Windows RPC EPM vulnerability patch released

Researchers describe a patched Windows RPC flaw that can enable spoofing, hash theft and privilege escalation.

Windows RPC poisoning opens path to domain privilege escalation

Researchers have outlined how a patched Windows Remote Procedure Call (RPC) flaw could be abused to spoof a built in server and impersonate trusted services. Tracked as CVE-2025-49760, the vulnerability was fixed in July 2025 as part of Microsoft’s Patch Tuesday updates. Microsoft labels it a Windows Storage spoofing bug that affects the Endpoint Mapper, which maps an RPC client to a server endpoint. By manipulating how an interface is registered, an attacker can perform an EPM poisoning attack that lets an unprivileged user pose as a legitimate service and cause a protected process to authenticate to a server chosen by the attacker.

In practical terms, the attack chain begins with a scheduled task that runs on user login, followed by registering the Storage Service interface. The attacker then forces the Delivery Optimization service to contact the attacker’s dynamic endpoint and, in turn, prompts the service to receive an SMB share from a rogue server. This exchange can leak the machine account NTLM hash, enabling an ESC8 privilege escalation path toward domain controllers via tools like Certipy. SafeBreach also released RPC-Racer to flag insecure RPC services and warns that the EPM could be extended to adversary in the middle and denial of service scenarios by registering multiple interfaces. Security teams are urged to monitor RpcEpRegister calls and enable ETW tracing to detect suspicious mappings.

The finding has rekindled a broader discussion about how much the Windows security model relies on trust in internal components. It also highlights the gap between patch release and practical protection in large organizations that run mixed environments and delayed-start services that may leave interfaces unregistered at boot.

The episode shows a real risk in core OS components that assume trust inside a corporate network. When identity checks for RPC servers are weak, attackers can rewrite how endpoints are discovered and connected, turning trusted processes into unwitting pawns. The emphasis on defense in depth matters now more than ever, particularly as enterprises juggle patch fatigue and complex service dependencies. The case also underscores why tools that reveal misregistrations and unusual RPC activity should become standard, not optional.

Beyond the technical details, the incident raises questions about patch cadence, asset inventory and the need for zero trust thinking inside data centers. It is a reminder that even well defended systems can rely on fragile routines such as delayed starts, which create blind spots that attackers can exploit. The bottom line is simple: better visibility and stronger identity checks for internal services are no longer optional.

Highlights

Patching fixes the vulnerability, but resilience depends on how quickly organizations translate fixes into stronger internal controls.