Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Microsoft Confirms (Yet Another) PrintNightmare Flaw as Ransomware Actors Pounce

Exasperated Windows fleet administrators woke up Thursday to news of a new, unpatched Print Spooler vulnerability that leaves machines exposed to remote code execution attacks.

Exasperated Windows fleet administrators woke up Thursday to news of a new, unpatched Print Spooler vulnerability that leaves machines exposed to remote code execution attacks.

Microsoft released a pre-patch advisory to confirm the severe new vulnerability after researchers published video of demo exploits on Twitter showing that Redmond’s latest PrintNightmare update was again problematic.

To make matters worse, anti-malware vendor CrowdStrike is warning that ransomware actors are already targeting one of the Windows PrintNightmare vulnerabilities to launch data-encrypting extortion attacks in South Korea.

Microsoft’s confirmation comes just days after the Patch Tuesday release of security patches and changed an OS default setting to attempt to fix a class of Print Spooler flaws that have haunted the Windows ecosystem since at least June 2021.

[ Related: Microsoft Takes Another Stab at PrintNightmare Security Fix ]

From Microsoft’s latest advisory (CVE-2021-36958):

“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The only workaround for this vulnerability is stopping and disabling the Print Spooler service.

Print Spooler, turned on by default on Microsoft Windows, is an executable file that’s responsible for managing all print jobs getting sent to the computer printer or print server.

Microsoft credited Accenture’s Victor Mata with reporting the bug.  Separately, Mimikatz creator Benjamin Delpy published a video to show that Microsoft’s patch again missed the mark.  

[ Related: Did Microsoft Botch the PrintNightmare Patch? ]

The issue has been a public embarrassment for Microsoft and suggests deep problems at the once-mighty MSRC (Microsoft Security Response Center).

In the midst of Microsoft’s hiccups, Crowdstrike is reporting that a known ransomware gang is attempting to exploit a known PrintNightmare flaw to launch data-encryption and extortion attacks.

A blog post from CrowdStike provides a timeline of the PrintNightmare class of bugs and warned that an exploit for one of the flaws — CVE-2021-34527 — have been used to plant ransomware on Windows machines in South Korea 

“The new incident involving Magniber ransomware using the recent PrintNightmare Printer Spooler vulnerability is surprising, but not uncommon considering the impact of the vulnerability. Several POCs have been in circulation since the issue was reported, and it was only a matter of time until adversaries attempted to leverage it to compromise victims and deliver malicious payloads,” CrowdStrike noted.

Related: Microsoft Takes Another Stab at PrintNightmare Security Fix

Related: Microsoft Ships Emergency PrintNightmare Patch

Related: Windows Admins Scrambling to Contain ‘PrintNightmare’ Flaw

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.