CVE-2022-38028 — Microsoft Windows Print Spooler Privilege Escalation Vulnerability

CVE-2022-38028

Microsoft Windows Print Spooler — JavaScript Constraints File Modification Enabling SYSTEM Privilege Escalation (GooseEgg)

What is the Windows Print Spooler?

The Windows Print Spooler (spoolsv.exe) is a long-running service that manages print queues and printer driver interactions. It runs as SYSTEM, making it a perennial target for privilege escalation. Previous high-profile Print Spooler vulnerabilities include PrintNightmare (CVE-2021-34527) and a series of related bugs. CVE-2022-38028 is another entry in this pattern, one whose exploitation by a sophisticated nation-state actor only came to light well after it was patched.

Overview

CVE-2022-38028 is a privilege escalation vulnerability in the Windows Print Spooler service. An attacker with local access can modify a JavaScript constraints file that is subsequently executed by the Print Spooler with SYSTEM-level permissions. The vulnerability was patched in October 2022 but only added to CISA KEV in April 2024 after Microsoft and US intelligence agencies publicly attributed its exploitation to the Russian GRU-linked group Forest Blizzard (also known as APT28 or Fancy Bear) via a custom post-exploitation tool called GooseEgg.

Affected Versions

Product                          Vulnerable   Fixed
Windows 7 SP1                    Yes          KB5018454
Windows Server 2008 R2           Yes          KB5018454
Windows 10 (multiple versions)   Yes          October 2022 CU
Windows 11                       Yes          October 2022 CU
Windows Server 2012–2022         Yes          October 2022 CU

Technical Details

The Print Spooler service supports JavaScript-based printer constraints files as part of the Point and Print mechanism. The vulnerability allows a low-privileged local attacker to place or modify a JavaScript file in a path that the Print Spooler service will subsequently load and execute with SYSTEM privileges.

  • Attack vector: Local — requires an existing foothold (low-privileged user account) on the target system
  • Privileges required: Low — a standard unprivileged domain user is sufficient
  • User interaction: None — exploitation is fully automated once a foothold is established
  • Chaining: Used as the privilege escalation step in a broader intrusion chain — Forest Blizzard paired it with credential theft tools to dump NTLM hashes and Kerberos tickets after achieving SYSTEM

The GooseEgg tool is a Windows application that exploits this flaw to launch attacker-specified processes (shells, DLLs) with SYSTEM-level permissions. GooseEgg also maintains a persistence mechanism to re-launch itself after reboots.

Discovery

The vulnerability was discovered internally and patched by Microsoft in October 2022. The degree of exploitation was not publicly known until April 2024, when Microsoft Threat Intelligence and a joint advisory from NSA, CISA, FBI, and UK NCSC revealed that Forest Blizzard had been exploiting it since at least June 2020 — approximately two years before the CVE was assigned.

Exploitation Context

Forest Blizzard (GRU Unit 26165, also tracked as APT28/Fancy Bear/STRONTIUM) is a Russian military intelligence cyberespionage unit. The group exploited CVE-2022-38028 as part of targeted operations against US, European, and Ukrainian government, defense, energy, and transportation sectors. After achieving SYSTEM via GooseEgg, the actor dumped credentials, moved laterally across networks, and exfiltrated sensitive data. Exploitation was confirmed to have pre-dated the October 2022 patch by roughly two years.

Remediation

  1. Apply the October 2022 Patch Tuesday cumulative updates for all affected Windows versions (KB5018427, KB5018418, etc.)
  2. If patching is delayed, consider disabling the Print Spooler on servers and endpoints that do not require printing: Stop-Service -Name Spooler -Force; Set-Service -Name Spooler -StartupType Disabled
  3. Restrict Point and Print to approved print servers via Group Policy
  4. Review event logs for GooseEgg indicators: unexpected processes launched by spoolsv.exe, unusual SYSTEM-context JavaScript execution
  5. Hunt for GooseEgg artifacts: the tool drops files with names like wayzgoose.exe, JetSetGo.exe, and servtask.bat
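The following PowerShell script is an added example for this page, not tooling from Microsoft or from the advisory, that turns remediation steps 1 to 5 into a read-only host triage: it reports the Spooler service state, looks for the October 2022 KBs named above, reads the Point and Print policy, lists live and logged child processes of spoolsv.exe, and searches for the GooseEgg file names the advisory lists. The KB numbers, artifact names and the spoolsv.exe parent-process indicator come from the text above; the search roots and the Point and Print registry value names are assumptions, as marked in the comments. Run it from an elevated PowerShell session.

```powershell
# Added example, not part of the advisory: read-only triage for CVE-2022-38028 / GooseEgg.
# Requires an elevated session (Security log and registry policy reads).

$ArtifactNames = @('wayzgoose.exe', 'JetSetGo.exe', 'servtask.bat')      # file names listed in the advisory
$AdvisoryKbs   = @('KB5018454', 'KB5018427', 'KB5018418')                # KBs listed in the advisory
# Assumption: plausible drop locations for a post-exploitation tool; widen as needed.
$SearchRoots   = @($env:SystemRoot, $env:ProgramData, $env:PUBLIC, "$env:SystemDrive\Users")

function Get-SpoolerState {
    # Step 2: is the Print Spooler running, and will it restart after reboot?
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) { return 'Spooler service not installed' }
    "Spooler is $($svc.Status), start type $($svc.StartType)"
}

function Get-PatchState {
    # Step 1: Get-HotFix only lists updates the OS still tracks; a later cumulative
    # update supersedes the October 2022 ones, so their absence is not proof of exposure.
    $found = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $AdvisoryKbs -contains $_.HotFixID }
    if ($found) { return "October 2022 update present: $($found.HotFixID -join ', ')" }
    $os = Get-CimInstance Win32_OperatingSystem
    "Advisory KBs not listed; OS build $($os.BuildNumber). Confirm a later cumulative update is installed."
}

function Get-PointAndPrintPolicy {
    # Step 3: Point and Print Restrictions policy. Assumption: these are the value names
    # the policy writes; TrustedServers/ServerList carry the approved print server list.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $p) { return 'No Point and Print policy configured (OS defaults apply)' }
    [pscustomobject]@{
        RestrictDriverInstallationToAdministrators = $p.RestrictDriverInstallationToAdministrators
        TrustedServersOnly                         = $p.TrustedServers
        ServerList                                 = $p.ServerList
    }
}

function Get-SpoolerChildProcesses {
    # Step 4 (live): processes whose parent is spoolsv.exe. Some children are legitimate
    # (print isolation hosts, for example), so review the list rather than alert on every row.
    $spoolPids = @(Get-Process -Name spoolsv -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id)
    if ($spoolPids.Count -eq 0) { return @() }
    Get-CimInstance Win32_Process |
        Where-Object { $spoolPids -contains $_.ParentProcessId } |
        Select-Object ProcessId, Name, CommandLine
}

function Get-SpoolerChildEvents {
    # Step 4 (historical): Security 4688 process-creation events whose creator is spoolsv.exe.
    # Needs process-creation auditing enabled; CommandLine is only present if command-line auditing is on.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.ParentProcessName -like '*\spoolsv.exe') {
                [pscustomobject]@{ Time = $_.TimeCreated; NewProcess = $d.NewProcessName; CommandLine = $d.CommandLine }
            }
        }
}

function Find-GooseEggArtifacts {
    # Step 5: search the assumed roots for the file names the advisory associates with GooseEgg.
    foreach ($root in $SearchRoots) {
        Get-ChildItem -Path $root -Recurse -File -Include $ArtifactNames -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, CreationTime, LastWriteTime
    }
}

Get-SpoolerState
Get-PatchState
Get-PointAndPrintPolicy | Format-List
Get-SpoolerChildProcesses | Format-Table -AutoSize
Get-SpoolerChildEvents | Format-Table -AutoSize
Find-GooseEggArtifacts | Format-Table -AutoSize
```

The script only reads state; the disable command in step 2 is deliberately left to the operator, since printing-dependent hosts break if the Spooler is stopped blindly. Filename matches are a weak signal on their own (the names are trivially changed), so treat the parent-process data from Win32_Process and event 4688 as the primary indicator and the file search as corroboration.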

Key Details

Property               Value
CVE ID                 CVE-2022-38028
Vendor / Product       Microsoft — Windows
NVD Published          2022-10-11
NVD Last Modified      2025-10-30
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CISA KEV Added         2024-04-23
CISA KEV Deadline      2024-05-14
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector:        Local
Attack Complexity:    Low
Privileges Required:  Low
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2024-05-14. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2022-10-11   Microsoft patches CVE-2022-38028 in October 2022 Patch Tuesday
2024-04-22   Microsoft and NSA/CISA/FBI publish joint advisory attributing exploitation to Forest Blizzard (APT28/GRU Unit 26165) via GooseEgg tool
2024-04-23   Added to CISA Known Exploited Vulnerabilities catalog
2024-05-14   CISA BOD 22-01 remediation deadline