulnerability</a>, and which it therefore does not plan to patch.</p><p>PhantomRPC involves Windows Remote Procedure Call (RPC), the mechanism at the core of communication between Windows processes. The weakness lets a process with impersonation rights escalate to SYSTEM by impersonating high‑privileged clients that connect to a fake RPC server.</p><p>The researcher <a href="https://securelist.com/phantomrpc-rpc-vulnerability/119428/" rel="noreferrer noopener nofollow">presented</a> a detailed technical report outlining <a href="https://www.reddit.com/r/cybersecurity/comments/1sxa29m/kaspersky_recently_disclosed_phantomrpc_a/" rel="noreferrer noopener nofollow">five exploitation paths</a>, including ones based on coercion, user interaction, and background services. They warned that the potential vectors are “effectively unlimited” because the root issue is architectural.</p><p>Microsoft, however, classified the issue as “moderate,” refused a bounty, declined to assign a CVE (an entry in the list of Common Vulnerabilities and Exposures), and closed the case without tracking it. Its position is that the technique requires an already‑compromised machine and does not provide unauthenticated or remote access.</p><p><a href="https://itnerd.blog/2026/04/27/unpatched-windows-phantomrpc-flaw-allows-privilege-escalation/" rel="noreferrer noopener nofollow">Experts disagreed</a> with Microsoft’s assessment. 
Their concern is that Microsoft is downplaying a systemic local privilege escalation technique that exists in all supported Windows versions.</p><h2 class="wp-block-heading" id="h-the-issue">The issue</h2><p>At the core of this issue is that the Windows RPC runtime does not sufficiently verify that the server a high‑privileged client connects to is the intended, legitimate endpoint.</p><p>If a legitimate RPC server is not reachable (for example because the service has stopped, is misconfigured or not installed, or because of a <a href="https://portswigger.net/web-security/race-conditions" rel="noreferrer noopener nofollow">race condition</a>), an attacker with <a href="https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/seimpersonateprivilege-secreateglobalprivilege" rel="noreferrer noopener nofollow">SeImpersonatePrivilege</a> can spin up a fake RPC server that “fills the gap” by registering the same interface on the same endpoint.</p><p>When a SYSTEM or other high‑privileged client connects to this fake server using an impersonation level that allows the server to impersonate the client, the attacker can call <a href="https://learn.microsoft.com/en-us/windows/win32/api/rpcdce/nf-rpcdce-rpcimpersonateclient" rel="noreferrer noopener nofollow"><code>RpcImpersonateClient</code></a> and immediately escalate their privileges to SYSTEM.</p><p>From Microsoft’s perspective, the ability to run a rogue RPC server in this way falls under the category of “already compromised.”</p><h2 class="wp-block-heading" id="h-seimpersonateprivilege">SeImpersonatePrivilege</h2><p>To understand the issue better, we need to dig into what SeImpersonatePrivilege does.</p><p>Basically, SeImpersonatePrivilege is the Windows permission that lets a program “pretend to be you” after you’ve already logged in, so it can do things on your behalf using your level of access.</p><p>It’s needed because many system services and server‑type apps (file sharing, RPC servers, COM servers, web apps) have to 
perform actions on behalf of a user, like reading their files or applying group policy.</p><p>If an attacker gains this privilege, they can create a fake service or server and wait for a more powerful account to talk to it. When that high‑privilege service connects, the attacker can grab its security token and impersonate it, effectively upgrading from an account with lower privileges to full SYSTEM control on that machine.</p><h2 class="wp-block-heading" id="h-protection">Protection</h2><p>A Microsoft spokesperson provided the following statement:</p><blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"> <p>“This technique requires an already-compromised machine and does not grant unauthenticated or remote access. Any update is a balance between existing compatibility and customer risk, and we remain committed to continually hardening our products. We recommend customers follow security best practices, including limiting administrative privileges and applying the principle of least privilege.”</p> </blockquote><p>In our opinion, mitigating PhantomRPC properly would require deep changes to the RPC architecture, which is hard to do on existing Windows versions without breaking compatibility. 
It may be something we’ll see in future versions, given the scale of change needed.</p><p>What you can do:</p><ul class="wp-block-list"> <li>As PhantomRPC is one piece in a larger attack chain, it is still very important to keep Windows updated.</li> <li>Use your admin account sparingly and only for the tasks that need that kind of privilege.</li> <li>Use an up-to-date, <a href="https://www.malwarebytes.com/teams" rel="noreferrer noopener">real-time anti-malware solution</a> that can detect and block suspicious privilege‑escalation activity.</li> <li>Avoid disabling or “hardening” services blindly, since a malicious service might step into their place.</li> </ul><p>To answer the question in the title: it looks like a “feature” that can be abused in many ways, one that has outlived its original threat model. Defenders have to treat such features as ongoing risks rather than one‑off CVEs.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.malwarebytes.com/">Malwarebytes</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Malwarebytes">Malwarebytes</a>. Read the original post at: <a href="https://www.malwarebytes.com/blog/news/2026/04/microsoft-wont-patch-phantomrpc-feature-or-bug">https://www.malwarebytes.com/blog/news/2026/04/microsoft-wont-patch-phantomrpc-feature-or-bug</a> </p>
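The two preconditions described under “The issue” (a principal holding SeImpersonatePrivilege, and a high‑privileged service that is not running so its endpoint can be “filled”) are things a defender can audit on a host. The following PowerShell script is an added example, not code from Malwarebytes or from the PhantomRPC report; it assumes an elevated prompt, and the temporary file path is a made-up choice.

```powershell
# Added illustration, not code from the article or the PhantomRPC report.
# Audits two preconditions the article describes: which principals hold
# SeImpersonatePrivilege, and which LocalSystem services are not running
# (a stopped service is the "gap" a rogue RPC server could fill).
# Run from an elevated PowerShell prompt.

# 1. Which principals does local policy grant SeImpersonatePrivilege?
#    secedit exports user-rights assignments to an .inf file (path is an assumption).
$inf = Join-Path $env:TEMP 'user-rights-audit.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
$line = Get-Content -Path $inf | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
Remove-Item -Path $inf -ErrorAction SilentlyContinue

Write-Host "Principals holding SeImpersonatePrivilege:"
if ($line) {
    # Line looks like "SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-19,..."; each SID carries a '*' prefix
    $sids = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.TrimStart('*').Trim() }
    foreach ($sid in $sids) {
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $name = '(unresolved)' }
        Write-Host ("  {0,-16} {1}" -f $sid, $name)
    }
} else {
    Write-Host "  (no explicit assignment exported; defaults apply)"
}

# 2. Which services configured to run as LocalSystem are stopped or disabled?
#    These are endpoints a high-privileged client may try to reach and not find.
$gaps = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' -and $_.State -ne 'Running' } |
    Select-Object Name, DisplayName, State, StartMode |
    Sort-Object StartMode, Name

Write-Host "`nLocalSystem services not running (confirm each is expected before acting on it):"
$gaps | Format-Table -AutoSize
```

Review the service list against your baseline rather than re-enabling everything: the article’s own advice is not to change service state blindly in either direction.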