Researchers Detail Windows EPM Poisoning Exploit Chain Leading to Domain Privilege Escalation

Aug 10, 2025 | Ravie Lakshmanan | Vulnerability / Endpoint Security


What’s new: Researchers have detailed a vulnerability in Microsoft’s Windows Remote Procedure Call (RPC) protocol, tracked as CVE-2025-49760, which allows attackers to carry out RPC Endpoint Mapper (EPM) poisoning attacks. The vulnerability lets an unprivileged user impersonate a legitimate service and escalate privileges within a domain. Microsoft patched the issue in its July 2025 Patch Tuesday update.

Who’s affected

Organizations running Windows systems that rely on the RPC protocol may be affected, particularly those with services configured for delayed start or manual startup, which attackers could exploit to register malicious RPC interfaces.

What to do

  • Ensure all systems are updated with the latest security patches from Microsoft.
  • Monitor RPC service registrations and calls to RpcEpRegister for unusual activity.
  • Implement security measures to verify the identity of RPC servers, similar to SSL pinning.
  • Consider using tools like SafeBreach’s RPC-Racer to identify insecure RPC services.
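To act on the second point above, a defender first needs an inventory of the services the article singles out: those whose delayed or manual start leaves them unregistered with the Endpoint Mapper for some time. The following PowerShell is an added example, not code from the article or from SafeBreach; it assumes Windows 10 / Server 2016 or later, where the Win32_Service CIM class exposes the DelayedAutoStart property (on older builds the property is absent and only manual-start services are reported).

```powershell
# Added example (not from the article or SafeBreach): inventory services whose start
# configuration leaves a window before their RPC interface is registered with the EPM.
# Assumption: Win32_Service exposes DelayedAutoStart (Windows 10 / Server 2016+).
function Get-LateStartServiceCandidate {
    [CmdletBinding()]
    param(
        # Report only services that are not running right now, i.e. whose window is open.
        [switch]$StoppedOnly
    )
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            ($_.StartMode -eq 'Manual' -or $_.DelayedAutoStart -eq $true) -and
            (-not $StoppedOnly -or $_.State -ne 'Running')
        } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                # Collapse the two risky configurations into one readable column.
                StartMode   = if ($_.DelayedAutoStart) { 'Auto (Delayed)' } else { $_.StartMode }
                State       = $_.State
                Account     = $_.StartName   # LocalSystem entries are the most interesting
                BinaryPath  = $_.PathName
            }
        }
}

# Review the list against what the host actually needs; a stopped, manual-start service
# running as LocalSystem is a candidate for either hardening its start mode or monitoring
# RpcEpRegister activity around it.
Get-LateStartServiceCandidate -StoppedOnly | Sort-Object Account, Name | Format-Table -AutoSize
```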

Sources