A vulnerability in Microsoft Windows’ Remote Procedure Call (RPC) protocol has been discovered that allows attackers to manipulate core system communications and launch sophisticated server spoofing attacks.
The flaw, designated CVE-2025-49760, enables unprivileged users to masquerade as legitimate system services and potentially escalate privileges or steal sensitive credentials.
Researchers at SafeBreach uncovered the vulnerability through a novel “EPM poisoning” technique that exploits weaknesses in Windows’ Endpoint Mapper (EPM), a critical component that connects RPC clients to their intended servers.
The EPM functions similarly to a DNS server, resolving interface identifiers to specific endpoints, but lacks proper verification mechanisms to prevent unauthorized registrations.
The Attack Mechanism
The vulnerability stems from the EPM’s failure to verify whether processes attempting to register RPC interfaces are legitimate services.
Attackers can exploit this by registering known, built-in interfaces before legitimate services start up, effectively hijacking client connections.
This “race condition” attack doesn’t require administrative privileges, making it particularly concerning.
The researcher developed two tools to demonstrate the attack: RPC-Recon, which identifies vulnerable interfaces that register late in the boot process, and RPC-Racer, which executes the actual exploitation.
In testing, the tools successfully forced protected processes, including Windows Update and Delivery Optimization services, to connect to rogue servers controlled by the attacker.
The implications extend far beyond simple service disruption. In one demonstration, researchers successfully manipulated a Protected Process Light (PPL) – among Windows’ most secure process types – to authenticate with attacker-controlled servers.
This forced authentication disclosed the NTLM hash of the machine account, credentials typically reserved for system-level operations.
The attack becomes particularly dangerous in Active Directory environments. By combining the RPC exploitation with certificate-based attacks like ESC8, attackers could potentially escalate from low-privileged users to domain controllers, ultimately compromising entire network infrastructures.
Microsoft addressed the vulnerability with a patch released on July 8, 2025, after being notified in March.
The fix specifically targets the Storage Service RPC client, adding security quality-of-service (QoS) settings so that the client verifies the server’s identity before it establishes a connection.

However, the patch addresses only one vulnerable interface. Security experts warn that numerous other RPC clients and interfaces likely remain susceptible to similar EPM poisoning attacks, requiring ongoing vigilance and additional security measures.
Organizations can implement several detection strategies, including monitoring RpcEpRegister API calls for unauthorized interface registrations and analyzing Windows Event Tracing logs for suspicious RPC activity patterns.
The Microsoft-Windows-RPC provider generates detailed events that can help identify when unknown processes receive connections on known interfaces.
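The detection idea in the two paragraphs above, worked through as an added example (not SafeBreach’s tooling and not code from Microsoft): a small Python analyzer that takes RPC interface-registration and incoming-call events, already exported and normalized from a tracing pipeline, and flags known interfaces that are registered or served by a process image outside an allowlist. The event shape and field names, the interface UUIDs and the image paths are all constructed placeholders; the real Microsoft-Windows-RPC provider has its own event schema, and the allowlist would be built from a known-good baseline of RpcEpRegister activity on a clean reference machine.

```python
"""Flag EPM-poisoning symptoms in normalized RPC trace events.

Added example, not part of the original article. Every UUID, path and field
name below is a constructed placeholder, not a real interface identifier or
a real Microsoft-Windows-RPC event field.
"""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Placeholder allowlist: interface UUID -> process images allowed to host it.
KNOWN_INTERFACES: Dict[str, Set[str]] = {
    "aaaaaaaa-0000-0000-0000-000000000001": {r"c:\windows\system32\svchost.exe"},
    "aaaaaaaa-0000-0000-0000-000000000002": {r"c:\windows\system32\svchost.exe"},
}


@dataclass(frozen=True)
class RpcEvent:
    ts: int      # ordering key, e.g. seconds since boot (constructed)
    kind: str    # "register" (interface registered) or "call" (server received a call)
    iface: str   # interface UUID, lower-cased
    pid: int
    image: str   # full path of the process image, lower-cased


@dataclass(frozen=True)
class Alert:
    rule: str
    iface: str
    pid: int
    image: str


def parse_events(lines: Iterable[str]) -> List[RpcEvent]:
    """Parse one JSON object per line (constructed export format) into events."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append(RpcEvent(
            ts=int(rec["ts"]),
            kind=rec["kind"],
            iface=rec["iface"].lower(),
            pid=int(rec["pid"]),
            image=rec["image"].strip().lower(),
        ))
    return events


def detect_epm_poisoning(events: Iterable[RpcEvent],
                         known: Dict[str, Set[str]] = KNOWN_INTERFACES) -> List[Alert]:
    """Three rules, evaluated in time order:
    - unexpected-registrant: a known interface registered by a non-allowlisted image
    - late-legitimate-registration: the allowlisted service registers only after a
      different process already grabbed the interface (it lost the race)
    - unexpected-server: a call on a known interface is handled by a non-allowlisted image
    """
    alerts: List[Alert] = []
    first_registrant: Dict[str, Tuple[int, str]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        allowed = known.get(ev.iface)
        if allowed is None:          # interface not in the baseline: out of scope here
            continue
        trusted = ev.image in allowed
        if ev.kind == "register":
            if not trusted:
                alerts.append(Alert("unexpected-registrant", ev.iface, ev.pid, ev.image))
            if ev.iface not in first_registrant:
                first_registrant[ev.iface] = (ev.pid, ev.image)
            elif trusted and first_registrant[ev.iface][0] != ev.pid:
                alerts.append(Alert("late-legitimate-registration", ev.iface, ev.pid, ev.image))
        elif ev.kind == "call" and not trusted:
            alerts.append(Alert("unexpected-server", ev.iface, ev.pid, ev.image))
    return alerts


# Constructed sample export: one interface is hijacked by an unprivileged
# process before the real service registers; the other behaves normally.
SAMPLE_EVENTS = r"""
{"ts": 5,  "kind": "register", "iface": "aaaaaaaa-0000-0000-0000-000000000002", "pid": 888,  "image": "C:\\Windows\\System32\\svchost.exe"}
{"ts": 10, "kind": "register", "iface": "aaaaaaaa-0000-0000-0000-000000000001", "pid": 4321, "image": "C:\\Users\\lowpriv\\AppData\\Local\\Temp\\rogue_rpc.exe"}
{"ts": 12, "kind": "register", "iface": "aaaaaaaa-0000-0000-0000-000000000001", "pid": 900,  "image": "C:\\Windows\\System32\\svchost.exe"}
{"ts": 15, "kind": "call",     "iface": "aaaaaaaa-0000-0000-0000-000000000001", "pid": 4321, "image": "C:\\Users\\lowpriv\\AppData\\Local\\Temp\\rogue_rpc.exe"}
{"ts": 20, "kind": "call",     "iface": "aaaaaaaa-0000-0000-0000-000000000002", "pid": 888,  "image": "C:\\Windows\\System32\\svchost.exe"}
{"ts": 21, "kind": "register", "iface": "bbbbbbbb-0000-0000-0000-000000000009", "pid": 4321, "image": "C:\\Users\\lowpriv\\AppData\\Local\\Temp\\rogue_rpc.exe"}
"""


def run_sample() -> List[Alert]:
    return detect_epm_poisoning(parse_events(SAMPLE_EVENTS.splitlines()))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.rule:30} iface={a.iface} pid={a.pid} image={a.image}")
```

On the constructed sample the analyzer raises three alerts, all for the first interface: the rogue registration, the legitimate service registering late (the signature of a lost boot-time race), and a call on that interface being answered by the rogue process. The last event is ignored because its interface is not in the baseline; in practice an unknown interface registered from a user-writable path is worth a separate, lower-confidence rule.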
This discovery highlights fundamental design weaknesses in Windows’ inter-process communication architecture and underscores the need for enhanced verification mechanisms in critical system protocols.