What is Windows Print Spooler?
The Windows Print Spooler service (spoolsv.exe) manages print jobs and communication with printers across Windows. It runs as SYSTEM on all Windows versions and domain controllers, and is enabled by default. The Print Spooler exposes a network RPC interface that allows remote computers to add printers and printer drivers. This design — a SYSTEM-privileged service that installs third-party code (printer drivers) on behalf of clients — creates an inherently dangerous attack surface. A flaw in how Print Spooler validates driver installation requests allows attackers to load arbitrary DLLs as SYSTEM, achieving privilege escalation or remote code execution. Print Spooler vulnerabilities have become one of the most exploited Windows attack surfaces since 2021.
Overview
CVE-2021-1675 is a Windows Print Spooler local privilege escalation vulnerability and part of the PrintNightmare vulnerability cluster. It was originally patched in the June 2021 Patch Tuesday as a moderate LPE; the Print Spooler bug family then exploded into a critical incident when researchers published a proof-of-concept on June 29, 2021 demonstrating both local and remote exploitation. A companion CVE (CVE-2021-34527) was assigned for the remote code execution vector. CVE-2021-1675 represents the local privilege escalation component: a low-privileged user can exploit the Print Spooler to load a malicious DLL and execute code as SYSTEM. Ransomware groups rapidly incorporated Print Spooler exploitation into their attack playbooks. CISA added CVE-2021-1675 to the KEV catalog in November 2021.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Windows 7 SP1 / Server 2008 R2 | Yes | June 2021 Patch Tuesday + emergency July patch |
| Windows 10 (all versions) | Yes | June 2021 Patch Tuesday + emergency July patch |
| Windows 11 | Yes | Emergency out-of-band patch July 2021 |
| Windows Server 2016/2019/2022 | Yes | Emergency out-of-band patch July 2021 |
| Windows Server 2008/2012/2016 | Yes | Emergency out-of-band patch July 2021 |
Technical Details
- Root cause: The Windows Print Spooler RpcAddPrinterDriverEx() API function allows authenticated users (in some configurations, including domain users) to install printer drivers — the driver installation process loads attacker-controlled DLL files as SYSTEM without adequate validation of the driver binary's authenticity or source
- LPE mechanism: A low-privileged local user calls the Print Spooler API with a reference to a malicious DLL they control; the SYSTEM-privileged spoolsv.exe process loads and executes the DLL — granting the attacker SYSTEM-level code execution
- RCE variant (CVE-2021-34527): The same Print Spooler API is exposed remotely via RPC; an authenticated network user can call it from a remote machine to install the malicious driver on the target — achieving RCE without local access
- Domain controller impact: Domain controllers run Print Spooler by default and all domain users are authenticated users; this means any domain account can potentially escalate to SYSTEM on domain controllers via PrintNightmare
- CVSS discrepancy: The CVSS AV:L rating reflects the local exploitation scenario; the companion CVE-2021-34527 (CVSS 8.8, AV:N) covers the more severe remote exploitation vector — both vulnerabilities share the same underlying Print Spooler design flaw
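The mechanism above boils down to one observable: the SYSTEM-privileged spoolsv.exe process maps a DLL it should not be trusting. The following PowerShell is an added example, not code from this advisory or from Microsoft, showing detection logic a defender can run over image-load telemetry. It assumes Sysmon is installed and recording Event ID 7 (ImageLoad), uses that event's field names (Image, ImageLoaded, Signed, SignatureStatus), and treats the list of expected DLL roots as a site-specific assumption; the three sample records at the bottom are constructed for illustration.

```powershell
# Added example (not from the advisory): flag DLLs loaded into spoolsv.exe that do
# not look like legitimate, signed printer components. Record shape follows Sysmon
# Event ID 7 (ImageLoad) fields; the sample records below are constructed.

# Assumption: on this host, legitimate spooler DLLs live under these roots only
$ExpectedRoots = @(
    "$env:SystemRoot\System32\",
    "$env:SystemRoot\SysWOW64\",
    "$env:SystemRoot\WinSxS\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
)

function Test-SpoolerImageLoad {
    [CmdletBinding()]
    param([Parameter(Mandatory)][hashtable]$Record)

    # Only image loads into the Print Spooler process are of interest here
    if ($Record.Image -notlike '*\spoolsv.exe') { return $null }

    $dll     = [string]$Record.ImageLoaded
    $reasons = New-Object System.Collections.Generic.List[string]

    $inExpectedRoot = $false
    foreach ($root in $ExpectedRoots) {
        if ($dll.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inExpectedRoot = $true; break
        }
    }
    if (-not $inExpectedRoot) { $reasons.Add("DLL outside expected system roots: $dll") }
    if ($dll.StartsWith('\\'))  { $reasons.Add('DLL loaded from a UNC path') }

    # Driver packages land under spool\drivers; a driver DLL there should carry a
    # valid Authenticode signature, which an attacker-supplied DLL will not
    if ($dll -match '\\spool\\drivers\\' -and $Record.SignatureStatus -ne 'Valid') {
        $reasons.Add("Printer driver DLL without a valid signature (status: $($Record.SignatureStatus))")
    }
    if ($Record.Signed -ne 'true') { $reasons.Add('Unsigned image loaded into spoolsv.exe') }

    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        TimeCreated = $Record.UtcTime
        Process     = $Record.Image
        ImageLoaded = $dll
        Reasons     = $reasons -join '; '
    }
}

function Get-LiveSpoolerImageLoads {
    # Read Sysmon Event 7 from the live log and convert each event's XML into the
    # hashtable shape Test-SpoolerImageLoad expects
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $h = @{}
        foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        if ($h.Image -like '*\spoolsv.exe') { Test-SpoolerImageLoad -Record $h }
    }
}

# Constructed sample records: a benign system DLL, an unsigned DLL sitting in the
# driver store, and a DLL mapped from a UNC path (hostnames and names are placeholders)
$SampleRecords = @(
    @{ UtcTime = '2021-07-01 10:00:00'; Image = 'C:\Windows\System32\spoolsv.exe'
       ImageLoaded = 'C:\Windows\System32\localspl.dll'; Signed = 'true'; SignatureStatus = 'Valid' },
    @{ UtcTime = '2021-07-01 10:00:05'; Image = 'C:\Windows\System32\spoolsv.exe'
       ImageLoaded = 'C:\Windows\System32\spool\drivers\x64\3\EXAMPLE-unsigned.dll'; Signed = 'false'; SignatureStatus = 'Unavailable' },
    @{ UtcTime = '2021-07-01 10:00:09'; Image = 'C:\Windows\System32\spoolsv.exe'
       ImageLoaded = '\\EXAMPLE-HOST\share\EXAMPLE.dll'; Signed = 'false'; SignatureStatus = 'Unavailable' }
)

$SampleRecords | ForEach-Object { Test-SpoolerImageLoad -Record $_ } | Format-Table -AutoSize
```

Run against the sample records, the first (localspl.dll, signed, under System32) produces nothing, while the two others each produce a finding with the reasons listed. On a live host, Get-LiveSpoolerImageLoads applies the same rule to real Sysmon data. The spooler's own log (Microsoft-Windows-PrintService/Operational, which is off by default) records driver additions as Event ID 316 and failed plug-in loads as Event ID 808; correlating those with the Sysmon view gives the driver name alongside the DLL path.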
Discovery
CVE-2021-1675 was originally reported and patched in the June 2021 Patch Tuesday. The PrintNightmare crisis emerged when researchers published a PoC on GitHub on June 29, 2021, demonstrating that the Print Spooler attack surface was broader than initially understood — enabling remote code execution in addition to local escalation. Microsoft rapidly published CVE-2021-34527 and issued an emergency out-of-band patch in early July 2021. Ransomware exploitation began within days of the public PoC release.
Exploitation Context
PrintNightmare became one of the most widely exploited vulnerabilities of 2021 within days of the public PoC. Ransomware operators — including Magniber, Vice Society, and others — incorporated Print Spooler exploitation into their post-initial-access playbooks for two primary uses: (1) privilege escalation on endpoints where a low-privileged account was obtained, and (2) lateral movement and code execution on domain controllers to gain domain admin. Domain controllers are particularly impactful targets because domain admin access enables mass ransomware deployment across the entire organization. The CISA KEV addition in November 2021 confirmed the ransomware use that was already widely reported.
Remediation
- Apply the June 2021 Patch Tuesday update AND the emergency out-of-band patch (July 2021) for CVE-2021-34527 — both are required; June Patch Tuesday alone does not fully address PrintNightmare
- For domain controllers specifically: Disable Print Spooler on domain controllers if printing is not required — DCs rarely need to be print servers:

```powershell
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
```

- Point and Print restriction: Configure Group Policy to restrict Point and Print to trusted print servers only (Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions)
- Verify the patch is installed: check for KB5004945 (Windows 10 20H1/20H2/21H1) and equivalent KBs for other Windows versions
- Monitor for anomalous DLL loading by spoolsv.exe — EDR solutions should alert on unknown DLLs loaded by the Print Spooler process
- Audit which systems require Print Spooler and disable it on servers that do not need it (file servers, web servers, database servers, domain controllers)
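The remediation steps above (patch present, Point and Print restricted, Spooler off on domain controllers) can be checked on a host in one pass. The following PowerShell is an added example, not the advisory's or Microsoft's code. It assumes it is run elevated; that KB5004945 (named above for Windows 10 20H1/20H2/21H1) is the right KB for the host, with other builds passing their own KB id via -PatchKb; and that the Point and Print registry values NoWarningNoElevationOnInstall and UpdatePromptSettings under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint must be 0 or absent, as Microsoft's CVE-2021-34527 guidance states.

```powershell
# Added example (not from the advisory): audit one host for PrintNightmare
# remediation state and, optionally, apply the advisory's DC mitigation.

function Get-PrintNightmareStatus {
    [CmdletBinding()]
    param(
        # Assumption: KB5004945 covers this host; pass the matching KB for other builds
        [string[]]$PatchKb = @('KB5004945'),
        # Stop and disable the Spooler, but only on a domain controller
        [switch]$Remediate
    )

    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isDc = $cs.DomainRole -in 4, 5

    $svc            = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $spoolerStart   = if ($svc) {
        (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").StartMode
    } else { 'Absent' }

    # Patch check: any of the requested KBs present in the installed hotfix list
    $installedKb = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $patched     = @($PatchKb | Where-Object { $_ -in $installedKb }).Count -gt 0

    # Point and Print policy: both values must be 0 or undefined; 1 lets non-admins
    # install drivers without a prompt, which is the exposure the policy is meant to close
    $pnpKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pnp       = Get-ItemProperty -Path $pnpKey -ErrorAction SilentlyContinue
    $noWarn    = if ($null -ne $pnp.NoWarningNoElevationOnInstall) { $pnp.NoWarningNoElevationOnInstall } else { 0 }
    $updPrompt = if ($null -ne $pnp.UpdatePromptSettings) { $pnp.UpdatePromptSettings } else { 0 }
    $pointAndPrintSafe = ($noWarn -eq 0) -and ($updPrompt -eq 0)

    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $patched)           { $findings.Add("None of $($PatchKb -join ', ') installed") }
    if (-not $pointAndPrintSafe) { $findings.Add('Point and Print policy permits non-admin driver installation') }
    if ($isDc -and $spoolerRunning) { $findings.Add('Print Spooler running on a domain controller') }

    if ($Remediate -and $isDc -and $svc) {
        # The advisory's own mitigation for DCs that do not need to print
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        $findings.Add('Remediated: Spooler stopped and disabled')
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDc
        SpoolerStatus      = if ($svc) { $svc.Status.ToString() } else { 'Absent' }
        SpoolerStartMode   = $spoolerStart
        PatchInstalled     = $patched
        PointAndPrintSafe  = $pointAndPrintSafe
        Findings           = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'None' }
    }
}

# Report only; add -Remediate on a DC to apply the Spooler mitigation
Get-PrintNightmareStatus | Format-List
```

Running it without -Remediate is safe on any host and gives a one-object report suitable for collecting across a fleet; the Findings field is empty ("None") only when the patch is present, the Point and Print policy is restrictive, and the Spooler is not running on a domain controller. Disabling the Spooler is deliberately gated on the DC role so the script cannot take a real print server offline.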
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-1675 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2021-06-08 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2021-06-08 | CVE published |
| 2021-06-08 | Microsoft patches CVE-2021-1675 in June 2021 Patch Tuesday — initially rated CVSS 6.8 as a local privilege escalation |
| 2021-06-29 | Researchers publish proof-of-concept exploit on GitHub demonstrating that Print Spooler vulnerabilities enable both LPE and remote code execution — nicknamed PrintNightmare |
| 2021-07-01 | Microsoft publishes new CVE-2021-34527 to cover the RCE variant; revises CVE-2021-1675 to CVSS 7.8 and re-classifies it as both LPE and RCE; issues emergency out-of-band patch for the broader PrintNightmare issue |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog — ransomware campaigns confirmed using Print Spooler exploitation |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Advisory — CVE-2021-1675 | Vendor Advisory |
| Microsoft Security Advisory — CVE-2021-34527 (PrintNightmare RCE) | Vendor Advisory |
| NVD — CVE-2021-1675 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |