Exploit Chain for Windows EPM Poisoning: A Researcher’s Guide to Achieving Domain Privilege Escalation

Cybersecurity researchers have unveiled critical findings regarding a now-patched security vulnerability in Microsoft’s Windows Remote Procedure Call (RPC) communication protocol. This vulnerability, tracked as CVE-2025-49760 with a CVSS score of 3.5, has been identified as a Windows Storage spoofing bug. It was addressed in July 2025 during Microsoft’s monthly Patch Tuesday update. SafeBreach researcher Ron Ben Yizhak presented the details of this security defect at the DEF CON 33 security conference. The advisory released by Microsoft indicated that “external control of file name or path in Windows Storage allows an authorized attacker to perform spoofing over a network.” The vulnerability enables attackers to manipulate a core component of the RPC protocol, facilitating EPM poisoning attacks that allow unprivileged users to impersonate legitimate services and coerce protected processes into authenticating against arbitrary servers.

The Windows RPC protocol employs universally unique identifiers (UUIDs) and an Endpoint Mapper (EPM) to facilitate dynamic endpoint usage in client-server communications. This functionality is akin to the Domain Name System (DNS), which maps domain names to IP addresses. The attack resembles DNS poisoning, where threat actors tamper with DNS data to redirect users to malicious sites. Ben Yizhak expressed astonishment at the lack of security checks within the EPM, stating that he could register known, built-in interfaces belonging to core services without restriction. He noted that when attempting to register an interface of a service that was turned off, its client connected to him instead. This vulnerability highlights the risks associated with services set to “delayed start,” as attackers can register interfaces before the original services do, making them susceptible to hijacking. SafeBreach has also released a tool to further investigate this vulnerability. 
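The lookup and the delayed-start race described above, as an added teaching model that is not part of the original article or SafeBreach's tool: a small Python endpoint map where "first registrant wins", beside the same map with a registration-ownership check. The UUID, pipe names and owner identities are constructed placeholders, and the ownership policy is an assumed illustration, not Microsoft's actual fix.

```python
"""Constructed model of an RPC endpoint mapper (interface UUID -> endpoint).
Not the Windows EPM: it shows why a map with no registration checks is hijackable
when the legitimate service starts late, and what an owner check changes."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Registration:
    endpoint: str   # where clients are told to connect (constructed pipe name)
    owner: str      # identity of the registering principal (assumed attribute)

@dataclass
class EndpointMapper:
    # interface UUID -> identity allowed to register it; only used when enforce=True
    expected_owner: dict = field(default_factory=dict)
    enforce: bool = False
    _table: dict = field(default_factory=dict)

    def register(self, if_uuid: str, endpoint: str, owner: str) -> Registration:
        if self.enforce:
            want = self.expected_owner.get(if_uuid)
            if want is not None and want != owner:
                raise PermissionError(f"{owner} may not register {if_uuid}")
        # first registrant wins: a later registration for the same UUID is ignored,
        # so a late-starting service cannot displace whoever registered first
        self._table.setdefault(if_uuid, Registration(endpoint, owner))
        return self._table[if_uuid]

    def resolve(self, if_uuid: str) -> Optional[str]:
        reg = self._table.get(if_uuid)
        return None if reg is None else reg.endpoint

STORAGE_IF = "00000000-0000-0000-0000-00000000c0de"  # placeholder, not a real interface UUID
SERVICE_EP, ROGUE_EP = r"\\.\pipe\storsvc", r"\\.\pipe\rogue"  # constructed names

def simulate(enforce: bool, service_first: bool) -> Optional[str]:
    """Endpoint a client resolves for STORAGE_IF under the given policy and start order."""
    epm = EndpointMapper({STORAGE_IF: "NT AUTHORITY\\SYSTEM"}, enforce)
    order = [(SERVICE_EP, "NT AUTHORITY\\SYSTEM"), (ROGUE_EP, "CONTOSO\\lowpriv")]
    if not service_first:          # delayed start: the low-privilege user registers first
        order.reverse()
    for endpoint, owner in order:
        try:
            epm.register(STORAGE_IF, endpoint, owner)
        except PermissionError:    # a rejected registration leaves the table untouched
            pass
    return epm.resolve(STORAGE_IF)
```

With `enforce=False` and the service starting late, clients resolve the rogue endpoint; with the owner check the same race resolves to the service's endpoint.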

Categories: Vulnerability Disclosure, Remote Procedure Call Security, Spoofing Attacks 

Tags: Cybersecurity, Microsoft, Windows, Remote Procedure Call, Vulnerability, Spoofing, Endpoint Mapper, EPM Poisoning, Privilege Escalation, Patch Tuesday 
