Last updated: May 13, 2026 at 5:42 AM UTC
Tag: architectural-flaw (1 article)

New 'PhantomRPC' bug lets any low-privileged Windows process become SYSTEM - all Windows versions affected, no patch from Microsoft

At Black Hat Asia on April 24, Kaspersky disclosed PhantomRPC, an architectural flaw in how Windows handles RPC (Remote Procedure Call), a core internal communication system. When a privileged Windows process tries to talk to an RPC server that isn't running, the operating system doesn't check whether whatever answers is the real server, so a low-privileged attacker can stand up a fake RPC server, intercept the call, and inherit SYSTEM-level access. All Windows versions are affected. Kaspersky demonstrated five different exploitation paths and published the research tools on GitHub. Microsoft has not released a patch.

Check
Treat any unprivileged Windows process as a potential SYSTEM-escalation foothold and tighten EDR rules around suspicious RPC server registrations until Microsoft patches.
Affected
All Windows versions including Windows 10, Windows 11, and Windows Server, plus older builds. Acute risk on multi-user systems, terminal servers, and any host where untrusted code might run as a low-privileged service account such as NETWORK SERVICE - those are the easiest launch points for the technique.
Fix
There is no Microsoft patch yet. Use Kaspersky's public PhantomRPC tooling to audit your environment for exploitable RPC patterns. Tighten EDR detection on processes registering RPC endpoints with privileged-service UUIDs. On terminal servers, limit which low-privileged accounts can run code. Watch Microsoft Security Response Center for updates over the coming weeks.