

Ethical Hacking News

A Critical Windows Vulnerability Exposed: The RPC EPM Poisoning Exploit Chain


Researchers have disclosed a previously unknown vulnerability in Microsoft's Windows Remote Procedure Call (RPC) communication protocol. The vulnerability, known as "Windows EPM poisoning," allows an attacker to impersonate a legitimate server and manipulate client behavior. Organizations running Windows systems are urged to prioritize patching it as soon as possible.

  • SafeBreach researcher Ron Ben Yizhak discovered a previously unknown vulnerability in Microsoft's Windows Remote Procedure Call (RPC) protocol, tracked as CVE-2025-49760.
  • The vulnerability, dubbed "Windows EPM poisoning," allows an attacker to manipulate the Endpoint Mapper (EPM) and register known interfaces belonging to core services.
  • An authorized attacker can use this vulnerability to conduct spoofing attacks, impersonate a known server, and exploit NTLM hashes for privilege escalation.
  • The vulnerability, described as a Windows Storage spoofing bug, arises because Microsoft's implementation enforced no security checks on interface registration.
  • Patching the vulnerability is crucial, and organizations are urged to prioritize patching as soon as possible.

    At the DEF CON 33 security conference, SafeBreach researcher Ron Ben Yizhak presented a previously unknown vulnerability in Microsoft's Windows Remote Procedure Call (RPC) communication protocol. The vulnerability, tracked as CVE-2025-49760, has been rated with a CVSS score of 3.5 and could be exploited by an attacker to conduct spoofing attacks and impersonate a known server.

    The vulnerability, which SafeBreach dubbed "Windows EPM poisoning," arises from the way the Endpoint Mapper (EPM) handles universally unique identifiers (UUIDs). The EPM is used by the Windows RPC protocol to support dynamic endpoints in client-server communications. In essence, it serves as an intermediary that maps an interface UUID to a specific endpoint, much as the Domain Name System (DNS) resolves a domain name to an IP address.

    According to Ben Yizhak's findings, which were presented at DEF CON 33, an authorized attacker can manipulate the EPM to register known interfaces belonging to core services. This is possible because the registration process, where the Windows Storage spoofing bug lies, enforced no security checks.

    When Ben Yizhak attempted to register an interface for the Windows Defender service, which is normally only accessible with administrative privileges, he discovered that nothing barred him from registering it. Consequently, when a legitimate user connected to this registered interface, they were instead redirected to an unknown process that was not even running with admin rights.

    The attacker can further exploit this vulnerability by creating a scheduled task that is triggered when the current user logs in and then registers interfaces belonging to core services such as the Storage Service and the Delivery Optimization service. The goal is to trigger the Delivery Optimization service to send an RPC request to the Storage Service, which ultimately connects to an endpoint registered by the attacker.

    Once this endpoint connection is established, the Delivery Optimization service authenticates with the malicious SMB server set up by the attacker using machine account credentials, thereby leaking NTLM hashes. The compromised NTLM hash is then used in conjunction with a certificate generated through Certipy, an open-source tool, to request a Kerberos Ticket-Granting Ticket (TGT) from the AD CS server.

    With this TGT, the malicious process can relay coerced NTLM hashes to the web-based certificate enrollment services and achieve privilege escalation. SafeBreach has also identified potential avenues for further attacks using the EPM poisoning technique, including adversary-in-the-middle (AitM) and denial-of-service (DoS) attacks.

    To defend against this vulnerability, security products can be configured to monitor calls to RpcEpRegister using Event Tracing for Windows (ETW), the Windows facility that logs events raised by user-mode applications and kernel-mode drivers. This would help detect EPM poisoning attempts in real time.
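    As an added illustration of that detection approach (not code from SafeBreach or from this article), the following Python sketch applies the same check to interface-registration records: it keeps a baseline of which process and account is expected to register each core-service interface UUID and flags registrations that deviate. The event fields, file paths and UUIDs are constructed placeholders, not the real ETW schema or real Windows interface identifiers.

```python
# Toy EPM poisoning detector (added example). Event fields, paths and UUIDs are
# constructed placeholders, not the real ETW schema or real Windows interface IDs.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed per-host baseline: interface UUID -> (expected image, expected account).
EXPECTED_REGISTRANTS = {
    "11111111-2222-3333-4444-555555555555": (r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM"),  # "Storage Service" stand-in
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": (r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\NETWORK SERVICE"),  # "Delivery Optimization" stand-in
}

@dataclass(frozen=True)
class EpRegisterEvent:  # one RpcEpRegister call as a tracing pipeline might surface it
    pid: int
    image_path: str
    account: str
    interface_uuid: str

def classify(event: EpRegisterEvent) -> Optional[str]:
    """Return why a registration is suspicious, or None if it matches the baseline."""
    expected = EXPECTED_REGISTRANTS.get(event.interface_uuid.lower())
    if expected is None:
        return None  # not a baselined core-service interface; nothing to compare
    exp_image, exp_account = expected
    reasons = []
    if event.image_path.lower() != exp_image.lower():
        reasons.append("unexpected image " + event.image_path)
    if event.account.lower() != exp_account.lower():
        reasons.append("unexpected account " + event.account)
    return "; ".join(reasons) or None

def detect(events: List[EpRegisterEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, interface_uuid, reason) for every registration that deviates."""
    return [(ev.pid, ev.interface_uuid.lower(), reason)
            for ev in events if (reason := classify(ev))]

# Constructed sample: a legitimate registration, an unrelated interface, and a
# core-service interface registered from a user process (the poisoning pattern).
SAMPLE_EVENTS = [
    EpRegisterEvent(812, r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM",
                    "11111111-2222-3333-4444-555555555555"),
    EpRegisterEvent(4020, r"C:\Program Files\App\app.exe", r"CONTOSO\alice",
                    "99999999-9999-9999-9999-999999999999"),
    EpRegisterEvent(5124, r"C:\Users\alice\AppData\Local\Temp\unknown.exe",
                    r"CONTOSO\alice", "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"),
]

if __name__ == "__main__":
    for pid, uuid, reason in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} interface={uuid}: {reason}")
```

    The baseline must be built from the host's own healthy services; registrations for interfaces that are not yet running (manual-start services) are exactly the ones worth comparing.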

    "Just like SSL pinning verifies that the certificate is not only valid but uses a specific public key, the identity of an RPC server should be checked," said Ben Yizhak. "The current design of the endpoint mapper (EPM) doesn't perform this verification. Without this verification, clients will accept data from unknown sources. Trusting this data blindly allows an attacker to control the client's actions and manipulate them to their will."

    In light of these findings, organizations running Windows systems are urged to prioritize patching this vulnerability as soon as possible. Moreover, it is advised that security products be equipped to monitor EPM activity in real time.

    To better safeguard against such exploits, users should ensure that all services set to manual startup are configured with appropriate permissions, so that sensitive services cannot be hijacked by attackers.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-Windows-Vulnerability-Exposed-The-RPC-EPM-Poisoning-Exploit-Chain-ehn.shtml

  • Published: Sun Aug 10 09:01:34 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.