A newly disclosed vulnerability in Microsoft's Windows RPC Endpoint Mapper (EPM) – tracked as CVE-2025-49760 – exposes modern Windows environments to credential theft and privilege escalation that can be chained into Active Directory compromise. This flaw, uncovered by SafeBreach Labs, is notable not only for its stealth but for its ability to let attackers impersonate core system services, all without needing admin rights.
What Is EPM Poisoning?
Windows RPC relies on the Endpoint Mapper (EPM) to translate unique service IDs (UUIDs) into running service endpoints. Due to lax validation in EPM's registration process, a race condition lets unprivileged processes "win" and register a UUID before the rightful (privileged) service starts. Once won, any RPC traffic for that service is rerouted to the attacker's process. The dynamic closely resembles DNS poisoning, where users are silently redirected to malicious servers.
How The Attack Chain Works
- Scheduled Execution: The attacker sets up an automated task to run an exploit tool (like SafeBreach's RPC-Racer) at login or system boot.
- Preemptive Registration: Before delayed-start services (such as Storage Service) launch, the attacker's tool registers their own RPC endpoint under the service's UUID.
- Hijacking and Redirection: When privileged services (e.g., Delivery Optimization) query EPM, they're directed to the attacker's fake service.
- Credential Theft: The fake service returns a crafted path (such as an SMB share). When the privileged service tries to authenticate, it exposes machine account NTLM hashes.
- Active Directory Compromise: Through NTLM relay (ESC8 attack), those credentials allow the attacker to request certificates and eventually retrieve Kerberos TGTs, opening the door to full domain controller access.
Beyond The Demo: Broader Attack Scenarios
- Man-in-the-Middle for RPC: Intercept and alter sensitive communications between trusted Windows services.
- Privilege Escalation via File Operations: Masquerade as privileged file-service RPC endpoints to tamper with protected files.
- Service Impersonation: Steal credentials by posing as components like the Vault Service or Account Sign-In Assistant.
- Lateral Movement: Use hijacked credentials to pivot across hosts in the domain.
Why Is This Even Possible?
EPM simply accepts the first registration for any given UUID, regardless of process legitimacy. This gap is amplified by Windows' use of delayed-start services, giving attackers a consistent window to hijack vital RPC endpoints at every boot.
Mitigation Steps
Microsoft has released a patch for CVE-2025-49760 (July 8, 2025). Organizations should address the risk by:
- Applying the latest security updates to all affected Windows systems (including Windows 10, 11, Server 2016, 2022, 2025).
- Enforcing NTLM relay protections: Enable SMB signing and enforce LDAP channel binding.
- Minimizing exposed attack surface: Disable unnecessary RPC services and audit delayed-start settings.
- Restricting EPM access using RPC security policies for trusted processes only.
- Monitoring endpoint registrations and NTLM authentication for suspicious activity.
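To make the root cause and the monitoring step concrete, the following is an added Python model (not Windows code, not SafeBreach's tool, and not Microsoft's fix) of the first-registration-wins behaviour described under "Why Is This Even Possible?", a policy variant that binds a protected UUID to its expected owner SID, and an audit function of the kind the monitoring step above calls for. The UUID, SIDs and endpoint strings are constructed for the example.

```python
import uuid
from dataclasses import dataclass, field

# Constructed identifiers for the model; real interface UUIDs are not reproduced here.
STORAGE_SVC_UUID = uuid.UUID("11111111-2222-3333-4444-555555555555")  # hypothetical
SYSTEM_SID = "S-1-5-18"                                # LocalSystem, the rightful owner
LOW_PRIV_SID = "S-1-5-21-1000-2000-3000-1105"          # constructed standard-user SID
ATTACKER_EP = r"ncacn_np:[\pipe\attacker]"             # constructed endpoint strings
STORSVC_EP = r"ncacn_np:[\pipe\storsvc]"

@dataclass
class Registration:
    endpoint: str
    owner_sid: str

@dataclass
class VulnerableEpm:
    """Models the behaviour the article describes: first registration for a UUID wins."""
    table: dict = field(default_factory=dict)

    def register(self, iface: uuid.UUID, endpoint: str, caller_sid: str) -> bool:
        if iface in self.table:
            return False          # later (rightful) registrant is refused
        self.table[iface] = Registration(endpoint, caller_sid)
        return True

    def resolve(self, iface: uuid.UUID) -> str:
        return self.table[iface].endpoint

@dataclass
class HardenedEpm(VulnerableEpm):
    """Policy variant: a protected UUID may only be registered by its expected owner SID."""
    allowed_owner: dict = field(default_factory=dict)

    def register(self, iface: uuid.UUID, endpoint: str, caller_sid: str) -> bool:
        expected = self.allowed_owner.get(iface)
        if expected is not None and caller_sid != expected:
            return False          # unprivileged caller cannot claim a privileged service's UUID
        return super().register(iface, endpoint, caller_sid)

def replay_boot(epm: VulnerableEpm) -> VulnerableEpm:
    """Boot-time ordering from the article: the low-privilege task registers before the
    delayed-start service does. Returns the mapper so its state can be inspected."""
    epm.register(STORAGE_SVC_UUID, ATTACKER_EP, LOW_PRIV_SID)
    epm.register(STORAGE_SVC_UUID, STORSVC_EP, SYSTEM_SID)
    return epm

def audit(epm: VulnerableEpm, expected_owner: dict) -> list:
    """Monitoring view: UUIDs whose current registrant is not the expected service identity."""
    return [str(i) for i, reg in epm.table.items()
            if i in expected_owner and reg.owner_sid != expected_owner[i]]
```

On the vulnerable mapper `replay_boot` leaves the attacker's endpoint registered and `audit` flags the UUID; on the policy variant the early registration is refused and the legitimate service's endpoint is the one resolved.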
Security Takeaway
Despite its low CVSS score (3.5), EPM Poisoning packs high-impact potential for enterprise environments, especially those running Active Directory Certificate Services. The attack is stealthy, exploits race conditions during boot, and can be chained for full domain compromise. Prioritize patching and monitoring to defend against this threat.
References:
- SafeBreach Labs: You Snooze, You Lose: Winning RPC Endpoints
- Microsoft Security Update Guide: CVE-2025-49760
mine2 team
The MINE2 team consists of cybersecurity experts, researchers, and engineers dedicated to advancing threat detection and cyber deception technologies.