Windows network administrators are scrambling to contain the fallout from the release of proof-of-concept code for a nasty Windows Print Spooler vulnerability that exposes Windows servers to remote code execution attacks.
The issue is causing major headaches in security research circles because the exploit targets CVE-2021-1675, a vulnerability that was patched by Microsoft on June 8 and originally misdiagnosed as a low-risk privilege escalation issue.
However, multiple threat hunters are reporting that published demo exploit code provides a code execution path on fully patched Windows servers, meaning that Microsoft’s June patch may have missed the mark.
“Fully patched Windows 2019 domain controller, popped with 0day exploit (CVE-2021-1675) from a regular Domain User’s account giving full SYSTEM privileges. Disable “Print Spooler” service on servers that do not require it,” according to one researcher tracking the issue.
Multiple threat hunters spoke to SecurityWeek on background to warn that applying Microsoft’s June fix does not protect some fully patched Windows servers, including 2012R2, 2016, and 2019.
Microsoft added to the confusing by first misdiagnosing the severity of the bug, only to update its bulletin on June 21 to confirm remote code execution vectors.
At the same time, the Black Hat conference announced the acceptance of a presentation on the details of the vulnerability by researchers at Sangfor, a Chinese security vendor that promptly released proof-of-concept code and a full technical write-up that showed a path to remote code execution.
[ Related: Microsoft Patch Tuesday: 83 Vulnerabilities, 10 Critical, 1 Actively Exploited ]
Sangfor was not credited by Microsoft in its bulletin with a fix for the Print Spooler issue, meaning that multiple security research teams independently discovered and exploited this issue.
The demo exploit code was removed by Sangfor, but not before it was copied and actively shared on public forums.
Microsoft has not yet publicly commented on the appearance of proof-of-concept code or the reports and speculation that the fix for CVE-2021-1675 was ineffective.
Print Spooler, which is turned on by default on Microsoft Windows, is an executable file that’s responsible for managing all print jobs getting sent to the computer printer or print server.
Will Dormann, a Vulnerability Analyst at the CERT/CC, called on Microsoft Windows admins to treat this as a very important issue to mitigate.
“If you have the “Print Spooler” service enabled (which is the default), any remote authenticated user can execute code as SYSTEM on the domain controller. Stop and Disable the service on any DC now,” Dormann said.
Related: Microsoft Warns of Under-Attack Windows Kernel Flaw
Related: NSA Reports New Critical Microsoft Exchange Flaws
Related: Microsoft Patch Tuesday: 83 Vulnerabilities, 10 Critical, 1 Actively Exploited

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Microsoft Catches Chinese .Gov Hackers Targeting US Critical Infrastructure
- Researchers Spot APTs Targeting Small Business MSPs
- Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own
- Red Hat Pushes New Tools to Secure Software Supply Chain
- Investors Make $6M Bet on Manifest for SBOM Management Technology
- Entro Raises $6M to Tackle Secrets Sprawl
Latest News
- Zyxel Urges Customers to Patch Firewalls Against Exploited Vulnerabilities
- Gigabyte Rolls Out BIOS Updates to Remove Backdoor From Motherboards
- SBOMs – Software Supply Chain Security’s Future or Fantasy?
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
- Insider Q&A: Artificial Intelligence and Cybersecurity In Military Tech
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
