CVE-2022-22718 — Microsoft Windows Print Spooler Privilege Escalation Vulnerability

Microsoft Windows Print Spooler — Privilege Escalation to SYSTEM via Print Spooler Service Flaw

What is the Windows Print Spooler?

The Windows Print Spooler (spoolsv.exe) manages print queues and printer driver interactions. It runs under the SYSTEM account and has been a high-priority target since the PrintNightmare vulnerabilities (CVE-2021-1675, CVE-2021-34527) demonstrated the Print Spooler's value as a SYSTEM escalation surface. Microsoft patched a continuing series of Print Spooler privilege escalation vulnerabilities throughout 2021–2022 as security researchers and threat actors continued to probe the attack surface.

Overview

CVE-2022-22718 is a privilege escalation vulnerability in the Windows Print Spooler service. A low-privileged local attacker can exploit the flaw to escalate to SYSTEM-level privileges. The vulnerability was patched in February 2022, but CISA added it to its Known Exploited Vulnerabilities (KEV) catalog in April 2022, suggesting that evidence of in-the-wild exploitation was discovered in the two months between patching and catalog addition.

Affected Versions

Product                       Vulnerable   Fixed
Windows 7 SP1                 Yes          February 2022 CU
Windows Server 2008 R2        Yes          February 2022 CU
Windows 10 (all versions)     Yes          February 2022 CU
Windows 11                    Yes          February 2022 CU
Windows Server 2012 – 2022    Yes          February 2022 CU

Technical Details

The specific technical details of CVE-2022-22718 were not publicly disclosed by Microsoft. As part of the sustained Print Spooler vulnerability series, the flaw is in the Spooler's handling of printer driver operations, job management, or the RPC interface — all areas that have yielded SYSTEM escalation in related vulnerabilities.

  • Attack vector: Local — requires a foothold with a low-privilege account
  • Privileges required: Low — standard user account
  • User interaction: None — fully automated post-access
  • Impact: Full SYSTEM privilege escalation; complete OS control

The Spooler service's SYSTEM context is the key exploit primitive: gaining control of any Spooler operation with attacker-influenced data can yield SYSTEM code execution.

Discovery

The vulnerability was reported to Microsoft through coordinated disclosure. The two-month gap between the February patch and the April KEV addition suggests that in-the-wild exploitation was observed after the patch had been reverse engineered.

Exploitation Context

Print Spooler vulnerabilities are a mainstay of post-exploitation toolkits. Following PrintNightmare in 2021, attackers and security researchers invested heavily in finding additional Spooler bugs. CVE-2022-22718 is part of this ongoing exploitation of the Spooler attack surface. CISA added it to KEV in April 2022 alongside a cluster of other Print Spooler and Windows privilege escalation vulnerabilities that were being actively exploited in intrusion campaigns.

Remediation

  1. Apply the February 2022 Patch Tuesday cumulative update for your Windows version
  2. For systems that cannot be patched immediately, consider disabling the Print Spooler on non-printing endpoints and servers: Stop-Service -Name Spooler -Force; Set-Service -Name Spooler -StartupType Disabled
  3. Restrict network Print Spooler access: block RPC/SMB traffic to the Spooler from untrusted network segments
  4. Apply the Group Policy "Point and Print Restrictions" settings to limit which print servers can install drivers
  5. Monitor for suspicious child processes of spoolsv.exe — unusual process spawning from the Spooler is an exploitation indicator
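
The check in step 5 can be run over exported process-creation events. The following is an added example, not code from Microsoft or CISA: it assumes events exported as JSON lines with Sysmon Event ID 1 field names, and the two process lists, the sample events and the file name svc_update.exe are constructed assumptions to be replaced with your own baseline.

```python
import json
import ntpath

# Assumption: shells and script hosts that should never be spawned by the Spooler.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: placeholder baseline of children seen in normal operation; replace it
# with one built from your own telemetry.
BASELINE = {"conhost.exe", "werfault.exe"}

# Constructed sample events (not real telemetry), one JSON object per line, using
# Sysmon Event ID 1 field names. svc_update.exe is a hypothetical file name.
SAMPLE_EVENTS = r'''
{"UtcTime": "2022-04-20 10:01:02", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\spoolsv.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"UtcTime": "2022-04-20 10:01:03", "Image": "C:\\Windows\\System32\\conhost.exe", "ParentImage": "C:\\Windows\\System32\\spoolsv.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"UtcTime": "2022-04-20 10:02:10", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice"}
{"UtcTime": "2022-04-20 10:05:44", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.exe", "ParentImage": "C:\\WINDOWS\\system32\\SPOOLSV.EXE", "User": "NT AUTHORITY\\SYSTEM"}
{"UtcTime": "2022-04-20 10:06:30", "Image": "C:\\Users\\Public\\svc_update.exe", "ParentImage": "C:\\Windows\\System32\\spoolsv.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"UtcTime": "2022-04-20 10:07:
'''

def _name(path):
    """Lower-cased file name of a Windows path (Windows paths are case-insensitive)."""
    return ntpath.basename(path or "").lower()

def triage_spooler_children(lines):
    """Return (severity, event) pairs for processes whose parent is spoolsv.exe."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting the run
        if not isinstance(ev, dict) or _name(ev.get("ParentImage")) != "spoolsv.exe":
            continue
        child = _name(ev.get("Image"))
        if child in SHELLS:
            findings.append(("high", ev))    # shell or script host under the Spooler
        elif child not in BASELINE:
            findings.append(("review", ev))  # unknown child: compare with the baseline
    return findings

if __name__ == "__main__":
    for severity, ev in triage_spooler_children(SAMPLE_EVENTS.splitlines()):
        print(f"[{severity}] {ev.get('UtcTime')} {ev.get('Image')} user={ev.get('User')}")
```

Matching on the file name alone keeps the example short; a production rule should also confirm that the parent image path is the System32 copy of spoolsv.exe.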

Key Details

Property                Value
CVE ID                  CVE-2022-22718
Vendor / Product        Microsoft — Windows
NVD Published           2022-02-09
NVD Last Modified       2025-10-30
CVSS 3.1 Score          7.8
CVSS 3.1 Vector         CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity                HIGH
CISA KEV Added          2022-04-19
CISA KEV Deadline       2022-05-10
Known Ransomware Use    No

CVSS 3.1 Breakdown

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-05-10. Apply updates per vendor instructions.

Timeline

Date          Event
2022-02-08    Microsoft patches CVE-2022-22718 in February 2022 Patch Tuesday
2022-02-09    CVE published
2022-04-19    Added to CISA Known Exploited Vulnerabilities catalog
2022-05-10    CISA BOD 22-01 remediation deadline