What’s new
Researchers have detailed a vulnerability in Microsoft’s Windows Remote Procedure Call (RPC) protocol, tracked as CVE-2025-49760, which allows attackers to perform Endpoint Mapper (EPM) poisoning attacks. This can enable unprivileged users to impersonate legitimate services, leading to domain privilege escalation. The vulnerability was patched in July 2025.
Who’s affected
Organizations using Microsoft Windows systems that rely on the RPC protocol may be affected, particularly where services are set to delayed start, because an attacker could register an interface before the legitimate service does.
What to do
- Ensure all systems are updated with the latest security patches from Microsoft.
- Monitor RPC service registrations and calls to RpcEpRegister for unusual activity.
- Implement security measures to verify the identity of RPC servers to prevent unauthorized access.
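
One way to act on the monitoring advice above is to compare each observed endpoint registration against a known-good baseline of which process and account should own an interface. This is an added example, not code from the researchers or Microsoft; the record fields, the interface UUIDs and the sample events are constructed assumptions standing in for whatever telemetry source records RpcEpRegister calls in your environment.

```python
# Added example: flag endpoint-mapper registrations that deviate from a baseline.
# Record fields, UUIDs and sample events are constructed placeholders, not real telemetry.
from dataclasses import dataclass

@dataclass(frozen=True)
class Registration:
    time: float      # seconds since boot
    interface: str   # RPC interface UUID passed to RpcEpRegister
    image: str       # executable that made the call
    account: str     # account the calling process runs as

# Baseline built from a known-good host: interface -> (expected image, expected account).
BASELINE = {
    "11111111-2222-3333-4444-555555555555": (r"c:\windows\system32\svchost.exe", "SYSTEM"),
}

def find_suspicious(events, baseline=BASELINE):
    """Return (reason, event) pairs for registrations that deviate from the baseline."""
    findings = []
    first_seen = {}  # interface -> first registration observed since boot
    for ev in sorted(events, key=lambda e: e.time):
        iface = ev.interface.lower()
        expected = baseline.get(iface)
        if expected is None:
            continue  # interface not baselined: out of scope for this check
        owner = (ev.image.lower(), ev.account.upper())
        if owner != (expected[0].lower(), expected[1].upper()):
            findings.append(("unexpected-owner", ev))
        first = first_seen.setdefault(iface, ev)
        if first is not ev and first.image.lower() != ev.image.lower():
            # A different process had already registered this interface,
            # which is the delayed-start race the advisory describes.
            findings.append(("registered-after-other-process", ev))
    return findings

# Constructed sample: an unprivileged process registers first, the real service later.
SAMPLE = [
    Registration(42.0, "11111111-2222-3333-4444-555555555555", r"C:\Users\Public\tool.exe", "user1"),
    Registration(130.5, "11111111-2222-3333-4444-555555555555", r"C:\Windows\System32\svchost.exe", "SYSTEM"),
    Registration(131.0, "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", r"C:\Program Files\App\app.exe", "user1"),
]

if __name__ == "__main__":
    for reason, ev in find_suspicious(SAMPLE):
        print(f"{reason}: {ev.interface} by {ev.image} ({ev.account}) at t={ev.time}")
```

The second finding matters on its own: even if the first registration was missed, a legitimate service registering an interface that another image already holds indicates the race was lost.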