Ghosts in the Wires: How a Windows Protocol Flaw Opened the Gates to Corporate Impersonation
Researchers uncover a critical Windows RPC vulnerability that allowed attackers to masquerade as trusted servers, exposing organizations to stealthy privilege theft and sabotage.
Fast Facts
- The flaw (CVE-2025-49760) affected Microsoft’s Windows Remote Procedure Call (RPC) protocol and was patched in July 2025.
- Attackers could impersonate legitimate servers, hijacking trusted connections and harvesting sensitive credentials.
- No administrator rights were needed - unprivileged users could exploit the vulnerability using a tool called RPC-Racer.
- The exploit enabled privilege escalation, including relaying captured NTLM authentication to Active Directory Certificate Services (the ESC8 technique) to obtain certificates for privileged accounts.
- SafeBreach disclosed the issue at DEF CON 33, warning of risks spanning from targeted espionage to widespread disruption.
When Trust Becomes a Trap: The RPC Poisoning Saga
Imagine the digital highways inside a modern business: data, credentials, and commands whizzing between computers, all trusting they’re talking to the right destination. In 2025, researchers from SafeBreach discovered a hidden detour - a flaw in the Windows Remote Procedure Call (RPC) protocol - that let attackers reroute this traffic, impersonate trusted servers, and quietly seize the keys to the kingdom.
RPC is a backbone protocol in Windows, used by countless services to coordinate work across networks. At its heart is the Endpoint Mapper (EPM), a kind of switchboard that tells clients where to connect for a given service, keyed by the service's interface UUID. The flaw, CVE-2025-49760, allowed attackers to “poison” this switchboard. Because any local account could register an endpoint, an attacker who raced to register a fake endpoint for an interface before the real service came online would be handed every client that later asked the EPM for that interface - including privileged clients, which then authenticated to the attacker's endpoint. No administrative rights were required.
From Discovery to Exploitation: The Mechanics of Digital Masquerade
SafeBreach’s Ron Ben Yizhak showcased the attack at DEF CON 33, demonstrating how a tool dubbed RPC-Racer could scan for services whose interfaces were vulnerable to the race and hijack their connections. The attacker would stand up a fake server, receive the incoming NTLM authentication from a high-privilege process, and relay it rather than merely record it. With a live authentication in hand, they could pull off the attack known as ESC8: relaying NTLM to Microsoft’s Active Directory Certificate Services web enrollment endpoint to obtain a certificate in the victim’s name, and with it sweeping access across the organization.
What makes this attack especially chilling is its simplicity: any user with local access could lay the trap, and the poisoned EPM would unwittingly guide privileged processes - Delivery Optimization was the example shown - straight into it. In some cases, attackers could also use the same primitive for man-in-the-middle attacks, or for denial of service by flooding the mapping service with bogus registrations.
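The registration race and the relay step it enables, as an added toy model that is not SafeBreach's, Microsoft's or RPC-Racer's code. It collapses the EPM to a dictionary keyed by interface UUID with a "first registration wins" rule (the assumption the race exploits), uses a constructed UUID rather than that of any real Windows service, and stands in for AD CS web enrollment with a function that issues a certificate to whoever authenticates. The hardened client is a hypothetical one that refuses a server unable to prove the expected SPN through mutual authentication:

```python
"""Toy model of EPM poisoning: who ends up holding a privileged client's
authentication depends on registration order and on whether the client
checks the server's identity. Added example; not the researchers' code."""
import uuid
from dataclasses import dataclass
from typing import Optional

# Constructed UUID for the toy interface; NOT the UUID of any real Windows service.
STORAGE_IFACE = uuid.UUID("11111111-2222-3333-4444-555555555555")
# Identity the legitimate server can prove via mutual authentication (assumed).
EXPECTED_SPN = "host/ws01.corp.example"


@dataclass
class Endpoint:
    binding: str                # where the client connects, e.g. a named pipe
    owner: str                  # account that registered it with the EPM
    proven_spn: Optional[str]   # identity the server can prove; None = cannot


class EndpointMapper:
    """UUID -> endpoint switchboard. Any local account may register, and the
    first registration for a UUID wins: that is the assumption the race abuses."""

    def __init__(self) -> None:
        self._table: dict = {}

    def register(self, iface: uuid.UUID, ep: Endpoint) -> bool:
        if iface in self._table:
            return False            # the late registrant (the real service) loses
        self._table[iface] = ep
        return True

    def resolve(self, iface: uuid.UUID) -> Optional[Endpoint]:
        return self._table.get(iface)


def client_connect(epm: EndpointMapper, iface: uuid.UUID,
                   expected_spn: Optional[str] = None) -> Optional[Endpoint]:
    """Resolve the interface and return the endpoint the client will authenticate
    to. A naive client (expected_spn=None) trusts whatever the EPM hands back; a
    hardened client refuses any server that cannot prove the expected identity."""
    ep = epm.resolve(iface)
    if ep is None:
        return None
    if expected_spn is not None and ep.proven_spn != expected_spn:
        return None                 # mutual auth failed: send no credentials
    return ep


def adcs_web_enroll(authenticated_as: str) -> str:
    """Stand-in for AD CS web enrollment over NTLM (the ESC8 target): issues a
    certificate for whoever authenticated, even if that auth was relayed."""
    return f"CERT:{authenticated_as}"


def run_race(attacker_first: bool, hardened: bool) -> dict:
    """Play the race once and report where the privileged auth ended up."""
    epm = EndpointMapper()
    legit = Endpoint(r"\\pipe\storsvc", "NT AUTHORITY\\SYSTEM", EXPECTED_SPN)
    rogue = Endpoint(r"\\pipe\racer", "CORP\\lowpriv", None)
    order = [rogue, legit] if attacker_first else [legit, rogue]
    results = dict(zip(("rogue", "legit") if attacker_first else ("legit", "rogue"),
                       (epm.register(STORAGE_IFACE, ep) for ep in order)))

    # Privileged client (a service authenticating as the machine account) asks
    # the EPM where the interface lives and authenticates to that endpoint.
    machine_account = "CORP\\WS01$"
    ep = client_connect(epm, STORAGE_IFACE, EXPECTED_SPN if hardened else None)

    # Only an attacker holding a live authentication can relay it to AD CS.
    cert = adcs_web_enroll(machine_account) if ep is rogue else None
    return {"rogue_registered": results["rogue"],
            "auth_sent_to": ep.owner if ep else None,
            "cert_for": cert}


if __name__ == "__main__":
    for first, hard in ((True, False), (True, True), (False, False)):
        print(f"attacker_first={first} hardened={hard}: {run_race(first, hard)}")
```

The middle case is the one the patch and the "verify the identity of critical services" advice aim at: the attacker still wins the registration race, but a client that insists on mutual authentication never sends its credentials, so there is nothing to relay.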
History Repeats: Spoofing, Trust, and the Ever-Evolving Threat
This isn’t the first time Windows protocols have been tripped up by trust gone wrong. Earlier attacks like DNS spoofing and SMB relay exploited similar weaknesses - clients accepting a server’s claimed identity without rigorous checks. What sets the RPC poisoning attack apart is its stealth and reach: it targets the very mechanism meant to keep communications orderly, subverting it from within.
Experts warn that as organizations increasingly rely on interconnected Windows services, such vulnerabilities become high-value targets for cybercriminals and state-backed actors. The potential for credential theft, lateral movement, and even ransomware deployment is immense - especially in sectors like finance, healthcare, and government, where Windows infrastructure is ubiquitous.
Lessons in Digital Vigilance
Microsoft’s July 2025 patch closed this particular loophole, but the episode is a stark reminder: in the world of digital trust, even the most familiar protocols can become double agents. Continuous monitoring, requiring critical services to prove their identity before credentials are sent, and keeping systems patched are now more essential than ever. As attackers become more creative, defenders must learn to question every handshake - even those that seem routine.
WIKICROOK
- Remote Procedure Call (RPC): Remote Procedure Call (RPC) is a protocol that lets programs on different computers communicate and request services as if on the same machine.
- Endpoint Mapper (EPM): Endpoint Mapper (EPM) is a Windows service that directs client requests to the correct server by mapping interface UUIDs to network endpoints.
- Spoofing: Spoofing is a technique where an attacker impersonates a trusted source - a server, a sender or a signal - so that the receiver accepts false data as genuine.
- NTLM Hash: An NTLM hash is a one-way hashed form of a Windows password used in challenge-response authentication; it is not encrypted and cannot be decrypted, but a captured hash or a live NTLM exchange can be relayed or cracked to impersonate the user.
- Privilege Escalation: Privilege escalation occurs when an attacker gains higher-level access, moving from a regular user account to administrator privileges on a system or network.