CVE-2022-41073 — Microsoft Windows Print Spooler Privilege Escalation Vulnerability

Windows Print Spooler — Local Privilege Escalation to SYSTEM; November 2022 Patch Tuesday Zero-Day; Ransomware Use Confirmed; KEV Added Day Before NVD Publication

What is Windows Print Spooler?

The Windows Print Spooler (spoolsv.exe) is a privileged Windows service that manages print jobs and communication with printer drivers. It runs as SYSTEM and is responsible for loading printer drivers, queuing print jobs, and interfacing with both local and network printers. Print Spooler's SYSTEM-level execution context makes it a perennially high-value target for privilege escalation: a vulnerability that allows a low-privileged user to influence Print Spooler's code execution — through driver manipulation, job processing bugs, or memory corruption — yields SYSTEM-level control. The Print Spooler exploitation era was defined by PrintNightmare (CVE-2021-34527) in mid-2021, but vulnerabilities in the component continued to be discovered and exploited through 2022.

Overview

CVE-2022-41073 is a Windows Print Spooler elevation of privilege vulnerability (CWE-787, out-of-bounds write) that allows a local attacker with low privileges to escalate to SYSTEM-level access. Microsoft patched it on November 8, 2022 (Patch Tuesday) as an actively exploited zero-day, and CISA added it to the KEV catalog the same day, one day before NVD's formal publication. The "Known Ransomware Use: Yes" designation on the KEV entry reflects confirmed use of Windows Print Spooler LPE vulnerabilities as a step in ransomware post-exploitation chains.

Affected Versions

Product                                   Affected                                                   Fixed
Windows 7 through Windows 11              All versions prior to the November 2022 cumulative update  November 8, 2022 cumulative update
Windows Server 2008 through Server 2022   All versions prior to the November 2022 cumulative update  November 8, 2022 cumulative update

Technical Details

An out-of-bounds write (CWE-787) in the Print Spooler service allows a low-privileged local user to corrupt spoolsv.exe's memory and ultimately redirect its SYSTEM-level execution. The exploitation path for Print Spooler LPE vulnerabilities typically involves:

  1. Interact with the Print Spooler via its local RPC interface — Windows exposes Print Spooler management functions through a local RPC endpoint accessible to standard user accounts
  2. Trigger the memory corruption — call a Print Spooler function with crafted parameters that cause an out-of-bounds write in the privileged service process
  3. Corrupt spoolsv.exe's memory — the write corrupts a data structure or function pointer within the SYSTEM-context spoolsv.exe process
  4. Achieve SYSTEM code execution — leverage the corrupted memory to redirect spoolsv.exe's execution to attacker-controlled code, obtaining SYSTEM privileges

With SYSTEM privileges, a ransomware operator can disable security software, encrypt volumes, exfiltrate data, and move laterally across the network with maximum permissions.

Discovery

CVE-2022-41073 was patched as a November 2022 Patch Tuesday zero-day with confirmed active exploitation at patch time. The simultaneous KEV addition on Patch Tuesday confirms CISA was aware of exploitation before the patch shipped.

Exploitation Context

Print Spooler LPE vulnerabilities have been consistently weaponized by ransomware operators as post-exploitation privilege escalation steps since PrintNightmare (2021). The typical ransomware kill chain:

  1. Gain initial network access (via phishing, exploiting an internet-facing service, or stolen credentials)
  2. Execute in a low-privilege context (domain user, local user)
  3. Apply a Windows LPE (Print Spooler, Win32k, CLFS, etc.) to escalate to SYSTEM
  4. Deploy ransomware with SYSTEM privileges to maximize impact and bypass per-user protections

CVE-2022-41073 represents the continuation of this pattern: even with PrintNightmare patched, the Print Spooler attack surface remained productive for zero-day discovery through 2022.

Remediation

  1. Apply the November 2022 Windows cumulative update — patches CVE-2022-41073 in the Print Spooler service across all affected Windows versions.
  2. Disable Print Spooler on servers that don't require printing — on domain controllers, servers, and workstations that don't use the print service, disable Print Spooler via Group Policy (Computer Configuration → Windows Settings → Security Settings → System Services → Print Spooler → Disabled). This is a Microsoft best-practice recommendation since PrintNightmare.
  3. Restrict Print Spooler remote and local access — if Print Spooler cannot be disabled, limit its attack surface by blocking inbound remote Print Spooler access at the firewall and restricting local Print Spooler RPC access via Group Policy.
  4. Deploy endpoint detection and response (EDR) — monitor for anomalous spoolsv.exe behavior — unexpected child processes, unusual DLL loads, elevated process creation — as indicators of Print Spooler exploitation.
  5. Apply Windows Defender Credential Guard and Attack Surface Reduction rules — ASR rules can block abuse of vulnerable system services in common exploitation patterns.
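The audit, hardening and monitoring steps above, worked through as an added PowerShell example. This is not code from the advisory or from Microsoft; it assumes that the DWORD value RegisterSpoolerRemoteRpcEndPoint = 2 under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers is the registry form of the Group Policy setting "Allow Print Spooler to accept client connections: Disabled", and the allow-list of expected spoolsv.exe child processes and the sample event records are constructed for illustration rather than taken from real telemetry.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of this advisory or of Microsoft's own tooling.
# Assumption: RegisterSpoolerRemoteRpcEndPoint (DWORD, 2 = disabled) under the Printers
# policy key backs the "Allow Print Spooler to accept client connections" Group Policy.
$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-SpoolerExposure {
    # Audit: is spoolsv.exe running, how does it start, and does policy allow remote RPC clients?
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $rpc = (Get-ItemProperty -Path $PrintersPolicy -Name RegisterSpoolerRemoteRpcEndPoint `
                -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
    $isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

    $rpcState = if ($rpc -eq 2) { 'Disabled' } elseif ($rpc -eq 1) { 'Enabled' } else { 'NotConfigured' }
    $running  = [bool]($svc -and $svc.Status -eq 'Running')
    $status   = if ($svc) { [string]$svc.Status }    else { 'NotInstalled' }
    $start    = if ($svc) { [string]$svc.StartType } else { 'NotInstalled' }
    # A domain controller with the spooler running is the highest-risk configuration
    $advice   = if ($isDC -and $running) { 'Disable Print Spooler (step 2)' }
                elseif ($running -and $rpcState -ne 'Disabled') { 'Block remote spooler RPC or disable the service (step 3)' }
                else { 'OK' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SpoolerStatus      = $status
        SpoolerStartType   = $start
        RemoteRpcPolicy    = $rpcState
        IsDomainController = $isDC
        Recommendation     = $advice
    }
}

function Disable-PrintSpooler {
    # Remediation step 2: stop and disable the service on hosts that never print.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled
    return ((Get-Service -Name Spooler).StartType -eq 'Disabled')
}

function Block-SpoolerRemoteAccess {
    # Remediation step 3: keep local printing but refuse remote RPC client connections.
    if (-not (Test-Path $PrintersPolicy)) { New-Item -Path $PrintersPolicy -Force | Out-Null }
    New-ItemProperty -Path $PrintersPolicy -Name RegisterSpoolerRemoteRpcEndPoint `
        -PropertyType DWord -Value 2 -Force | Out-Null
    Restart-Service -Name Spooler -ErrorAction SilentlyContinue   # the policy is read at service start
}

# Remediation step 4: spoolsv.exe normally spawns only a few well-known helpers, so any other
# child of a SYSTEM spooler deserves an alert. The allow-list is an assumed baseline; tune it per site.
$ExpectedSpoolerChildren = @('PrintIsolationHost.exe', 'splwow64.exe')

function Find-SuspiciousSpoolerChildren {
    # $Events: objects carrying ParentImage, Image and User, i.e. the fields of Sysmon Event ID 1
    # (process creation) or Security event 4688 after parsing. Returns only the suspicious records.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Where-Object {
        $_.ParentImage -like '*\spoolsv.exe' -and
        $ExpectedSpoolerChildren -notcontains (Split-Path -Path $_.Image -Leaf)
    }
}

# Constructed sample records (not real telemetry) so the detector can be exercised offline.
$SampleEvents = @(
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\spoolsv.exe'; Image = 'C:\Windows\System32\PrintIsolationHost.exe'; User = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\spoolsv.exe'; Image = 'C:\Windows\System32\cmd.exe';                User = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe';         Image = 'C:\Windows\System32\notepad.exe';            User = 'CORP\alice' }
)

Get-SpoolerExposure | Format-List
Find-SuspiciousSpoolerChildren -Events $SampleEvents | Format-Table -AutoSize   # only the cmd.exe row is returned
```

Disable-PrintSpooler and Block-SpoolerRemoteAccess are defined but not called automatically; run Get-SpoolerExposure first and apply whichever function matches the host's role, since disabling the service on a print server breaks printing. In production the detector would be fed from Get-WinEvent (Sysmon Operational log, Event ID 1) or the EDR's process-creation telemetry rather than from the constructed sample array.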

Key Details

Property               Value
CVE ID                 CVE-2022-41073
Vendor / Product       Microsoft — Windows
NVD Published          2022-11-09
NVD Last Modified      2025-10-30
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-787
CISA KEV Added         2022-11-08
CISA KEV Deadline      2022-12-09
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    Low
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-12-09. Apply updates per vendor instructions.

Timeline

Date          Event
2022-11-08    Microsoft November 2022 Patch Tuesday — CVE-2022-41073 patched as an actively exploited zero-day; CISA adds it to KEV the same day
2022-11-09    CVE-2022-41073 published to NVD
2022-12-09    CISA BOD 22-01 remediation deadline