Windows RPC Exposes New Local Privilege Escalation Technique

"This technique enables processes with impersonation privileges to elevate their permissions to SYSTEM level," wrote Kaspersky Security Services in a technical report released alongside proof‑of‑concept code.

ALPC, MSRPC and impersonation: the technical kernel

The vulnerability described by Kaspersky rests on Windows' Remote Procedure Call stack, specifically when MSRPC uses ALPC (Advanced Local Procedure Call) as a transport. An RPC client constructs a request that includes an interface UUID, a protocol sequence and an endpoint; when the transport is ALPC the endpoint behaves like a message channel. Crucially, RPC requests include Security Quality of Service (SQOS) parameters that declare an impersonation level. Servers that hold SeImpersonatePrivilege can call RpcImpersonateClient to assume the caller's security context.

Kaspersky's analysis found that the RPC runtime (rpcrt4.dll) does not validate that an RPC server presenting a given endpoint is the legitimate intended process. Windows allows another process to deploy an RPC server that exposes the same endpoint name; if the client connects with a high impersonation level, the fake server can call RpcImpersonateClient and inherit the caller's privileges.

Group Policy client and TermService: a coercion path

Kaspersky documented a concrete, reproducible path that leverages how the Group Policy Client service (gpsvc) calls the Remote Desktop service (TermService). When gpupdate.exe /force is invoked, gpsvc issues an RPC to TermService with the UUID bde95fdf-eee0-45de-9e12-e5a61cd0d4fe, endpoint ncalrpc:[TermSrvApi], and function void Proc8(int). Because TermService is commonly disabled by default, the call fails with RPC_S_SERVER_UNAVAILABLE (0x800706BA, 1722).

Tracing shows the failure stems from NtAlpcConnectPort: the call includes a PortAttributes structure carrying SQOS data and a RequiredServerSid indicating the expected Network Service identity. If an attacker controls any process running as Network Service and deploys a malicious RPC server that mimics TermService's interface and endpoint, gpsvc can be coerced into connecting. The malicious server then calls RpcImpersonateClient and can escalate from Network Service to SYSTEM; Kaspersky's proof‑of‑concept spawns a SYSTEM-level command prompt to demonstrate this path.

Edge, WDI, DHCP and W32Time: four additional escalation routes

The report outlines four other vectors that use the same architectural weakness:

  • msedge.exe to TermService: Microsoft Edge makes an RPC call to TermService at startup with a high impersonation level. When TermService is disabled, an attacker running under Network Service who exposes the TermSrvApi endpoint can impersonate a launching administrator and escalate to Administrator.
  • WdiSystemHost (Diagnostic System Host): This service runs under SYSTEM and periodically (every 5–15 minutes) invokes RPC calls to TermService with a high impersonation level. A malicious server that mimics TermService lets an attacker escalate directly to SYSTEM without user interaction.
  • DHCP Client interactions: The DHCP Client service runs as Local Service and exposes RPC interfaces that client DLLs call with high impersonation. If DHCP Client is disabled, an attacker controlling a Local Service process can present the expected interface and endpoint, then impersonate an administrative ipconfig invocation to reach Administrator.
  • Windows Time (W32Time) and a nonexistent pipe: W32Time exposes endpoints \PIPE\W32TIME_ALT and \RPC Control\W32TIME_ALT, but w32tm.exe first attempts to connect to a nonexistent \PIPE\W32TIME. An attacker who exposes \PIPE\W32TIME with the W32Time interface can receive the connection and impersonate the caller; because w32tm.exe attempts the nonexistent pipe first, the legitimate service need not be disabled.

How Kaspersky found and instrumented the behavior

To discover clients calling unavailable servers, Kaspersky built an ETW (Event Tracing for Windows) workflow. They collected RPC events with logman, converted .etl traces to JSON (using tools such as etw2json), and programmatically correlated Event ID 1 (RPC stop) with Event ID 5 (RPC start) to recover status codes, interface UUIDs, OPNUM, impersonation level, client process identity, and endpoint names.

The filtering focused on RPC_S_SERVER_UNAVAILABLE events originating from high‑privileged processes and using high impersonation levels. Kaspersky then enriched the dataset by matching UUIDs against an RPC database to locate the DLL implementing the interface and the number of procedures it presents. The research repository accompanying the report contains the tools used for this framework.

Kaspersky's disclosure and Microsoft's assessment

Kaspersky Security Services submitted a 10‑page technical report to the Microsoft Security Response Center on 2025‑09‑19 (Case 101749). Microsoft replied on 2025‑10‑10, classifying the issue as moderate severity, declining a bounty, not issuing a CVE, and closing the case without further tracking. Microsoft’s stated rationale was that the originating process must already possess SeImpersonatePrivilege for the attack to succeed. Kaspersky respected the coordinated disclosure embargo and scheduled public release for 2026‑04‑24.

What this means for technologists, administrators, and defenders

  • Technologists and security teams: Review processes and services granted SeImpersonatePrivilege; reduce that privilege in custom or nonessential processes where possible. Use the ETW tooling Kaspersky published to inventory RPC clients that report RPC_S_SERVER_UNAVAILABLE with high impersonation levels.
  • Administrators and ops: Where legitimate RPC servers are expected but not running, consider enabling those services (for example TermService or DHCP Client) to deny attackers the opportunity to impersonate endpoints, or otherwise harden service start/endpoint exposure.
  • Defenders and incident responders: Monitor ETW-derived events that show high‑privilege clients attempting RPC connections to unavailable servers; such events are the specific indicators Kaspersky used to find exploitable paths.
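The ETW correlation described under "How Kaspersky found and instrumented the behavior" and the monitoring advice for defenders above both reduce to one join and one filter: pair each RPC stop event (ID 1) with its start event (ID 5), then keep the calls that ended in RPC_S_SERVER_UNAVAILABLE, came from a high-privileged client and carried a high impersonation level. The Python below is an added illustration of that logic and is not Kaspersky's published tooling. The JSON record shape, the field names, the sample events and the decision to count only the SYSTEM, LOCAL SERVICE and NETWORK SERVICE SIDs as high-privileged are assumptions made for this example; only the gpsvc-to-TermService UUID, endpoint, OPNUM and status code come from the report.

```python
"""Correlate Microsoft-Windows-RPC ETW start/stop records (after .etl -> JSON
conversion) and flag high-privilege clients whose calls failed with
RPC_S_SERVER_UNAVAILABLE at a high impersonation level.  Added example; the
record layout below is an assumption, not the real etw2json output format."""
import json
from collections import defaultdict

RPC_S_SERVER_UNAVAILABLE = 1722          # 0x6BA; surfaces as HRESULT 0x800706BA
EVENT_RPC_START, EVENT_RPC_STOP = 5, 1   # event IDs as described in the report summary

# SECURITY_IMPERSONATION_LEVEL: Anonymous=0, Identification=1, Impersonation=2,
# Delegation=3.  From Impersonation upward a server can act as its client.
IMPERSONATION_LEVEL_HIGH = 2

# Well-known service-account SIDs.  Treating exactly these as "high-privileged
# clients" is an assumption of this example, not the report's definition.
HIGH_PRIV_SIDS = {
    "S-1-5-18": "SYSTEM",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
}

# Constructed sample records.  The first pair mirrors the gpsvc -> TermService
# call from the report; the remaining UUIDs/SIDs are obvious placeholders.
SAMPLE_EVENTS = json.loads("""[
 {"EventId":5,"Timestamp":100,"ProcessId":1200,"ThreadId":4100,"ProcessName":"svchost.exe",
  "UserSid":"S-1-5-18","InterfaceUuid":"bde95fdf-eee0-45de-9e12-e5a61cd0d4fe",
  "Endpoint":"ncalrpc:[TermSrvApi]","OpNum":8,"ImpersonationLevel":2},
 {"EventId":1,"Timestamp":103,"ProcessId":1200,"ThreadId":4100,"Status":1722},
 {"EventId":5,"Timestamp":110,"ProcessId":1200,"ThreadId":4100,"ProcessName":"svchost.exe",
  "UserSid":"S-1-5-18","InterfaceUuid":"00000000-0000-0000-0000-000000000001",
  "Endpoint":"ncalrpc:[PlaceholderA]","OpNum":0,"ImpersonationLevel":2},
 {"EventId":1,"Timestamp":111,"ProcessId":1200,"ThreadId":4100,"Status":0},
 {"EventId":5,"Timestamp":120,"ProcessId":5000,"ThreadId":5001,"ProcessName":"userapp.exe",
  "UserSid":"S-1-5-21-0-0-0-1001","InterfaceUuid":"00000000-0000-0000-0000-000000000002",
  "Endpoint":"ncalrpc:[PlaceholderB]","OpNum":3,"ImpersonationLevel":2},
 {"EventId":1,"Timestamp":121,"ProcessId":5000,"ThreadId":5001,"Status":1722},
 {"EventId":5,"Timestamp":130,"ProcessId":1300,"ThreadId":1301,"ProcessName":"svchost.exe",
  "UserSid":"S-1-5-18","InterfaceUuid":"00000000-0000-0000-0000-000000000003",
  "Endpoint":"ncalrpc:[PlaceholderC]","OpNum":1,"ImpersonationLevel":1},
 {"EventId":1,"Timestamp":131,"ProcessId":1300,"ThreadId":1301,"Status":1722},
 {"EventId":1,"Timestamp":140,"ProcessId":9999,"ThreadId":1,"Status":1722}
]""")


def correlate_rpc_calls(events):
    """Pair each stop event (ID 1) with the most recent unmatched start event
    (ID 5) on the same process/thread; stops with no start are dropped."""
    pending = defaultdict(list)            # (pid, tid) -> stack of start events
    calls = []
    for ev in sorted(events, key=lambda e: e["Timestamp"]):
        key = (ev["ProcessId"], ev["ThreadId"])
        if ev["EventId"] == EVENT_RPC_START:
            pending[key].append(ev)
        elif ev["EventId"] == EVENT_RPC_STOP and pending[key]:
            start = pending[key].pop()
            calls.append({**start, "Status": ev["Status"],
                          "Duration": ev["Timestamp"] - start["Timestamp"]})
    return calls


def find_unavailable_server_calls(events):
    """Apply the report's filter: server unavailable, high-privilege client,
    high impersonation level.  Each hit names an endpoint that, if its real
    server is not running, another process could register in its place."""
    findings = []
    for call in correlate_rpc_calls(events):
        if call["Status"] != RPC_S_SERVER_UNAVAILABLE:
            continue
        if call["ImpersonationLevel"] < IMPERSONATION_LEVEL_HIGH:
            continue
        account = HIGH_PRIV_SIDS.get(call["UserSid"])
        if account is None:
            continue
        findings.append({
            "Process": f'{call["ProcessName"]} (pid {call["ProcessId"]})',
            "Account": account,
            "InterfaceUuid": call["InterfaceUuid"],
            "Endpoint": call["Endpoint"],
            "OpNum": call["OpNum"],
            "ImpersonationLevel": call["ImpersonationLevel"],
            "Status": call["Status"],
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(find_unavailable_server_calls(SAMPLE_EVENTS), indent=2))
```

On the constructed sample only the gpsvc call survives the filter: the successful call, the call from an ordinary user SID and the SYSTEM call made at Identification level are all dropped, which is what keeps the output to endpoints worth auditing rather than every transient RPC failure. Against real traces, the hits are the ones to cross-check against the service that should own the endpoint (is it disabled, and does it need to be?) before any of Kaspersky's UUID-to-DLL enrichment is applied.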

All proof‑of‑concept exploits in Kaspersky’s report were tested on Windows Server 2022 and Windows Server 2025 with the latest updates available before submission. Because the root cause is architectural, Kaspersky warns the attack surface is broad and may yield further escalation paths as different DLLs and services invoke RPC.

Read the original Kaspersky report