NAVANEM
CVE-2021-34527 (exploited in the wild)

PrintNightmare, Windows Print Spooler RCE

Windows Print Spooler Remote Code Execution Vulnerability. The Windows Print Spooler service improperly performs privileged file operations. An authenticated attacker who can connect to the Print Spooler RPC interface can execute arbitrary code with SYSTEM privileges, or load arbitrary DLLs as a privileged driver.

Overview

CVE-2021-34527, widely known as "PrintNightmare," is a critical vulnerability in the Windows Print Spooler service that enables both remote code execution and local privilege escalation. The vulnerability exists in the RpcAddPrinterDriverEx API, which improperly handles privileged file operations. An authenticated attacker can exploit this flaw to execute arbitrary code with SYSTEM privileges on any Windows system running the Print Spooler service, which includes workstations, member servers, and, critically, domain controllers by default.

Technical Details

The Windows Print Spooler service exposes an RPC interface for managing printers and drivers. The vulnerable RpcAddPrinterDriverEx function accepts an attacker-supplied DLL path without proper validation. When an authenticated user connects to the Print Spooler RPC interface and provides a path to a malicious DLL hosted on a UNC share, the spooler service (running as SYSTEM) loads and executes the attacker's code.

The vulnerability proved particularly challenging to remediate due to multiple bypass variants discovered after initial patches:

  • July 6, 2021: Emergency out-of-band patch KB5004945 released, but researchers demonstrated bypasses within 24 hours
  • July 13, 2021: Patch Tuesday update with stronger fixes, though some bypasses persisted
  • August 10, 2021: Additional fixes addressing related CVEs (CVE-2021-34481, CVE-2021-36936)
  • September 14, 2021: Further hardening with RestrictDriverInstallationToAdministrators enforced by default

Impact

The impact of PrintNightmare was severe, particularly for managed service providers (MSPs) and enterprise environments. Since the Print Spooler runs by default on every Windows installation, including domain controllers, a standard authenticated domain user could compromise a DC and achieve complete domain takeover. Organizations running multi-tenant Active Directory or hybrid environments faced significant risk across all customer environments. The extended timeline of patches and bypasses meant that organizations that applied only the initial fixes remained vulnerable for months.

Mitigation

  1. Apply all Windows cumulative updates through September 2021 and beyond
  2. Disable the Print Spooler service on Domain Controllers: Stop-Service Spooler; Set-Service -Name Spooler -StartupType Disabled
  3. Disable Print Spooler on servers without printing requirements (file servers, hypervisors, application servers)
  4. Enable RestrictDriverInstallationToAdministrators registry value on all systems including workstations
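A PowerShell hardening script that applies steps 2 through 4 above in one pass, added here as an example and not taken from the advisory or from Microsoft. It assumes an elevated session, uses Microsoft's documented Point and Print policy key (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint) for RestrictDriverInstallationToAdministrators, and treats "no shared printers" as the heuristic for step 3, which is an assumption you should adapt to your own inventory.

```powershell
# Added example (not from the original advisory): PrintNightmare hardening for one host.
# Assumptions: elevated PowerShell; the PointAndPrint policy key is the location
# Microsoft documents for RestrictDriverInstallationToAdministrators (KB5005010).
#Requires -RunAsAdministrator

$PointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Set-RestrictDriverInstallation {
    # Step 4: require administrator rights to install printer drivers on every host.
    if (-not (Test-Path $PointAndPrint)) {
        New-Item -Path $PointAndPrint -Force | Out-Null
    }
    New-ItemProperty -Path $PointAndPrint -Name 'RestrictDriverInstallationToAdministrators' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-PrintSpooler {
    # Steps 2 and 3: stop the service now and keep it from starting on reboot.
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service -Name Spooler -StartupType Disabled
}

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return $role -ge 4
}

function Test-HostsSharedPrinters {
    # Assumption: a host that exports printer shares needs its spooler.
    return [bool](Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
}

Set-RestrictDriverInstallation

if (Test-IsDomainController) {
    Disable-PrintSpooler
    Write-Output 'Domain controller: Print Spooler stopped and disabled.'
} elseif (-not (Test-HostsSharedPrinters)) {
    Disable-PrintSpooler
    Write-Output 'No shared printers: Print Spooler stopped and disabled.'
} else {
    Write-Output 'Print server: spooler left running; driver installation restricted to admins.'
}

# Show the resulting state so the change can be recorded.
Get-Service -Name Spooler | Select-Object Status, StartType
Get-ItemProperty -Path $PointAndPrint -Name 'RestrictDriverInstallationToAdministrators'
```

Run it after the cumulative updates from step 1 are installed; the registry value only has its intended effect on patched builds.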

Detection

No public information available.