CVE-2022-21999 — Microsoft Windows Print Spooler Privilege Escalation Vulnerability

Microsoft Windows Print Spooler — Local Privilege Escalation via Path Traversal; Post-PrintNightmare Spooler Chain

What is Windows Print Spooler?

The Windows Print Spooler service (spoolsv.exe) manages print jobs, printer driver loading, and print queue operations on Windows systems. It runs with SYSTEM privileges and loads printer drivers — a fact that has made it a persistent target for local privilege escalation. After the catastrophic PrintNightmare (CVE-2021-34527) disclosure in mid-2021, Microsoft and the security community identified numerous additional Print Spooler vulnerabilities in the following months, creating a wave of Print Spooler-related CVEs throughout late 2021 and early 2022.

Overview

CVE-2022-21999 is a high-severity Windows Print Spooler privilege escalation vulnerability (CWE-22, CVSS 7.8) in Microsoft Windows. A local attacker with low privileges can exploit a path traversal vulnerability in the Print Spooler service to escalate to SYSTEM. It was patched in the February 2022 Patch Tuesday release and added to the CISA KEV catalog in March 2022 with confirmed active exploitation. Known ransomware use: yes. Print Spooler LPE vulnerabilities were actively used by ransomware operators during this period.

Affected Versions

Product                     Vulnerable                                 Fixed
Windows 7, 8.1, 10, 11      All versions before February 2022 patch    February 2022 cumulative update
Windows Server 2008–2022    All versions before February 2022 patch    February 2022 cumulative update

Technical Details

The vulnerability (CWE-22: Path Traversal) exists in the Windows Print Spooler service's file handling operations. The Print Spooler must access printer driver files and print job data files as part of its operations, and does so with SYSTEM-level privileges.

In the vulnerable code path, the Print Spooler processes a file path supplied by a local user without adequately sanitizing path traversal sequences (../ or equivalent Windows path separators). A low-privileged attacker can supply a crafted file path that traverses to a location outside the intended directory, causing the Print Spooler to perform a privileged file operation (write, copy, or permission change) on a system-critical file or directory.

By directing the privileged write to an attacker-controlled executable location (such as a DLL search path), the attacker can achieve code execution with SYSTEM privileges when the Print Spooler (or another SYSTEM process) loads the attacker's file.
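The missing check described above, sketched as an added example (not Microsoft's code and not the actual fix): a privileged component resolves the caller-supplied name against its intended directory and refuses anything whose canonical form lands outside it. The root C:\Spool\Jobs, the function name and the sample inputs are constructed for illustration; Windows path semantics are assumed.

```powershell
# Added example: containment check for a caller-supplied file name.
# $Root and the sample inputs below are constructed for illustration.
function Resolve-ContainedPath {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$UserPath
    )
    # Canonicalize the root and give it exactly one trailing separator, so
    # that "C:\Spool\Jobs-old" is not accepted as being under "C:\Spool\Jobs".
    $sep      = [System.IO.Path]::DirectorySeparatorChar
    $rootFull = [System.IO.Path]::GetFullPath($Root).TrimEnd('\', '/') + $sep

    # Path.Combine discards $rootFull when $UserPath is rooted, and
    # GetFullPath collapses "..", "." and both separator styles on Windows,
    # so every escape route ends up visible in $candidate.
    $candidate = [System.IO.Path]::GetFullPath(
        [System.IO.Path]::Combine($rootFull, $UserPath))

    if (-not $candidate.StartsWith($rootFull, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Rejected: '$UserPath' resolves outside '$rootFull'"
    }
    # Lexical check only: it does not follow junctions or symbolic links.
    return $candidate
}

$root    = 'C:\Spool\Jobs'
$samples = @(
    'job-0001.spl',                          # plain file name: accepted
    'sub\..\job-0002.spl',                   # ".." that stays inside: accepted
    '..\..\Windows\System32\example.dll',    # backslash traversal: rejected
    '../../Windows/System32/example.dll',    # forward-slash traversal: rejected
    '..\Jobs-old\job.spl',                   # sibling sharing the prefix: rejected
    'C:\Windows\System32\example.dll'        # absolute path: rejected
)
foreach ($s in $samples) {
    try   { '{0,-40} -> {1}' -f $s, (Resolve-ContainedPath -Root $root -UserPath $s) }
    catch { '{0,-40} -> {1}' -f $s, $_.Exception.Message }
}
```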

Discovery

Discovered by security researchers in the aftermath of the PrintNightmare period, when intensified scrutiny of the Print Spooler identified multiple vulnerability classes. Reported to Microsoft and patched in February 2022.

Exploitation Context

Print Spooler LPE vulnerabilities became a preferred weapon for threat actors throughout 2021–2022:

  • Ransomware operators: Used as a reliable privilege escalation step after initial access, providing SYSTEM privileges for AV bypass, shadow copy deletion, and full-disk encryption
  • PrintNightmare exploitation chain: CVE-2022-21999 was one of several Print Spooler vulnerabilities that together provided threat actors with multiple pathways to SYSTEM even as Microsoft patched individual issues
  • Domain persistence: SYSTEM-level access on a Windows domain member enables DCSync attacks, credential harvesting, and domain-wide lateral movement

The known-ransomware-use designation reflects documented use by ransomware operators who incorporated Print Spooler LPE into their toolkits as a reliable escalation step in enterprise Windows environments.

Remediation

  1. Apply February 2022 Patch Tuesday: Install the cumulative security update via Windows Update.
  2. Disable Print Spooler on non-printing systems: On servers, domain controllers, and systems that do not need to print, disable the Print Spooler service entirely to eliminate the attack surface.
  3. Restrict printer driver installation: Use Group Policy to prevent non-administrator users from installing printer drivers (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Devices: Prevent users from installing printer drivers).
  4. Monitor Print Spooler activity: Log and alert on unusual Print Spooler activity, particularly driver installations or print job submissions from non-standard accounts.
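A read-only audit of steps 1 to 3 on the local host, followed by the change from step 2, as an added example that is not part of the original advisory. The function names are hypothetical; the registry value is the one behind the "Devices: Prevent users from installing printer drivers" security option, and an elevated PowerShell session on Windows is assumed.

```powershell
# Added example: audit Print Spooler exposure on the local host.
function Get-SpoolerExposure {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"

    # Registry value behind "Devices: Prevent users from installing
    # printer drivers" (1 = enabled; 0 or absent = not enforced here).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
    $prop = Get-ItemProperty -Path $key -Name AddPrinterDrivers -ErrorAction SilentlyContinue

    # Defined print queues: a rough signal that the host actually prints.
    $queues = @(Get-CimInstance -ClassName Win32_Printer -ErrorAction SilentlyContinue)

    # Most recent update known to Get-HotFix. Heuristic only: compare the
    # date with the February 2022 release, then confirm the cumulative
    # update itself in your patch-management tooling.
    $latest = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn | Select-Object -Last 1

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        SpoolerState            = $svc.State       # Running / Stopped
        SpoolerStartMode        = $svc.StartMode   # Auto / Manual / Disabled
        SpoolerAccount          = $svc.StartName
        PrintQueues             = $queues.Count
        DriverInstallRestricted = ($null -ne $prop -and $prop.AddPrinterDrivers -eq 1)
        LatestHotFixId          = $latest.HotFixID
        LatestHotFixDate        = $latest.InstalledOn
    }
}

# Step 2: stop and disable the service on hosts that do not need to print.
function Disable-Spooler {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

Get-SpoolerExposure | Format-List
Disable-Spooler -WhatIf    # drop -WhatIf to apply the change
```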

Key Details

Property                Value
CVE ID                  CVE-2022-21999
Vendor / Product        Microsoft / Windows
NVD Published           2022-02-09
NVD Last Modified       2025-10-30
CVSS 3.1 Score          7.8
CVSS 3.1 Vector         CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity                HIGH
CWE                     CWE-22
CISA KEV Added          2022-03-25
CISA KEV Deadline       2022-04-15
Known Ransomware Use    Yes

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    Low
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-04-15. Apply updates per vendor instructions.

Timeline

Date          Event
2022-02-08    Microsoft patched CVE-2022-21999 in February 2022 Patch Tuesday
2022-03-25    CISA added to KEV
2022-04-15    CISA BOD 22-01 remediation deadline
