A now-patched vulnerability in Microsoft's Windows Remote Procedure Call (RPC) communication protocol, tracked as CVE-2025-49760, can be exploited to conduct spoofing attacks. The Windows Storage spoofing bug lets an attacker who is already authenticated to the system manipulate the protocol's Endpoint Mapper in what the researcher calls an EPM poisoning attack: the attacker registers as a legitimate, built-in service and coerces processes into authenticating against a server of the attacker's choosing. Microsoft fixed the flaw in July 2025; the details were presented by a researcher at DEF CON 33. The attack abuses the dynamic endpoint mechanism that RPC clients rely on to locate the service they want to talk to.
"External control of file name or path in Windows Storage allows an authorized attacker to perform spoofing over a network," the company said in an advisory released last month.
The vulnerability makes it possible to manipulate a core component of the RPC protocol and stage what's called an EPM poisoning attack, in which an unprivileged user poses as a legitimate, built-in service.
"I was shocked to discover that nothing stopped me from registering known, built-in interfaces that belong to core services," Ben Yizhak said in a report.
The Windows RPC protocol utilizes universally unique identifiers (UUIDs) and an Endpoint Mapper (EPM) to enable the use of dynamic endpoints in client-server communications. A server identifies the interface it implements by UUID and registers that UUID, together with the endpoint (for example a TCP port) it is listening on, with the EPM; a client that only knows the interface UUID asks the EPM to resolve it to an endpoint before connecting, so whatever the EPM returns is where the client sends its traffic.
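How that lookup works on the wire, as an added example that is not part of the original article or the researcher's tooling: the Python below encodes and decodes the DCE RPC "protocol tower" that an ept_map request and response carry for an ncacn_ip_tcp endpoint (interface floor, NDR transfer-syntax floor, RPC protocol floor, TCP port floor, IPv4 host floor), and pairs it with a toy in-memory model of the EPM database in which registration is never checked against who owns the interface. The interface UUID, process names, hosts and ports are constructed for the example, and the model's rule that the earliest registration is returned is a simplification for illustration, not a description of the Windows implementation.

```python
"""EPM protocol-tower encoder/decoder plus a toy model of endpoint
registration. Constructed example; the UUID, hosts and ports are made up."""
import struct
import uuid

# Floor protocol identifiers from the DCE RPC tower encoding.
PROTO_UUID = 0x0D    # floor carries an interface or transfer-syntax UUID + version
PROTO_RPC_CO = 0x0B  # connection-oriented RPC
PROTO_TCP = 0x07     # TCP port
PROTO_IP = 0x09      # IPv4 host address

# NDR transfer syntax: always floor 2 of an ncacn_ip_tcp tower.
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
NDR_VERSION = (2, 0)


def _floor(lhs: bytes, rhs: bytes) -> bytes:
    """Each floor is <u16 lhs_len><lhs><u16 rhs_len><rhs>, lengths little-endian."""
    return struct.pack("<H", len(lhs)) + lhs + struct.pack("<H", len(rhs)) + rhs


def _uuid_floor(u: uuid.UUID, version: tuple) -> bytes:
    # UUIDs inside towers use the little-endian (NDR) field order.
    major, minor = version
    lhs = bytes([PROTO_UUID]) + u.bytes_le + struct.pack("<H", major)
    return _floor(lhs, struct.pack("<H", minor))


def encode_tower(iface: uuid.UUID, version: tuple, host: str, port: int) -> bytes:
    """Build the 5-floor tower ept_map exchanges for an ncacn_ip_tcp endpoint."""
    floors = [
        _uuid_floor(iface, version),
        _uuid_floor(NDR_UUID, NDR_VERSION),
        _floor(bytes([PROTO_RPC_CO]), struct.pack("<H", 0)),
        _floor(bytes([PROTO_TCP]), struct.pack(">H", port)),  # port is big-endian
        _floor(bytes([PROTO_IP]), bytes(int(o) for o in host.split("."))),
    ]
    return struct.pack("<H", len(floors)) + b"".join(floors)


def decode_tower(data: bytes) -> dict:
    """Parse a tower back into interface UUID, version, host and port."""
    (count,) = struct.unpack_from("<H", data, 0)
    off = 2
    floors = []
    for _ in range(count):
        (lhs_len,) = struct.unpack_from("<H", data, off)
        off += 2
        lhs = data[off:off + lhs_len]
        off += lhs_len
        (rhs_len,) = struct.unpack_from("<H", data, off)
        off += 2
        rhs = data[off:off + rhs_len]
        off += rhs_len
        floors.append((lhs, rhs))
    if off != len(data) or count != 5:
        raise ValueError("malformed tower")
    lhs, rhs = floors[0]
    if lhs[0] != PROTO_UUID or len(lhs) != 19:
        raise ValueError("floor 1 is not an interface floor")
    iface = uuid.UUID(bytes_le=lhs[1:17])
    version = (struct.unpack("<H", lhs[17:19])[0], struct.unpack("<H", rhs)[0])
    if floors[3][0] != bytes([PROTO_TCP]) or floors[4][0] != bytes([PROTO_IP]):
        raise ValueError("not an ncacn_ip_tcp tower")
    (port,) = struct.unpack(">H", floors[3][1])
    host = ".".join(str(b) for b in floors[4][1])
    return {"interface": iface, "version": version, "host": host, "port": port}


class EndpointMapper:
    """Toy model of the EPM database (interface UUID -> registered towers).
    Registration takes any caller's word for which interface it serves; this
    is the property the page describes, the lookup rule is a simplification."""

    def __init__(self):
        self._db = {}

    def register(self, registrant: str, tower: bytes) -> None:
        key = decode_tower(tower)["interface"]
        self._db.setdefault(key, []).append((registrant, tower))

    def map(self, iface: uuid.UUID):
        entries = self._db.get(iface)
        return entries[0] if entries else None  # earliest registration (model)


# Constructed interface UUID standing in for a built-in service's interface.
DEMO_IFACE = uuid.UUID("0fa1e8d0-3b9f-4c7e-9a11-5d2c4e6f8a01")


def poisoning_demo():
    """A rogue process registers the interface before the real service does;
    a client resolving the UUID is handed the rogue endpoint."""
    epm = EndpointMapper()
    epm.register("rogue.exe", encode_tower(DEMO_IFACE, (1, 0), "10.0.0.99", 4444))
    epm.register("svchost.exe", encode_tower(DEMO_IFACE, (1, 0), "10.0.0.5", 49665))
    who, tower = epm.map(DEMO_IFACE)
    ep = decode_tower(tower)
    return who, ep["host"], ep["port"]


if __name__ == "__main__":
    print(poisoning_demo())
```

The point to take away is that a successful ept_map tells the client where an endpoint is, not who is listening there; whatever the client does next (connect, and in the case the article describes, authenticate) is directed at the address the registrant chose. Detection-wise, a registration of a well-known built-in interface UUID by a process other than the service that owns it is the observable event.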