PhantomRPC is a newly discovered vulnerability in the Windows Remote Procedure Call (RPC) system that presents a significant risk for local privilege escalation to SYSTEM-level access. This vulnerability affects all Windows versions and was unveiled by Kaspersky's application security expert, Haidar Kabibo, at Black Hat Asia 2026. The research highlights five separate exploitation methods, none of which have been addressed with a patch by Microsoft.

Unlike typical memory corruption or single-component logic flaws, PhantomRPC exploits a design weakness in the Windows RPC runtime, specifically in the rpcrt4.dll file's handling of connections to unavailable RPC servers. When a privileged process attempts to connect to a non-responsive server, the system fails to authenticate the legitimacy of the responding server. This oversight allows attackers who control low-privileged processes to create malicious RPC servers that impersonate legitimate endpoints.

The vulnerability hinges on the RpcImpersonateClient API. When a privileged client connects to a fake server at a high impersonation level, the malicious server can exploit this API to adopt the client's security context, thus elevating the attacker's privileges to SYSTEM or Administrator. Five specific attack scenarios have been identified by researchers.

This issue was reported to the Microsoft Security Response Center in September 2025. Microsoft assessed the vulnerability as moderate, citing that the attack requires SeImpersonatePrivilege, which is already held by Network Service and Local Service accounts by default. The case was closed without assigning a CVE or scheduling a fix.

In the absence of an official patch, organizations are advised to take proactive measures. Kaspersky has made available the tools used in their research through the PhantomRPC GitHub repository, which allows companies to audit their systems for potential vulnerabilities related to RPC calls.