Windows RPC Vulnerability CVE-2025-49760 Enables EPM Poisoning and Privilege Escalation Attacks
Cybersecurity experts have revealed fresh details about a now-patched flaw in Microsoft Windows Remote Procedure Call (RPC) that could allow attackers to spoof legitimate services and impersonate trusted servers.
The issue, tracked as CVE-2025-49760 with a CVSS score of 3.5, was described by Microsoft as a Windows Storage spoofing vulnerability. It was fixed in the July 2025 Patch Tuesday update. The findings were presented by SafeBreach researcher Ron Ben Yizhak at the DEF CON 33 security conference.
“External control of file name or path in Windows Storage allows an authorized attacker to perform spoofing over a network,” Microsoft’s advisory stated.
How Windows RPC and EPM Work
The Windows RPC protocol uses universally unique identifiers (UUIDs) and an Endpoint Mapper (EPM) to handle dynamic endpoints in client-server communication. The EPM maps an interface UUID to a server endpoint, similar to how DNS maps domain names to IP addresses.
The vulnerability enables an EPM poisoning attack, where an unprivileged attacker registers an interface belonging to a legitimate built-in service. This causes RPC clients to unknowingly connect to the attacker’s endpoint instead of the real service.
Attack Analogy: DNS Poisoning for RPC
EPM poisoning works much like DNS spoofing:
- Poison the EPM – Register a fake interface before the legitimate service does.
- Masquerade as a Legitimate RPC Server – Trick clients into connecting to the attacker.
- Manipulate RPC Clients – Force them to send data or authenticate to attacker-controlled servers.
- Escalate Privileges – Use stolen credentials in attacks like ESC8 Active Directory Certificate Services (AD CS) exploitation.
Research Findings
Ben Yizhak discovered that Windows did not prevent registering UUIDs belonging to core services, even if they were turned off or set to delayed start. This means:
- If a service is not running, an attacker can register its interface before it starts.
- Delayed-start services are vulnerable during system boot.
- Manual-start services are particularly at risk.
One example is exploiting the Storage Service (StorSvc.dll) and manipulating the Delivery Optimization Service (DoSvc.dll) to authenticate against a malicious SMB server, leaking NTLM hashes.
Full Attack Chain
- Schedule a Task to trigger when the current user logs in.
- Register the Storage Service Interface before the real service starts.
- Force Delivery Optimization to send an RPC request to the spoofed service.
- Call GetStorageDeviceInfo(), making it connect to an attacker’s SMB share.
- Capture NTLM Hashes from the machine account.
- Perform an ESC8 Attack by relaying these hashes to AD CS to request a Kerberos Ticket-Granting Ticket (TGT).
- Dump Domain Controller Secrets using tools like Certipy.
Additional Threats
SafeBreach noted EPM poisoning could also be used for:
- Adversary-in-the-Middle (AitM) Attacks – Forwarding client requests to legitimate services while intercepting data.
- Denial-of-Service (DoS) – Registering many fake interfaces to block legitimate connections.
Detection and Mitigation
Defenders can detect suspicious activity by:
- Monitoring RpcEpRegister calls.
- Using Event Tracing for Windows (ETW) to log RPC events.
- Implementing RPC server identity verification similar to SSL pinning.
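As an added example (not code from SafeBreach's research or from Microsoft), the following Python sketch shows the kind of detection logic the list above describes, run over constructed RpcEpRegister-style event records: it flags a protected interface UUID registered by a process that is not the service's expected image or security context (the poisoning case), and a burst of registrations from one process (the flooding case noted under Additional Threats). The UUIDs, image paths, event field names and thresholds are constructed placeholders, not the real StorSvc/DoSvc interface IDs or a real ETW event layout.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed baseline: interface UUID -> image path expected to register it.
# The UUID is a placeholder, not the real Storage Service interface ID.
PROTECTED_INTERFACES = {
    "11111111-1111-1111-1111-111111111111": r"C:\Windows\System32\svchost.exe",
}
EXPECTED_SID = "S-1-5-18"  # LocalSystem; built-in services register under it
BURST_THRESHOLD = 20       # registrations by one process before flagging a flood


@dataclass
class EpRegisterEvent:
    pid: int
    image: str
    user_sid: str
    interface_uuid: str


def parse_event(line: str) -> EpRegisterEvent:
    """Parse a constructed 'key=value ...' event line (not a real ETW format)."""
    fields = dict(part.split("=", 1) for part in line.split())
    return EpRegisterEvent(int(fields["pid"]), fields["image"], fields["sid"], fields["uuid"].lower())


def detect(lines):
    """Return alert strings for EPM poisoning and EPM flooding indicators."""
    alerts, per_pid = [], Counter()
    for line in lines:
        ev = parse_event(line)
        per_pid[ev.pid] += 1
        expected_image = PROTECTED_INTERFACES.get(ev.interface_uuid)
        # A protected interface registered from the wrong image or a non-SYSTEM
        # context is the signature of an unprivileged process pre-registering it.
        if expected_image and (ev.image.lower() != expected_image.lower() or ev.user_sid != EXPECTED_SID):
            alerts.append(f"possible EPM poisoning: pid {ev.pid} ({ev.image}, {ev.user_sid}) "
                          f"registered protected interface {ev.interface_uuid}")
    for pid, n in per_pid.items():
        if n >= BURST_THRESHOLD:
            alerts.append(f"possible EPM flooding: pid {pid} registered {n} interfaces")
    return alerts


# Constructed sample events: one benign registration, one spoofed, then a flood.
SAMPLE_EVENTS = [
    "pid=1204 image=C:\\Windows\\System32\\svchost.exe sid=S-1-5-18 uuid=11111111-1111-1111-1111-111111111111",
    "pid=4321 image=C:\\Users\\alice\\tool.exe sid=S-1-5-21-1-2-3-1001 uuid=11111111-1111-1111-1111-111111111111",
] + [f"pid=4321 image=C:\\Users\\alice\\tool.exe sid=S-1-5-21-1-2-3-1001 uuid={i:08x}-0000-0000-0000-000000000000"
     for i in range(20)]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```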
“The Endpoint Mapper doesn’t verify the identity of an RPC server,” Ben Yizhak warned. “Without verification, clients trust unknown sources, giving attackers full control over their actio