Understanding the Recent Windows RPC Vulnerability: What You Need to Know
Introduction to the Vulnerability
Recent findings from cybersecurity experts have shed light on a significant security issue within Microsoft’s Windows Remote Procedure Call (RPC) communication protocol. This vulnerability, known as CVE-2025-49760 and given a CVSS score of 3.5, allows attackers to carry out spoofing attacks and impersonate legitimate servers. Though now patched as part of Microsoft’s July 2025 Patch Tuesday update, its implications are serious and warrant attention.
What Is the Windows RPC Protocol?
The Windows RPC protocol plays a crucial role in client-server communications, utilizing universally unique identifiers (UUIDs) alongside an Endpoint Mapper (EPM). This framework allows an RPC client to connect to endpoints registered by a server, facilitating seamless interaction across networked environments. However, the recent discovery highlights how flaws in this system can be exploited.
How Does the Attack Work?
The vulnerability arises when an attacker manipulates the RPC protocol’s core components, enabling what’s known as an EPM poisoning attack. This operation allows unauthorized users to masquerade as built-in services, convincing protected processes to authenticate against a server chosen by the attacker. The resemblance of this attack to DNS poisoning—where malicious actors redirect users to harmful sites—makes it particularly alarming.
Key Attack Steps
- Poison the EPM: the attacker registers, with the Endpoint Mapper, an endpoint for an interface that a built-in service would normally own.
- Masquerade as a legitimate RPC server: clients resolving that interface through the EPM are directed to the attacker's endpoint instead of the real service.
- Manipulate RPC clients: by posing as a trusted service, the attacker can influence what the client does next (for example, which server it connects to).
- Escalate privileges: combined with an ESC8 attack, this can lead to local or domain privilege escalation.
Insights from Industry Experts
Researcher Ron Ben Yizhak from SafeBreach disclosed insights during a recent DEF CON 33 conference. He noted, "I was shocked to discover that nothing stopped me from registering known, built-in interfaces for core services." This revelation indicates a lack of security checks within the EPM, exposing the system to manipulation even from non-administrative processes.
Risks Associated with Service Startups
The attack targets services configured for manual startup. Because such a service does not register its RPC interface at boot, there is a window in which the interface is unregistered and can be claimed by someone else. An attacker who registers it first receives the RPC calls meant for the legitimate service, and the malicious registration stays in place until the real service starts.
Introducing the RPC-Racer Tool
In response to this vulnerability, SafeBreach has launched a tool named RPC-Racer designed to identify insecure RPC services, such as the Storage Service (StorSvc.dll). This tool can manipulate a Protected Process Light (PPL) process, like the Delivery Optimization service (DoSvc.dll), to authenticate machine accounts against a server of the attacker’s choice.
Understanding Protected Process Light (PPL)
PPL technology, introduced by Microsoft with Windows 8.1, aims to ensure that only authorized services and processes operate within the system. By safeguarding running processes against termination or exposure to malware, it significantly enhances system security.
The Attack Sequence in Detail
The sequence of events during the attack typically proceeds as follows:
- A scheduled task is created to execute upon user login.
- The interface for the Storage Service is registered.
- The Delivery Optimization service sends an RPC request to the Storage Service, inadvertently connecting to the attacker’s endpoint.
- The attacker then calls the GetStorageDeviceInfo() method, triggering an SMB share connection to a rogue server.
- The Delivery Optimization service authenticates with the rogue server using machine account credentials, thereby leaking NTLM authentication material (NTLM hashes).
- Finally, the attacker conducts an ESC8 attack, relaying the coerced NTLM hashes to web-based certificate enrollment services, achieving privilege escalation.
Potential for Further Exploitation
According to SafeBreach, the EPM poisoning technique presents avenues for more complex attacks, including adversary-in-the-middle (AitM) and denial-of-service (DoS) tactics. By forwarding requests to the original services or registering multiple interfaces, an attacker can manipulate interactions or disrupt normal operations.
Enhancing Detection and Prevention
To combat these types of threats, security solutions should monitor calls to the RpcEpRegister function and use Event Tracing for Windows (ETW). ETW logs events generated by both user-mode applications and kernel-mode drivers, providing visibility into system activity such as which process registers which RPC endpoint.
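To make that monitoring point concrete, here is an added example (not SafeBreach's RPC-Racer and not Microsoft code) that runs an EPM-poisoning check over constructed endpoint-registration records, the kind you might export from an ETW trace of RpcEpRegister calls. The record format, the interface UUIDs, the image paths and the owner table are all assumptions for illustration, not real Windows values.

```python
"""Flag RPC endpoint registrations that look like EPM poisoning. Added example,
not SafeBreach's RPC-Racer or Microsoft code. It assumes RpcEpRegister calls were
captured (e.g. by an ETW consumer) and exported one per line in this constructed
format: <time> pid=<pid> image=<path> user=<account> iface=<interface uuid>.
The UUIDs and owner table are placeholders, not real StorSvc.dll interface IDs."""
import re

# Constructed allow-list: which image is expected to register which built-in
# interface. In practice this would be recorded from a known-good host.
EXPECTED_OWNER = {"11111111-2222-3333-4444-555555555555": r"c:\windows\system32\svchost.exe"}
SERVICE_ACCOUNTS = {r"NT AUTHORITY\SYSTEM", r"NT AUTHORITY\LOCAL SERVICE",
                    r"NT AUTHORITY\NETWORK SERVICE"}
LINE_RE = re.compile(r"^(?P<time>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) "
                     r"user=(?P<user>.+?) iface=(?P<iface>[0-9a-f-]{36})$", re.I)

def analyze(lines):
    """Return (time, pid, iface, reason) tuples for tracked interfaces registered
    by the wrong image, by a non-service account, or by a second process after
    another process already registered them (the squatting race)."""
    findings, first_pid = [], {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a registration record
        iface, image, user, pid = m["iface"].lower(), m["image"].lower(), m["user"], int(m["pid"])
        expected = EXPECTED_OWNER.get(iface)
        if expected is None:
            continue  # interface not on the watch list
        if image != expected:
            findings.append((m["time"], pid, iface, f"registered by unexpected image {image}"))
        elif user not in SERVICE_ACCOUNTS:
            findings.append((m["time"], pid, iface, f"registered by non-service account {user}"))
        if iface in first_pid and first_pid[iface] != pid:
            findings.append((m["time"], pid, iface,
                             f"re-registered; pid {first_pid[iface]} registered it first (squatting race)"))
        first_pid.setdefault(iface, pid)
    return findings

# Constructed sample export: an untracked registration, then a user process
# grabbing the tracked interface before the real svchost.exe instance registers it.
SAMPLE_LOG = r"""
10:00:01 pid=612 image=C:\Windows\System32\svchost.exe user=NT AUTHORITY\SYSTEM iface=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
10:00:05 pid=4711 image=C:\Users\alice\racer.exe user=CORP\alice iface=11111111-2222-3333-4444-555555555555
10:00:09 pid=2200 image=C:\Windows\System32\svchost.exe user=NT AUTHORITY\SYSTEM iface=11111111-2222-3333-4444-555555555555
""".strip().splitlines()
```

Running `analyze(SAMPLE_LOG)` yields two findings: the user process registering a tracked interface, and the later legitimate registration, which tells you the race was lost before the real service started.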
Ensuring RPC Server Integrity
As Ben Yizhak pointed out, just as SSL pinning confirms that a certificate is valid and tied to a specific public key, verifying the identity of an RPC server is vital. The existing design of the endpoint mapper lacks such verification, leading to vulnerabilities. Without proper checks, clients may accept data from untrusted sources, enabling attackers to manipulate client behavior at will.
Conclusion
The recent discovery regarding Microsoft’s Windows RPC vulnerability underscores the ongoing need for vigilance in cybersecurity. With continually evolving threats, understanding and mitigating these risks is essential for safeguarding sensitive information and maintaining system integrity.