Security Experts:

Connect with us

Hi, what are you looking for?



CISA Issues Emergency Directive to Address ‘PrintNightmare’ Vulnerability

CISA says multiple threat actors are exploiting the Windows ‘PrintNightmare’ vulnerability

CISA says multiple threat actors are exploiting the Windows ‘PrintNightmare’ vulnerability

The United States Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday issued Emergency Directive 21-04, which requires all federal agencies to apply the available patches for the recently disclosed Microsoft Print Spooler service vulnerability within one week.

The agency warns that the vulnerability has been actively exploited by multiple threat actors. Microsoft’s advisory also says the flaw has been exploited, but no information is available on the attacks.

Tracked as CVE-2021-34527 and dubbed PrintNightmare, the vulnerability exists because the Print Spooler service “improperly performs privileged file operations.” The service offers unrestricted access to features that allow users to add printers and related drivers.

A remote attacker can exploit PrintNightmare to execute arbitrary code on a vulnerable system. The attacker would have to be authenticated, but the code would run with SYSTEM privileges, thus leading to a full system compromise.

[ ReadDid Microsoft Botch the PrintNightmare Patch? ]

Successful exploitation could allow a threat actor “to quickly compromise the entire identity infrastructure of a targeted organization,” CISA says.

Microsoft has released an emergency patch to address the vulnerability, and while security experts have pointed out problems with the fix, the company insists that it works as intended.

An operational component under the Department of Homeland Security (DHS), CISA on Tuesday informed federal agencies that they should apply the patches that Microsoft released for PrintNightmare by July 20, 2021, and that they should immediately disable the Print Spooler service on all Active Directory (AD) Domain Controllers (DC).

“CISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems,” the agency notes.

With Emergency Directive 21-04, federal agencies are also required to either stop and disable the Print Spooler service on Windows hosts, or change Point and Print Restrictions Group Policy settings and policies to ensure that warnings are displayed upon unauthorized access attempts.

Federal agencies also have to ensure until July 20 that all “newly provisioned or previously disconnected servers and workstations are updated” and that the aforementioned settings are defined before they are connected to agency networks. By July 21, 2021, all federal agencies have to submit a completion report of these actions.

Related: Microsoft Patches 3 Under-Attack Windows Zero-Days

Related: DHS Gives Federal Agencies 5 Days to Identify Vulnerable MS Exchange Servers

Related: DHS Orders Federal Agencies to Immediately Patch ‘Zerologon’ Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...