Cybersecurity researchers have presented new findings related to a now-patched security issue in Microsoft’s Windows Remote Procedure Call (RPC) communication protocol that could be abused by an attacker to conduct spoofing attacks and impersonate a known server.
The vulnerability, tracked as CVE-2025-49760 (CVSS score: 3.5), has been described by the tech giant as a Windows Storage spoofing bug. It was fixed in July 2025 as part of its monthly Patch Tuesday update. Details of the security defect were shared by SafeBreach researcher Ron Ben Yizhak at the DEF CON 33 security conference this week.
“External control of file name or path in Windows Storage allows an authorized attacker to perform spoofing over a network,” the company said in an advisory released last month.
The Windows RPC protocol utilizes universally unique identifiers (UUIDs) and an Endpoint Mapper (EPM) to enable the use of dynamic endpoints in client-server communications, and connect an RPC client to an endpoint registered by a server.
The vulnerability essentially makes it possible to manipulate a core component of the RPC protocol and stage what’s called an EPM poisoning attack that allows unprivileged users to pose as a legitimate, built-in service with the goal of coercing a protected process to authenticate against an arbitrary server of an attacker’s choosing.
Given that the functioning of EPM is analogous to that of the Domain Name System (DNS) – it maps an interface UUID to an endpoint, just the DNS resolves a domain to an IP address – the attack plays out like DNS poisoning, in which a threat actor tampers with DNS data to redirect users to malicious websites –
- Poison the EPM
- Masquerade as a legitimate RPC Server
- Manipulate RPC clients
- Achieve local/domain privilege escalation via an ESC8 attack
“I was shocked to discover that nothing stopped me from registering known, built-in interfaces that belong to core services,” Ben Yizhak said in a report shared with The Hacker News. “I expected, for example, if Windows Defender had a unique identifier, no other process would be able to register it. But that was not the case.”
“When I tried registering an interface of a service that was turned off, its client connected to me instead. This finding was unbelievable—there were no security checks completed by the EPM. It connected clients to an unknown process that wasn’t even running with admin privileges.”
The crux of the attack hinges on finding interfaces that aren’t mapped to an endpoint, as well as those that could be registered right after the system boots by taking advantage of the fact that many services are set to “delayed start” for performance reasons, and make the boot process faster.
In other words, any service with a manual startup is a security risk, as the RPC interface wouldn’t be registered on boot, effectively making it susceptible to a hijack by allowing an attacker to register an interface before the original service does.
SafeBreach has also released a tool called RPC-Racer that can be used to flag insecure RPC services (e.g., the Storage Service or StorSvc.dll) and manipulate a Protected Process Light (PPL) process (e.g., the Delivery Optimization service or DoSvc.dll) to authenticate the machine account against any server selected by the attacker.
The PPL technology ensures that the operating system only loads trusted services and processes, and safeguards running processes from termination or infection by malicious code. It was introduced by Microsoft with the release of Windows 8.1.
At a high level, the entire attack sequence is as follows –
- Create a scheduled task that will be executed when the current user logs in.
- Register the interface of the Storage Service
- Trigger the Delivery Optimization service to send an RPC request to the Storage Service, resulting in it connecting to the attacker’s dynamic endpoint
- Call the method GetStorageDeviceInfo(), which causes the Delivery Optimization service to receive an SMB share to a rogue server set up by the attacker
- The Delivery Optimization service authenticates with the malicious SMB server with the machine account credentials, leaking the NTLM hash
- Stage an ESC8 attack to relay the coerced NTLM hashes to the web-based certificate enrollment services (AD CS) and achieve privilege escalation
To accomplish this, an offensive open-source tool like Certipy can be used to request a Kerberos Ticket-Granting Ticket (TGT) using the certificate generated by passing the NTLM information to the AD CS server, and then leverage it to dump all secrets from the domain controller.
SafeBreach said the EPM poisoning technique could be further expanded to conduct adversary-in-the-middle (AitM) and denial-of-service (DoS) attacks by forwarding the requests to the original service or registering many interfaces and denying the requests, respectively. The cybersecurity company also pointed out that there could be other clients and interfaces that are likely vulnerable to EPM poisoning.
To better detect these kinds of attacks, security products can monitor calls to RpcEpRegister and use Event Tracing for Windows (ETW), a security feature that logs events that are raised by user-mode applications and kernel-mode drivers.
“Just like SSL pinning verifies that the certificate is not only valid but uses a specific public key, the identity of an RPC server should be checked,” Ben Yizhak said.
“The current design of the endpoint mapper (EPM) doesn’t perform this verification. Without this verification, clients will accept data from unknown sources. Trusting this data blindly allows an attacker to control the client’s actions and manipulate it to the attacker’s will.”
About The Author
Original post here
