Microsoft has failed to patch a security vulnerability affecting Windows users, with the ability to enable privilege escalation, and for which the researcher behind the discovery warned: “the number of potential attack vectors is effectively unlimited.” Here’s what you need to know about the PhantomRPC vulnerability, seated at the heart of the Windows Remote Procedure Call mechanism, and which Kaspersky researcher Haidar Kabibo said is “likely in all Windows versions.”

The Windows PhantomRPC Vulnerability And Why Isn’t It Patched Yet

Microsoft has a heck of a job on its hands when it comes to the sheer number of security vulnerabilities that affect the Windows operating system, of that there is no doubt. On the whole, it does a good job of dealing with them as they are discovered. Sometimes, however, the response to security researchers can best be described as underwhelming, as was the case when one such researcher dropped a zero-day in frustration recently. Now another case has left some cybersecurity experts puzzled by the absence of a patch for a newly discovered vulnerability that affects the Windows RPC architecture.

Known as PhantomRPC, the vulnerability “enables processes with impersonation privileges to elevate their permissions to SYSTEM level,” Kaspersky’s Kabibo said. RPC is the Windows mechanism for communication between two processes, letting one invoke functions implemented in the other. Kabibo demonstrates five exploitation paths in the published report, each requiring coercion, user interaction or the compromise of a background service. But, and here’s the important bit, because the vulnerability stems from an architectural weakness, those attack vectors are pretty much unlimited.

Kabibo disclosed all of this in technical detail to Microsoft in September 2025, so you might have expected a patch to have arrived by now. But no: Kabibo said that Microsoft’s response in October was to label the issue only moderately severe, not eligible for a bug bounty of any kind and not worthy of an official Common Vulnerabilities and Exposures listing. Worse still, Kabibo said, “the case was closed without further tracking” by Microsoft.

A Microsoft spokesperson provided the following statement: “This technique requires an already-compromised machine and does not grant unauthenticated or remote access. Any update is a balance between existing compatibility and customer risk, and we remain committed to continually hardening our products. We recommend customers follow security best practices, including limiting administrative privileges and applying the principle of least privilege.”

One cybersecurity expert has been left aghast at Microsoft’s lack of response to the vulnerability report, calling it a bold strategy just because “you have to be halfway into the house before you can use it to unlock the safe.” Damon Small, a board member at Xcape, Inc., went on to add that “Microsoft’s decision not to patch is technically defensible under their traditional servicing criteria - since the attacker already needs SeImpersonatePrivilege - but it is operationally negligent in a landscape where attackers frequently use compromised service accounts as a beachhead.”

And Small is not the only one. “By categorizing an architectural vulnerability as an acceptable risk,” Jason Soroko, a senior fellow at Sectigo, told me, “the vendor introduces a continuous cognitive tax on technical leaders who must navigate and mitigate incomplete structural fixes.” Microsoft’s stance appears to be that if the adversary has already penetrated certain classes of defense, then, frankly, it’s up to the user to deal with it.

Shane Barney, chief information security officer at Keeper Security, said that, in the absence of any patch, the defensive focus has to be on access control and environmental hygiene. “Enforcing least privilege, removing standing administrative rights and implementing just-in-time access all narrow the window,” Barney advised. “Auditing which services are active and ensuring legitimate RPC servers are present and accounted for also matters here, because this attack depends on filling a gap that shouldn't exist.” If you use Windows in your business, Barney concluded, “Reducing that gap is the most direct mitigation available right now.”
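The precondition every source above comes back to is SeImpersonatePrivilege, and Barney’s advice is to audit which services are running and under what identity. The following PowerShell script is an added example of that audit, not code from the article, from Kaspersky or from Microsoft; it assumes an elevated session, a temporary file path of my choosing, and the default set of privilege holders found on a workstation or member server.

```powershell
# Added audit example (not from the article or Kaspersky's report).
# Lists which principals hold SeImpersonatePrivilege on this host and which
# running services use a custom account rather than a built-in service identity.
# Assumes an elevated PowerShell session; file name and defaults are mine.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Principals that hold SeImpersonatePrivilege by default:
# Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE.
$defaults = @('S-1-5-32-544', 'S-1-5-6', 'S-1-5-19', 'S-1-5-20')

# The exported policy has a line like:
#   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
$line = Get-Content $inf | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
$sids = @()
if ($line) {
    $sids = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

Write-Host "Holders of SeImpersonatePrivilege:"
foreach ($sid in $sids) {
    try {
        $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
    } catch {
        $name = $sid   # policy may list an account name instead of a SID
    }
    $tag = if ($defaults -contains $sid) { 'default' } else { 'NON-DEFAULT - review' }
    '{0,-45} {1,-25} {2}' -f $name, $sid, $tag
}

# Running services that use a custom account: these are the "service account
# beachheads" the article's sources are worried about, so each one should be
# accounted for and run with the least privilege it actually needs.
Write-Host "`nRunning services under non-built-in accounts:"
Get-CimInstance Win32_Service |
    Where-Object {
        $_.State -eq 'Running' -and
        $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\(LocalService|NetworkService))$'
    } |
    Select-Object Name, StartName, PathName |
    Format-Table -AutoSize

Remove-Item $inf -ErrorAction SilentlyContinue
```

Anything flagged NON-DEFAULT, and any running service whose account is not in your inventory, is the gap Barney describes; shrinking that list is the mitigation available while no patch exists.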