Cybersecurity researchers have revealed a significant flaw in Microsoft’s Windows Remote Procedure Call (RPC) protocol, which could be exploited by attackers to conduct spoofing attacks. The vulnerability, assigned CVE-2025-49760 and rated with a CVSS score of 3.5, was categorized as a Windows Storage spoofing bug and was patched in July 2025 during the monthly Patch Tuesday update. Ron Ben Yizhak from SafeBreach shared the findings at the DEF CON 33 security conference.
The vulnerability arises from how external control of file names or paths in Windows Storage allows an unauthorized attacker to spoof a server over a network. The Windows RPC protocol uses universally unique identifiers (UUIDs) and an Endpoint Mapper (EPM) to link clients with registered server endpoints. By manipulating this core component, an attacker can carry out an EPM poisoning attack, misleading a protected process into authenticating against a server of the attacker’s choice.
The EPM’s role is similar to that of the Domain Name System (DNS), which resolves domain names to IP addresses. Just as DNS can be poisoned, an attacker can poison the EPM, masquerade as a legitimate RPC server, manipulate RPC clients, and potentially escalate privileges through a known attack vector.
Ben Yizhak expressed surprise at the lack of preventive measures, stating that he could register the interfaces of built-in services without restriction, connecting clients to unauthorized processes, including services that weren’t even running. The success of such attacks relies on timing: the attacker’s process must register the interface before the legitimate service does.
SafeBreach introduced a tool named RPC-Racer to identify insecure RPC services, highlighting the risk of using dynamic RPC services that aren’t well-protected. An advanced attack process could involve creating a scheduled task upon user login that connects the Delivery Optimization service to the attacker’s endpoint, leading to credential theft.
Furthermore, the methods discussed could be adapted to perform more severe attacks such as adversary-in-the-middle (AitM) or denial-of-service (DoS) attacks by manipulating requests sent to legitimate services.
To mitigate the risk posed by EPM poisoning, it’s recommended that security tools monitor RPC registrations and employ logging features available in Windows. Ben Yizhak argued for better verification mechanisms to ensure that RPC clients trust only legitimate data sources, emphasizing the critical need for improved security designs in widely used protocols like Windows RPC.
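As an added illustration (not code from SafeBreach, RPC-Racer or the article), the following models the first-come EPM registration the article describes and the registration monitoring it recommends: replayed registration events are run through a first-registrant-wins table, and any well-known interface whose winning registrant is not the expected binary is flagged. The interface UUID, process ids, timestamps and image paths are constructed placeholders, and the real EPM lives in the RPC subsystem service, not in a Python dictionary.

```python
"""Model of first-come RPC Endpoint Mapper (EPM) registration plus a detector
for EPM-poisoning style collisions. All identifiers below are constructed."""
from dataclasses import dataclass

# Constructed placeholder, NOT the real Delivery Optimization interface UUID.
IFACE = "11111111-2222-3333-4444-555555555555"
SVCHOST = r"c:\windows\system32\svchost.exe"

# Expected owner (image path) of each well-known interface we care about.
EXPECTED_OWNER = {IFACE: SVCHOST}


@dataclass
class Registration:
    ts: float          # seconds since boot (constructed)
    iface_uuid: str    # interface UUID the process registered
    pid: int
    image: str         # image path of the registering process


class EndpointMapper:
    """First registration wins: a client asking for an interface UUID is
    handed whichever endpoint was registered first, as the article describes."""

    def __init__(self):
        self.table = {}  # iface_uuid -> winning Registration

    def register(self, reg):
        self.table.setdefault(reg.iface_uuid, reg)

    def resolve(self, iface_uuid):
        return self.table.get(iface_uuid)


def detect_poisoning(events, expected=EXPECTED_OWNER):
    """Replay registration events (e.g. from RPC registration logging) in time
    order and return (iface_uuid, winning_image, expected_image) for every
    monitored interface whose winning registrant is not the expected binary."""
    epm = EndpointMapper()
    for ev in sorted(events, key=lambda e: e.ts):
        epm.register(ev)
    alerts = []
    for uuid, exp_image in expected.items():
        winner = epm.resolve(uuid)
        if winner is not None and winner.image.lower() != exp_image.lower():
            alerts.append((uuid, winner.image, exp_image))
    return alerts


# Constructed sample: an unexpected process registers the interface at logon,
# 0.4 s before the legitimate service host does, so it wins the race.
ROGUE = r"c:\users\alice\appdata\local\temp\rogue.exe"
SAMPLE_EVENTS = [
    Registration(12.3, IFACE, 4242, ROGUE),
    Registration(12.7, IFACE, 1180, r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for uuid, got, exp in detect_poisoning(SAMPLE_EVENTS):
        print(f"EPM poisoning suspected for {uuid}: {got} registered before {exp}")
```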