Connect with us

Hi, what are you looking for?


Application Security

Windows Admins Scrambling to Contain ‘PrintNightmare’ Flaw Exposure

Windows network administrators are scrambling to contain the fallout from the release of proof-of-concept code for a nasty Windows Print Spooler vulnerability that exposes Windows servers to remote code execution attacks.

Windows network administrators are scrambling to contain the fallout from the release of proof-of-concept code for a nasty Windows Print Spooler vulnerability that exposes Windows servers to remote code execution attacks.

The issue is causing major headaches in security research circles because the exploit targets CVE-2021-1675, a vulnerability that was patched by Microsoft on June 8 and originally misdiagnosed as a low-risk privilege escalation issue.

However, multiple threat hunters are reporting that published demo exploit code provides a code execution path on fully patched Windows servers, meaning that Microsoft’s June patch may have missed the mark.

“Fully patched Windows 2019 domain controller, popped with 0day exploit (CVE-2021-1675) from a regular Domain User’s account giving full SYSTEM privileges. Disable “Print Spooler” service on servers that do not require it,” according to one researcher tracking the issue.  

Multiple threat hunters spoke to SecurityWeek on background to warn that applying Microsoft’s June fix does not protect some fully patched Windows servers, including 2012R2, 2016, and 2019.

Microsoft added to the confusing by first misdiagnosing the severity of the bug, only to update its bulletin on June 21 to confirm remote code execution vectors.

At the same time, the Black Hat conference announced the acceptance of a presentation on the details of the vulnerability by researchers at Sangfor, a Chinese security vendor that promptly released proof-of-concept code and a full technical write-up that showed a path to remote code execution.

Advertisement. Scroll to continue reading.

[ Related: Microsoft Patch Tuesday: 83 Vulnerabilities, 10 Critical, 1 Actively Exploited ]

Sangfor was not credited by Microsoft in its bulletin with a fix for the Print Spooler issue, meaning that multiple security research teams independently discovered and exploited this issue.

The demo exploit code was removed by Sangfor, but not before it was copied and actively shared on public forums.

Microsoft has not yet publicly commented on the appearance of proof-of-concept code or the reports and speculation that the fix for CVE-2021-1675 was ineffective.

Print Spooler, which is turned on by default on Microsoft Windows, is an executable file that’s responsible for managing all print jobs getting sent to the computer printer or print server.

Will Dormann, a Vulnerability Analyst at the CERT/CC, called on Microsoft Windows admins to treat this as a very important issue to mitigate.

“If you have the “Print Spooler” service enabled (which is the default), any remote authenticated user can execute code as SYSTEM on the domain controller. Stop and Disable the service on any DC now,” Dormann said.

Related: Microsoft Warns of Under-Attack Windows Kernel Flaw

Related: NSA Reports New Critical Microsoft Exchange Flaws 

Related: Microsoft Patch Tuesday: 83 Vulnerabilities, 10 Critical, 1 Actively Exploited 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...