PrintNightmare — Windows Print Spooler Remote Code Execution
A remote-code-execution vulnerability in the Windows Print Spooler service allows an authenticated attacker to run arbitrary code with SYSTEM privileges, or a domain-authenticated attacker to compromise a domain controller, by abusing the spooler's remote printer-driver installation functionality.
- Vendor: Microsoft
- Product: Windows Print Spooler
- CVSS: 8.8
- Status: KEV
- Published
CVE-2021-34527, dubbed “PrintNightmare,” is a remote-code-execution flaw in the Windows Print Spooler service, which runs by default (typically with SYSTEM privileges) on nearly every Windows machine, including domain controllers. It came to light after researchers accidentally published proof-of-concept exploit details while a related, distinct spooler bug (CVE-2021-1675) was still being patched by Microsoft, forcing an emergency out-of-band advisory on July 1, 2021.
Why it mattered
The Print Spooler service’s remote printer-driver-installation capability could be abused by an authenticated attacker — including, critically, a low-privileged domain user — to install a malicious driver and execute code as SYSTEM. On a domain controller, where the spooler service commonly runs, this translated to a path to full domain compromise.
Microsoft’s initial patch was incomplete, and further bypasses were reported for months afterward, leading many security teams to simply disable the Print Spooler service entirely on servers where printing wasn’t required, which was also Microsoft’s own guidance for high-security environments. The vulnerability was added to CISA’s KEV catalog given confirmed active exploitation. Full patch and mitigation guidance is in Microsoft’s security advisory and at the NVD link above.
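One way to audit the mitigation described above, disabling the spooler where printing isn't required, with domain controllers flagged first. This PowerShell is an added example, not Microsoft's guidance or code from the advisory; the function name `Get-SpoolerExposure`, its parameters and its output fields are hypothetical, and remote hosts are assumed to be reachable over CIM/WS-Man.

```powershell
# Added example; function, parameter and output property names are assumptions.
function Get-SpoolerExposure {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [switch]$Disable   # stop the service and set its start mode to Disabled
    )
    process {
        foreach ($computer in $ComputerName) {
            # Query the local machine directly; use WS-Man only for remote hosts.
            $target = @{}
            if ($computer -ne $env:COMPUTERNAME) { $target.ComputerName = $computer }
            $filter = "Name='Spooler'"
            try {
                $svc = Get-CimInstance -ClassName Win32_Service -Filter $filter @target -ErrorAction Stop
                $sys = Get-CimInstance -ClassName Win32_ComputerSystem @target -ErrorAction Stop
            } catch {
                Write-Warning "$computer : query failed: $($_.Exception.Message)"
                continue
            }
            if (-not $svc) { Write-Warning "$computer : Spooler service not found"; continue }

            $exposed = ($svc.State -eq 'Running') -or ($svc.StartMode -ne 'Disabled')
            if ($Disable -and $exposed -and
                $PSCmdlet.ShouldProcess($computer, 'Stop and disable Print Spooler')) {
                if ($svc.State -eq 'Running') {
                    $null = Invoke-CimMethod -InputObject $svc -MethodName StopService @target
                }
                $null = Invoke-CimMethod -InputObject $svc -MethodName ChangeStartMode `
                    -Arguments @{ StartMode = 'Disabled' } @target
                # Re-query so the report shows the real state if a stop was refused.
                $svc = Get-CimInstance -ClassName Win32_Service -Filter $filter @target
                $exposed = ($svc.State -eq 'Running') -or ($svc.StartMode -ne 'Disabled')
            }
            [pscustomobject]@{
                ComputerName       = $computer
                # DomainRole 4 and 5 are backup and primary domain controllers.
                IsDomainController = $sys.DomainRole -ge 4
                State              = $svc.State
                StartMode          = $svc.StartMode
                Exposed            = $exposed
            }
        }
    }
}

# Report only; add -Disable (optionally with -WhatIf) to remediate.
Get-SpoolerExposure | Sort-Object IsDomainController -Descending | Format-Table
```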
