CVE Record
[ HIGH ] CVE-2021-34527

PrintNightmare — Windows Print Spooler Remote Code Execution

A remote-code-execution vulnerability in the Windows Print Spooler service allows an authenticated attacker to run arbitrary code with SYSTEM privileges, or a domain-authenticated attacker to compromise a domain controller, by abusing the spooler's remote printer-driver installation functionality.

cat cve-2021-34527.json
Vendor: Microsoft
Product: Windows Print Spooler
CVSS: 8.8
Status: kev
Published

CVE-2021-34527, dubbed “PrintNightmare,” is a remote-code-execution flaw in the Windows Print Spooler service, which runs by default, typically with SYSTEM privileges, on nearly every Windows machine, including domain controllers. It came to light after researchers accidentally published proof-of-concept exploit details while a related, distinct spooler bug (CVE-2021-1675) was still being patched by Microsoft, forcing an emergency out-of-band advisory on July 1, 2021.

Why it mattered

The Print Spooler service’s remote printer-driver-installation capability could be abused by an authenticated attacker — including, critically, a low-privileged domain user — to install a malicious driver and execute code as SYSTEM. On a domain controller, where the spooler service commonly runs, this translated to a path to full domain compromise.

Microsoft’s initial patch was incomplete, and further point-in-time bypasses were reported for months afterward, leading many security teams to simply disable the Print Spooler service entirely on servers where printing wasn’t required, in line with Microsoft’s own guidance for high-security environments. The vulnerability was added to CISA’s KEV catalog given confirmed active exploitation. Full patch and mitigation guidance is in Microsoft’s security advisory and the NVD entry.
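
The following PowerShell audit is an added example, not taken from Microsoft's advisory or from this page. It reports whether the Print Spooler is enabled on the local host and, with the hypothetical `-Remediate` switch, stops and disables it. It assumes that a host sharing no printers does not need the service; local printing also stops once the spooler is disabled.

```powershell
# Added example: audit the Print Spooler service and optionally disable it.
# Assumption: a host that shares no printers does not need the spooler.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate   # hypothetical switch: stop and disable the service
)

function Get-SpoolerExposure {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    if (-not $svc) {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Installed = $false }
    }
    # Get-Printer needs a running spooler; a stopped spooler serves no printers.
    $shared = @()
    if ($svc.State -eq 'Running') {
        $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object Shared)
    }
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Installed      = $true
        State          = $svc.State
        StartMode      = $svc.StartMode
        RunsAs         = $svc.StartName
        SharedPrinters = $shared.Count
        IsDC           = $role -in 4, 5
    }
}

$report = Get-SpoolerExposure
$report

# Enabled means running now, or able to start again (StartMode not Disabled).
$enabled = $report.Installed -and
           ($report.State -eq 'Running' -or $report.StartMode -ne 'Disabled')

if ($enabled -and $report.SharedPrinters -eq 0) {
    Write-Warning "Spooler is enabled on $($report.Computer) but no printers are shared."
    if ($report.IsDC) {
        Write-Warning 'Host is a domain controller: spooler compromise here leads to domain compromise.'
    }
    if ($Remediate -and $PSCmdlet.ShouldProcess($report.Computer, 'Stop and disable Spooler')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}
```

Run it without arguments for a read-only report; `-Remediate -WhatIf` shows the change without applying it.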