Recon 2026

IRON GIANT: When The Vault Becomes The Victim
Language: English

The Local Security Authority Subsystem Service (LSASS) sits at the core of Windows security, handling critical functions like authentication, credential management, and security policy enforcement. Despite the sensitive nature of the data it guards, the LSASS exposes a surprisingly wide attack surface through various legacy and modern interfaces. This talk presents the results of a comprehensive research campaign targeting three distinct vectors against this "Iron Giant".
First, we examine the Security Support Provider Interface (SSPI). Applications rely on SSPI for security features such as authentication, and use the interface to send requests to the LSASS. This exposes a large attack surface to malicious local applications and has been the source of several security vulnerabilities over the years. We will dissect the architecture of these providers and reveal several new memory corruption vulnerabilities.

Second, we explore the risks of the LSASS acting as a client. Server applications often trigger outgoing connections in scenarios that are frequently overlooked. We will demonstrate how forcing a target server to connect to a malicious endpoint exposes the SSPI client handshake code to attack. The presentation will detail these connection triggers and unveil two new Denial of Service (DoS) bugs that allow unauthenticated attackers to exhaust server resources.

Finally, we target the Remote Procedure Call (RPC) interfaces exposed within domain networks. While many of the RPC endpoints require authentication, several remain exposed to anonymous or unprivileged users. We will analyze these open interfaces and deep-dive into CVE-2025-33056, a logic vulnerability that allows unprivileged accounts to modify LSA database permissions.

In summary, we will map the diverse vulnerability surface that the LSASS exposes in modern environments, covering five distinct findings: two local memory corruptions, two remote DoS primitives, and one reliable remote Elevation of Privilege. Ultimately, we demonstrate that even the most hardened process in Windows can still be toppled if you know exactly where to push.