By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
World of SoftwareWorld of SoftwareWorld of Software
  • News
  • Software
  • Mobile
  • Computing
  • Gaming
  • Videos
  • More
    • Gadget
    • Web Stories
    • Trending
    • Press Release
Search
  • Privacy
  • Terms
  • Advertise
  • Contact
Copyright © All Rights Reserved. World of Software.
Reading: Researchers Detail Windows EPM Poisoning Exploit Chain Leading to Domain Privilege Escalation
Share
Sign In
Notification Show More
Font ResizerAa
World of SoftwareWorld of Software
Font ResizerAa
  • Software
  • Mobile
  • Computing
  • Gadget
  • Gaming
  • Videos
Search
  • News
  • Software
  • Mobile
  • Computing
  • Gaming
  • Videos
  • More
    • Gadget
    • Web Stories
    • Trending
    • Press Release
Have an existing account? Sign In
Follow US
  • Privacy
  • Terms
  • Advertise
  • Contact
Copyright © All Rights Reserved. World of Software.
World of Software > Computing > Researchers Detail Windows EPM Poisoning Exploit Chain Leading to Domain Privilege Escalation
Computing

Researchers Detail Windows EPM Poisoning Exploit Chain Leading to Domain Privilege Escalation

News Room
Last updated: 2025/08/10 at 9:24 AM
News Room Published 10 August 2025
Share
SHARE

Aug 10, 2025Ravie LakshmananVulnerability / Endpoint Security

Cybersecurity researchers have presented new findings related to a now-patched security issue in Microsoft’s Windows Remote Procedure Call (RPC) communication protocol that could be abused by an attacker to conduct spoofing attacks and impersonate a known server.

The vulnerability, tracked as CVE-2025-49760 (CVSS score: 3.5), has been described by the tech giant as a Windows Storage spoofing bug. It was fixed in July 2025 as part of its monthly Patch Tuesday update. Details of the security defect were shared by SafeBreach researcher Ron Ben Yizhak at the DEF CON 33 security conference this week.

“External control of file name or path in Windows Storage allows an authorized attacker to perform spoofing over a network,” the company said in an advisory released last month.

The Windows RPC protocol utilizes universally unique identifiers (UUIDs) and an Endpoint Mapper (EPM) to enable the use of dynamic endpoints in client-server communications, and connect an RPC client to an endpoint registered by a server.

The vulnerability essentially makes it possible to manipulate a core component of the RPC protocol and stage what’s called an EPM poisoning attack that allows unprivileged users to pose as a legitimate, built-in service with the goal of coercing a protected process to authenticate against an arbitrary server of an attacker’s choosing.

Given that the functioning of EPM is analogous to that of the Domain Name System (DNS) – it maps an interface UUID to an endpoint, just the DNS resolves a domain to an IP address – the attack plays out like DNS poisoning, in which a threat actor tampers with DNS data to redirect users to malicious websites –

  • Poison the EPM
  • Masquerade as a legitimate RPC Server
  • Manipulate RPC clients
  • Achieve local/domain privilege escalation via an ESC8 attack

“I was shocked to discover that nothing stopped me from registering known, built-in interfaces that belong to core services,” Ben Yizhak said in a report shared with The Hacker News. “I expected, for example, if Windows Defender had a unique identifier, no other process would be able to register it. But that was not the case.”

Cybersecurity

“When I tried registering an interface of a service that was turned off, its client connected to me instead. This finding was unbelievable—there were no security checks completed by the EPM. It connected clients to an unknown process that wasn’t even running with admin privileges.”

The crux of the attack hinges on finding interfaces that aren’t mapped to an endpoint, as well as those that could be registered right after the system boots by taking advantage of the fact that many services are set to “delayed start” for performance reasons, and make the boot process faster.

In other words, any service with a manual startup is a security risk, as the RPC interface wouldn’t be registered on boot, effectively making it susceptible to a hijack by allowing an attacker to register an interface before the original service does.

SafeBreach has also released a tool called RPC-Racer that can be used to flag insecure RPC services (e.g., the Storage Service or StorSvc.dll) and manipulate a Protected Process Light (PPL) process (e.g., the Delivery Optimization service or DoSvc.dll) to authenticate the machine account against any server selected by the attacker.

The PPL technology ensures that the operating system only loads trusted services and processes, and safeguards running processes from termination or infection by malicious code. It was introduced by Microsoft with the release of Windows 8.1.

At a high level, the entire attack sequence is as follows –

  • Create a scheduled task that will be executed when the current user logs in.
  • Register the interface of the Storage Service
  • Trigger the Delivery Optimization service to send an RPC request to the Storage Service, resulting in it connecting to the attacker’s dynamic endpoint
  • Call the method GetStorageDeviceInfo(), which causes the Delivery Optimization service to receive an SMB share to a rogue server set up by the attacker
  • The Delivery Optimization service authenticates with the malicious SMB server with the machine account credentials, leaking the NTLM hash
  • Stage an ESC8 attack to relay the coerced NTLM hashes to the web-based certificate enrollment services (AD CS) and achieve privilege escalation
Identity Security Risk Assessment

To accomplish this, an offensive open-source tool like Certipy can be used to request a Kerberos Ticket-Granting Ticket (TGT) using the certificate generated by passing the NTLM information to the AD CS server, and then leverage it to dump all secrets from the domain controller.

SafeBreach said the EPM poisoning technique could be further expanded to conduct adversary-in-the-middle (AitM) and denial-of-service (DoS) attacks by forwarding the requests to the original service or registering many interfaces and denying the requests, respectively. The cybersecurity company also pointed out that there could be other clients and interfaces that are likely vulnerable to EPM poisoning.

To better detect these kinds of attacks, security products can monitor calls to RpcEpRegister and use Event Tracing for Windows (ETW), a security feature that logs events that are raised by user-mode applications and kernel-mode drivers.

“Just like SSL pinning verifies that the certificate is not only valid but uses a specific public key, the identity of an RPC server should be checked,” Ben Yizhak said.

“The current design of the endpoint mapper (EPM) doesn’t perform this verification. Without this verification, clients will accept data from unknown sources. Trusting this data blindly allows an attacker to control the client’s actions and manipulate it to the attacker’s will.”

Sign Up For Daily Newsletter

Be keep up! Get the latest breaking news delivered straight to your inbox.
By signing up, you agree to our Terms of Use and acknowledge the data practices in our Privacy Policy. You may unsubscribe at any time.
Share This Article
Facebook Twitter Email Print
Share
What do you think?
Love0
Sad0
Happy0
Sleepy0
Angry0
Dead0
Wink0
Previous Article The Best Hearing Aids for Seniors
Next Article Watch Community Shield Soccer: Livestream Liverpool vs. Crystal Palace From Anywhere
Leave a comment

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Stay Connected

248.1k Like
69.1k Follow
134k Pin
54.3k Follow

Latest News

Law Professor: Let Bereaved Families Delete Data To Stop AI ‘Digital Resurrection’
News
We found stuff AI is pretty good at
News
How to watch OpenAI’s GPT-5 announcement livestream today (updated)
News
Can an AI chatbot of Dr Karl change climate sceptics’ minds? He’s willing to give it a try
News

You Might also Like

Computing

Week in Review: Most popular stories on GeekWire for the week of Aug. 3, 2025

3 Min Read
Computing

Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models

4 Min Read
Computing

Debian 14 Eyes LoongArch CPU Support

2 Min Read
Computing

3 Ways to Easily Visualize Keras Machine Learning Models | HackerNoon

11 Min Read
//

World of Software is your one-stop website for the latest tech news and updates, follow us now to get the news that matters to you.

Quick Link

  • Privacy Policy
  • Terms of use
  • Advertise
  • Contact

Topics

  • Computing
  • Software
  • Press Release
  • Trending

Sign Up for Our Newsletter

Subscribe to our newsletter to get our newest articles instantly!

World of SoftwareWorld of Software
Follow US
Copyright © All Rights Reserved. World of Software.
Welcome Back!

Sign in to your account

Lost your password?