‘Unlimited Attack Vectors’—All Windows Versions At Risk From New Flaw

Microsoft is currently facing criticism over a security vulnerability in the Windows operating system known as PhantomRPC. The flaw, which allows privilege escalation, has raised eyebrows among cybersecurity experts, particularly because the company has so far declined to issue a patch. Haidar Kabibo, a researcher at Kaspersky, has highlighted the potential severity of the vulnerability, stating that “the number of potential attack vectors is effectively unlimited.”

The Windows PhantomRPC Vulnerability And Why It Isn’t Patched Yet

The challenge facing Microsoft is not new; the company is continually inundated with security vulnerabilities that require prompt attention. While it generally addresses these issues effectively, there are instances where the response appears lackluster, as when a researcher recently disclosed a zero-day vulnerability out of frustration. The PhantomRPC vulnerability, which resides within the Windows Remote Procedure Call (RPC) architecture, has similarly left many in the cybersecurity community puzzled by the absence of a timely patch.

Kabibo explains that RPC lets one process invoke functions in another, and that Windows relies on it throughout for communication between components and services. According to his report, PhantomRPC lets a process that already holds impersonation privileges use that mechanism to elevate itself to SYSTEM. He identified five distinct exploitation paths, each of which requires user interaction, coercion, or the compromise of a background service. Because the weakness lies in the RPC architecture itself rather than in any single service, however, the set of potential attack vectors is effectively unbounded: any privileged component that communicates over RPC is a candidate.

After Kabibo disclosed the technical details to Microsoft in September 2025, expectations for a swift patch were high. Instead, he reported that in October Microsoft categorized the vulnerability as only moderately severe, deeming it ineligible for a bug bounty and not warranting an official Common Vulnerabilities and Exposures (CVE) listing. Kabibo also noted that Microsoft closed the case without any further tracking.

A Microsoft spokesperson responded by stating, “This technique requires an already-compromised machine and does not grant unauthenticated or remote access. Any update is a balance between existing compatibility and customer risk, and we remain committed to continually hardening our products. We recommend customers follow security best practices, including limiting administrative privileges and applying the principle of least privilege.”

However, this response has not satisfied all experts. Damon Small, a board member at Xcape, Inc., expressed disbelief at Microsoft’s lack of action, describing it as a bold strategy. He remarked, “You have to be halfway into the house before you can use it to unlock the safe.” Small acknowledged that while Microsoft’s decision not to patch could be defensible under its traditional servicing criteria, it is operationally negligent in a landscape where attackers routinely use compromised service accounts as a foothold.

Jason Soroko, a senior fellow at Sectigo, echoed these concerns, stating, “By categorizing an architectural vulnerability as an acceptable risk, the vendor introduces a continuous cognitive tax on technical leaders who must navigate and mitigate incomplete structural fixes.” In other words, Microsoft’s stance places the onus on defenders to manage the residual risk once an attacker has already gained a foothold.

With no patch available, Shane Barney, chief information security officer at Keeper Security, emphasized the importance of focusing on access control and environmental hygiene. He advised, “Enforcing least privilege, removing standing administrative rights, and implementing just-in-time access all narrow the window.” He also stressed the need to audit active services and ensure that legitimate RPC servers are accounted for, since the vulnerability exploits a gap that should not exist. For businesses running Windows, Barney concluded, “Reducing that gap is the most direct mitigation available right now.”
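The precondition Kabibo describes, a process that already holds impersonation privileges, is also the thing a defender can audit. The PowerShell below is an added example, not from the article or from Kaspersky’s report: it exports the local user-rights assignments with secedit, resolves which accounts hold SeImpersonatePrivilege, and then lists the running services whose logon account carries that right, which are the service-account footholds Small and Barney describe. It assumes an elevated prompt and the default Windows configuration in which the built-in SERVICE group (S-1-5-6) is among the holders; the temporary file name is arbitrary.

```powershell
# Added example, not from the article or from Kaspersky's research.
# Audits the precondition PhantomRPC needs (SeImpersonatePrivilege) and maps
# it onto the services that run under accounts holding it.
# Requires an elevated PowerShell prompt (secedit needs admin rights).

# 1. Export the local user-rights assignments. The file name is arbitrary.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The relevant line looks like:
#   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
$line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue

# 2. Resolve each SID to an account name so the list is readable.
$holders = foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
    $sid = $entry.Trim().TrimStart('*')
    if (-not $sid) { continue }
    try {
        $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '(unresolved)'
    }
    [pscustomobject]@{ SID = $sid; Account = $name }
}

Write-Output 'Accounts and groups holding SeImpersonatePrivilege:'
$holders | Format-Table -AutoSize

# 3. Map the right onto running services. By default the well-known SERVICE
#    group (S-1-5-6) holds it, so every service logon can impersonate; a
#    service compromised as LocalService, NetworkService or a custom account
#    is the "halfway into the house" foothold the article describes.
#    LocalSystem services are excluded: they are already SYSTEM.
$serviceGroupHasIt = [bool]($holders | Where-Object { $_.SID -eq 'S-1-5-6' })
$holderNames = @($holders | ForEach-Object { $_.Account -replace '\s', '' })

$footholds = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.StartName -and $_.StartName -ne 'LocalSystem' } |
    Where-Object {
        # StartName spells built-in identities without spaces (NT AUTHORITY\LocalService),
        # Translate() with spaces (NT AUTHORITY\LOCAL SERVICE); compare without them.
        $serviceGroupHasIt -or ($holderNames -contains ($_.StartName -replace '\s', ''))
    } |
    Select-Object Name, StartName, PathName

Write-Output 'Running services whose logon account can impersonate (candidate footholds):'
$footholds | Sort-Object StartName, Name | Format-Table -AutoSize
```

Run it on the hosts you care about and compare the foothold list against the services you actually need: every non-essential service in that list is a place where a compromised account already satisfies the vulnerability’s precondition, and removing it or running it under an account without impersonation rights shrinks the gap Barney refers to. The script only covers the privilege side; verifying that legitimate RPC servers are accounted for, Barney’s other recommendation, requires a tool that enumerates registered RPC interfaces, which this audit does not attempt.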

Winsage