
Researchers have outlined a Windows EPM poisoning exploit sequence that can result in escalated privileges within a domain.

Cybersecurity researchers have unveiled critical findings regarding a now-patched security vulnerability in Microsoft’s Windows Remote Procedure Call (RPC) communication protocol. This vulnerability, tracked as CVE-2025-49760 with a CVSS score of 3.5, has been identified as a Windows Storage spoofing bug. It was addressed in July 2025 during Microsoft’s monthly Patch Tuesday update. SafeBreach researcher Ron Ben Yizhak presented the details of this security defect at the DEF CON 33 security conference. The advisory released by Microsoft indicated that “external control of file name or path in Windows Storage allows an authorized attacker to perform spoofing over a network.” The vulnerability enables attackers to manipulate a core component of the RPC protocol, facilitating EPM poisoning attacks that allow unprivileged users to impersonate legitimate services and coerce protected processes into authenticating against arbitrary servers.

The Windows RPC protocol uses universally unique identifiers (UUIDs) and an Endpoint Mapper (EPM) so that clients can locate servers on dynamically assigned endpoints. The EPM plays a role similar to the Domain Name System (DNS): it maps interface UUIDs to endpoints much as DNS resolves domain names to IP addresses. The vulnerability lets an attacker poison the EPM, masquerade as a legitimate RPC server and manipulate the RPC clients that look it up. Ben Yizhak expressed astonishment at the lack of security checks within the EPM, stating that he could register known, built-in interfaces belonging to core services without restriction. He noted that when he registered the interface of a service that was turned off, that service's client connected to him instead, revealing a significant security flaw. The attack targets interfaces that are not currently mapped to any endpoint and interfaces whose legitimate owner registers only after boot, which is why services configured for "delayed start" are at particular risk. SafeBreach has also released a tool to further investigate this vulnerability.
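To make the mechanism concrete, here is a constructed, simplified model of an endpoint mapper (added here as an illustration; it is not Windows' rpcss code, not SafeBreach's tool, and the owner allow-list used as the hardened variant is an assumption of the model, not Microsoft's actual fix). It shows that a mapper which accepts any registration lets a low-privileged caller claim a built-in interface UUID whose service has not started yet, so the service's client resolves to the rogue endpoint; binding registrations to an authorized owner closes that path.

```python
"""Simplified model of an RPC Endpoint Mapper (EPM) lookup table.
Constructed teaching example; UUIDs, bindings and account names are made up."""
from dataclasses import dataclass, field

# Constructed sample UUID standing in for a built-in service interface.
STORAGE_IFACE = "11111111-2222-3333-4444-555555555555"
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


@dataclass
class Endpoint:
    owner: str     # account that registered the mapping
    binding: str   # RPC string binding the client will connect to


@dataclass
class EndpointMapper:
    table: dict = field(default_factory=dict)
    # Hardened mode only: interface UUID -> account allowed to register it.
    # (Model assumption; the real fix is not described on this page.)
    authorized: dict = field(default_factory=dict)
    enforce: bool = False

    def register(self, iface, owner, binding):
        """Unchecked mode: any caller may map any interface UUID.
        Hardened mode: a UUID with a known owner is rejected for anyone else."""
        if self.enforce:
            allowed = self.authorized.get(iface)
            if allowed is not None and owner != allowed:
                return False
        self.table[iface] = Endpoint(owner, binding)
        return True

    def resolve(self, iface):
        """What an RPC client receives when it looks up the interface."""
        ep = self.table.get(iface)
        return None if ep is None else ep.binding


def poisoning_outcome(enforce):
    """Binding a client of the storage interface resolves to when the
    legitimate service has not registered yet (e.g. 'delayed start') and a
    low-privileged account registers the same UUID first."""
    epm = EndpointMapper(enforce=enforce)
    epm.authorized[STORAGE_IFACE] = SYSTEM_ACCOUNT
    epm.register(STORAGE_IFACE, "DOMAIN\\lowpriv", "ncacn_ip_tcp:rogue-host[4444]")
    return epm.resolve(STORAGE_IFACE)


def legitimate_outcome():
    """In hardened mode the real owner can still register normally."""
    epm = EndpointMapper(enforce=True, authorized={STORAGE_IFACE: SYSTEM_ACCOUNT})
    epm.register(STORAGE_IFACE, SYSTEM_ACCOUNT, "ncacn_np:\\\\host[\\pipe\\storsvc]")
    return epm.resolve(STORAGE_IFACE)
```

Run `poisoning_outcome(False)` to see the client steered to the rogue binding and `poisoning_outcome(True)` to see the lookup stay empty, because the registration was refused.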
