Researchers Detail Windows EPM Poisoning Exploit Chain Leading to Domain Privilege Escalation
What’s new: Researchers have detailed a vulnerability in Microsoft’s Windows Remote Procedure Call (RPC) protocol, tracked as CVE-2025-49760, that allows attackers to carry out EPM (Endpoint Mapper) poisoning attacks. This can lead to privilege escalation, because an unprivileged user can impersonate a legitimate service and manipulate the RPC clients that connect to it. Microsoft patched the vulnerability in July 2025.
Who’s affected
Organizations running Windows systems that rely on the RPC protocol may be affected, particularly where services are configured for delayed start or manual startup.
What to do
- Ensure that all Windows systems are updated with the latest security patches from Microsoft.
- Monitor RPC service registrations and calls to RpcEpRegister for unusual activity.
- Implement security measures so that RPC clients verify the identity of the RPC servers they connect to, preventing a poisoned endpoint from being used for unauthorized access.
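Since the report singles out delayed-start and manual-start services as the ones most exposed, a useful first step for defenders is an inventory of those services on each host so they can be reviewed and diffed against a known-good baseline. The following PowerShell snippet is an added example and is not code from the report or from Microsoft; it assumes Windows 8 / Server 2012 or later, where the Win32_Service CIM class exposes the DelayedAutoStart property, and the output path is an arbitrary choice.

```powershell
# Added example (not from the original report): list services that do not start
# automatically at boot, i.e. manual-start or delayed auto-start services, which
# the report identifies as the most exposed to EPM poisoning.
# Assumption: Windows 8 / Server 2012 or later (Win32_Service has DelayedAutoStart).
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Manual' -or $_.DelayedAutoStart -eq $true } |
    Select-Object Name, DisplayName, StartMode, DelayedAutoStart, State, StartName, PathName

# Show the inventory on screen, sorted so manual and delayed services group together.
$services | Sort-Object StartMode, DelayedAutoStart, Name | Format-Table -AutoSize

# Export for review or for comparison with a previously captured baseline
# (output path is a placeholder; adjust to your collection location).
$services | Export-Csv -Path "$env:TEMP\service-start-inventory.csv" -NoTypeInformation
```

Run this as an administrator on each host after applying the July 2025 update; the StartName column shows the account each service runs as, which helps prioritise review of services that an attacker impersonating them could abuse for privilege escalation.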