{"id":2737,"date":"2021-07-05T12:10:19","date_gmt":"2021-07-05T10:10:19","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=2737"},"modified":"2026-06-08T22:48:18","modified_gmt":"2026-06-08T22:48:18","slug":"printnightmare-critical-vulnerability","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/printnightmare-critical-vulnerability\/","title":{"rendered":"Critical vulnerability: PrintNightmare"},"content":{"rendered":"\n<p style=\"text-align: justify\">At the end of June, a new vulnerability affecting the Windows Print Spooler (<strong>CVE-2021-1675<\/strong>) was discovered, which permitted arbitrary code execution with administrative privileges (<strong>Local Privilege Escalation<\/strong>). On 1 July 2021, following publications by two research teams, Microsoft released an advisory on vulnerability <strong>CVE-2021-34527<\/strong>, through which it is possible not only to execute code with administrative privileges, but also to execute code remotely (<strong>Remote Code Execution<\/strong>).<\/p>\n<p style=\"text-align: justify\">The new vulnerability was named <strong>PrintNightmare<\/strong> and <strong>affects all Windows systems (Server and PC) with the Print Spooler service active<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Threat Details<\/h2>\n\n\n\n<p style=\"text-align: justify\">To exploit the vulnerability, an attacker must possess valid credentials for an account or already be authenticated.<\/p>\n<p style=\"text-align: justify\">The vulnerability involves the use of the <code><strong>RpcAddPrinterDriverEx<\/strong><\/code> function by the Windows <strong>Print Spooler<\/strong> service, which fails to restrict access to administrative users only.<\/p>\n<p style=\"text-align: justify\">The <code><strong>RpcAddPrinterDriverEx<\/strong><\/code> function is used to install a printer driver on a system. One of the function&#8217;s parameters is the <code><strong>DRIVER_CONTAINER<\/strong><\/code> object, which contains information about which driver should be used by the added printer. The other argument is <code><strong>dwFileCopyFlags<\/strong><\/code> and specifies how the new printer driver replacement files should be copied. An attacker can exploit the ability that every authenticated user has to call the <code><strong>RpcAddPrinterDriverEx<\/strong><\/code> function and specify a file residing on a remote server. In this way, the Print Spooler service, <code><strong>spoolsv.exe<\/strong><\/code>, will execute code present in an arbitrary DLL file with <strong>SYSTEM<\/strong> privileges. Our <a href=\"https:\/\/fortgale.com\/en\/cybersecurity-advisory\/\">Cybersecurity Advisory<\/a> team has tracked multiple exploitation attempts leveraging this attack chain across enterprise environments.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Mitigation<\/h2>\n\n\n\n<p style=\"text-align: justify\">Microsoft has already released guidelines to mitigate the effects of this new vulnerability <a aria-label=\"on its website (opens in a new tab)\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-34527\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"ek-link\">at this link.<\/a><\/p>\n<p style=\"text-align: justify\">In any case, it is highly recommended to disable the <strong>Print Spooler<\/strong> service, pending a patch from Microsoft.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Service Disablement<\/h2>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><strong>Determine if the Print Spooler service is running<\/strong><\/p><p>Run the following:<\/p><p><code>Get-Service -Name Spooler<\/code><\/p><p>If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy:<\/p><p><strong>Option 1 &#8211; Disable the Print Spooler service<\/strong><\/p><p>If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:<\/p><p><code>Stop-Service -Name Spooler -Force<\/code><\/p><p><code>Set-Service -Name Spooler -StartupType Disabled<\/code><\/p><p><strong>Impact of workaround<\/strong>&nbsp;Disabling the Print Spooler service disables the ability to print both locally and remotely.<\/p><p><strong>Option 2 &#8211; Disable inbound remote printing through Group Policy<\/strong><\/p><p>You can also configure the settings via Group Policy as follows:<\/p><p>Computer Configuration \/ Administrative Templates \/ Printers<\/p><p>Disable the &#8220;Allow Print Spooler to accept client connections:&#8221; policy to block remote attacks.<\/p><p>You must restart the Print Spooler service for the group policy to take effect.<\/p><p><strong>Impact of workaround<\/strong>&nbsp;This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>PrintNightmare (CVE-2021-34527): Windows Print Spooler privilege escalation and RCE, exploitation primitives, mitigation steps and detection across Windows estates.<\/p>\n","protected":false},"author":1,"featured_media":2779,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[89,3216,227,3217,3215,273,274,390],"class_list":["post-2737","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-cve","tag-cve-2021-34527","tag-microsoft","tag-print-spooler","tag-printnightmare","tag-printspooler","tag-privilege-escalation","tag-windows"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2737","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=2737"}],"version-history":[{"count":1,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2737\/revisions"}],"predecessor-version":[{"id":9873,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2737\/revisions\/9873"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=2737"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=2737"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=2737"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}