CVE-2021-34527

Microsoft Windows 'PrintNightmare' — Print Spooler Driver Installation Allows Authenticated Remote Code Execution as SYSTEM
CVSS 3.1: 8.8 / 10 (HIGH) | CISA Known Exploited Vulnerability

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on November 3, 2021. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2021-34527, nicknamed "PrintNightmare," is a remote code execution vulnerability in the Windows Print Spooler service (spoolsv.exe). Any authenticated domain user can install a printer driver by pointing the Spooler service to a remote UNC path containing a malicious DLL, which the Spooler loads and executes as NT AUTHORITY\SYSTEM — the highest privilege level on Windows. Because the Print Spooler runs as SYSTEM and is enabled by default on all Windows versions (including domain controllers), PrintNightmare provides any domain user an instant path to full domain compromise.

The vulnerability's disclosure was accidental: researchers at QiAnXin and Sangfor published a PoC on GitHub believing the June 2021 Patch Tuesday had already addressed the issue, when in fact it fixed only a related local privilege escalation variant (CVE-2021-1675). The published PoC demonstrated an entirely unpatched RCE path, triggering an emergency response.

What Is the Windows Print Spooler?

The Print Spooler service (spoolsv.exe) manages print jobs and printer driver installation on Windows. It is enabled by default on all Windows versions — including domain controllers, where printing functionality is rarely needed. The Spooler exposes RPC endpoints accessible to any domain user, and its driver installation functionality was designed to allow remote management of printers. Running as SYSTEM, any code it loads inherits full system privileges.

Affected Versions

All versions of Windows with the Print Spooler service running are affected, including:

Platform                           Status
Windows 7 / Server 2008 R2         Affected
Windows 8.1 / Server 2012 R2       Affected
Windows 10 (all versions)          Affected
Windows Server 2016                Affected
Windows Server 2019                Affected
Windows Server 2022                Affected
Domain Controllers (all versions)  Highest priority — DC compromise = domain compromise

The Print Spooler is enabled by default on all the above. Servers with the Spooler disabled are not vulnerable to the remote variant.

Technical Details

Root Cause: Privileged Driver Installation via Remote UNC Path

The Print Spooler's RpcAddPrinterDriverEx function (exposed via the MS-RPRN and MS-PAR RPC protocols) allows authenticated domain users to install printer drivers. The function accepts a path to the driver files — including remote UNC paths (\\attacker\share\evil.dll). The Spooler service, running as SYSTEM, connects to the attacker's SMB share and loads the DLL, executing attacker-supplied code with SYSTEM privileges.

The core access control failure: non-administrative users should not be able to install drivers that execute as SYSTEM. The AddPrinterDriver path was intended for printer administrators, but the access check was insufficiently enforced for remote path-based driver installation.

Two Attack Variants

Remote (RCE) — CVE-2021-34527:

  • Requires a low-privileged domain user account (any domain user, no special permissions)
  • Attacker hosts an SMB share with a malicious DLL
  • Sends a crafted RPC call to RpcAddPrinterDriverEx on the target pointing to the malicious share
  • The Spooler on the target loads the DLL as SYSTEM
  • Achieves remote code execution on any Windows host running the Spooler service

Local (LPE) — CVE-2021-1675 / related variant:

  • Does not require a remote share — can load DLLs from the local filesystem
  • Requires local code execution (not domain access)
  • Elevates a local standard user to SYSTEM

The remote variant is most impactful in domain environments because:

  1. Any domain user can exploit any domain member running the Print Spooler
  2. Domain controllers run the Spooler by default — a standard user can become a Domain Admin
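The driver-installation path described above leaves a trail in the Windows PrintService logs, which is where a defender looks for it after the fact. The following PowerShell is an added example (not part of the original advisory and not Microsoft tooling): it triages Event 316 (Microsoft-Windows-PrintService/Operational, written on every driver add or update and listing the driver's files) and Event 808 (Microsoft-Windows-PrintService/Admin, written when the Spooler fails to load a plug-in module) against a file baseline. The baseline, the function name and the sample events are assumptions; the sample messages are constructed to approximate the real event text. Note that the Operational log is disabled by default, so Event 316 only exists where someone enabled it beforehand.

```powershell
# Added example, not part of the original advisory or any Microsoft tooling: triage
# Windows PrintService events for driver installations that do not match a baseline.
# Enable the Operational log first:  wevtutil sl Microsoft-Windows-PrintService/Operational /e:true

# Baseline of driver files expected in this environment (assumption: tune per site).
$KnownGoodFiles = @('UNIDRV.DLL', 'UNIDRVUI.DLL', 'UNIRES.DLL', 'STDDTYPE.GDL',
                    'STDNAMES.GPD', 'PSCRIPT5.DLL', 'PS5UI.DLL', 'NTPRINT.INF')

function Find-SuspiciousDriverEvent {
    param(
        # Objects with Id, TimeCreated and Message, as returned by Get-WinEvent.
        [Parameter(Mandatory)][object[]]$Events
    )
    foreach ($e in $Events) {
        switch ($e.Id) {
            316 {
                # Message ends "... Files:- a.dll, b.dll. No user action is required."
                $m = [regex]::Match($e.Message, 'Files:-\s*(.+?)\.?\s*(No user action|$)')
                if ($m.Success) {
                    $files   = $m.Groups[1].Value -split ',' | ForEach-Object { $_.Trim() }
                    $unknown = $files | Where-Object { $KnownGoodFiles -notcontains $_ }
                    # A UNC path in the event means the driver was pulled from a remote share.
                    $remote  = $e.Message -match '\\\\[^\\]+\\'
                    if ($unknown -or $remote) {
                        $reason = if ($remote) { 'driver files from UNC path' } else { 'file outside baseline' }
                        [pscustomobject]@{
                            TimeCreated = $e.TimeCreated; EventId = 316
                            Reason      = $reason
                            Detail      = ($unknown -join ', ')
                        }
                    }
                }
            }
            808 {
                # Any failed plug-in/driver load deserves a look; keep the path that failed.
                $path = if ($e.Message -match 'possible driver\s+(.+?),\s*error code') { $Matches[1] } else { $e.Message }
                [pscustomobject]@{
                    TimeCreated = $e.TimeCreated; EventId = 808
                    Reason      = 'Spooler failed to load a plug-in module'
                    Detail      = $path
                }
            }
        }
    }
}

# Constructed sample events approximating the real message formats (not real log data).
$msgOk  = 'Printer driver Generic / Text Only for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, UNIDRVUI.DLL, UNIRES.DLL. No user action is required.'
$msgBad = 'Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, nightmare.dll. No user action is required.'
$msg808 = 'The print spooler failed to load a plug-in module or possible driver C:\Windows\system32\spool\DRIVERS\x64\3\New\nightmare.dll, error code 0x45A. See the event user data for context information.'
$SampleEvents = @(
    [pscustomobject]@{ Id = 316; TimeCreated = [datetime]'2021-07-01T10:15:02'; Message = $msgOk  }
    [pscustomobject]@{ Id = 316; TimeCreated = [datetime]'2021-07-01T10:17:44'; Message = $msgBad }
    [pscustomobject]@{ Id = 808; TimeCreated = [datetime]'2021-07-01T10:17:45'; Message = $msg808 }
)

# Only the second and third sample events are reported; the first matches the baseline.
Find-SuspiciousDriverEvent -Events $SampleEvents | Format-Table -AutoSize

# Live use on a host (the Operational log must already be enabled):
# $live  = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316 } -ErrorAction SilentlyContinue)
# $live += @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Admin'; Id = 808 } -ErrorAction SilentlyContinue)
# Find-SuspiciousDriverEvent -Events $live
```

Two practical points when running this against real logs: kernelbase.dll is not a printer driver file, so its presence in a 316 file list is itself a strong signal even before a custom DLL is named, and Event 808 fires for benign reasons as well, so treat it as a lead that needs the 316 context rather than a verdict on its own.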

Attack Characteristics

Attribute                 Detail
Attack Vector             Network — RPC/SMB (port 445 or dynamic RPC port)
Privileges Required       Low — any domain user account
Code Execution Privilege  SYSTEM
Domain Controller Risk    Critical — any domain user → Domain Admin via DC compromise
Spooler Disabled          Fully mitigated — Print Spooler must be running

Discovery

The public disclosure was a chaotic, multi-party affair. Researchers at QiAnXin and separately at Sangfor (Chinese security firms) independently discovered a Print Spooler RCE vulnerability. When Microsoft's June 2021 Patch Tuesday included a fix for the related CVE-2021-1675 (a local privilege escalation), the Sangfor/QiAnXin researchers believed their finding had been addressed and published their PoC on GitHub on June 29, 2021. The PoC — which exploited a different, still-unpatched code path — was quickly recognized by the security community as a live zero-day. cube0x0 re-implemented the exploit using Impacket for remote exploitation, making it trivially accessible. Microsoft assigned CVE-2021-34527 and issued an emergency patch.

Exploitation Context

  • Domain takeover path: PrintNightmare became the fastest path from domain user to Domain Admin in 2021 — a single RPC call to any DC
  • Ransomware use: Confirmed; multiple ransomware operators incorporated PrintNightmare into their lateral movement and privilege escalation playbooks
  • Patch complications: The initial emergency patch (KB5004945, July 6) was found to still permit the LPE variant under certain Group Policy configurations, requiring a second patch the following day
  • Ongoing variants: The Print Spooler was found to contain multiple additional vulnerabilities in 2021 (CVE-2021-36958, CVE-2021-36947, and others), each enabling SYSTEM code execution — leading Microsoft to eventually recommend disabling the Spooler entirely on systems that don't need printing

Remediation

CISA BOD 22-01 Deadline: May 3, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Immediate Mitigation: Disable Print Spooler

On any system that does not need to print (domain controllers, servers, most workstations that print via a print server):

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

Domain Controllers: Print Spooler should never be running on domain controllers. Disabling it is the single most impactful step and eliminates the domain takeover path.

Recommended Actions

  1. Apply the July 2021 emergency patch (KB5004945 and the subsequent updated patch). Verify via Get-HotFix -Id KB5004945. Note that KB5004945 is the package for Windows 10 versions 2004/20H2/21H1; other Windows versions received the same July 2021 out-of-band fix under a different KB number, so check the number that applies to each build.

  2. Disable Print Spooler on all DCs and non-print servers using the PowerShell above or Group Policy (Computer Configuration\Windows Settings\Security Settings\System Services\Print Spooler).

  3. Restrict printer driver installation via Group Policy: Computer Configuration\Administrative Templates\Printers\Limits print driver installation to Administrators — set to Enabled. This blocks non-admin users from installing drivers even if the Spooler is running.

  4. Block inbound SMB (port 445) at the perimeter and between network segments where printing is not required, limiting the remote exploitation vector.

  5. Audit Print Spooler status across the environment, for example with Get-ADComputer -Filter * | ForEach-Object { Get-Service -ComputerName $_.DNSHostName -Name Spooler -ErrorAction SilentlyContinue } | Where-Object Status -eq Running to identify systems still running the service (Windows PowerShell 5.1; Get-Service lost its -ComputerName parameter in PowerShell 7, where Invoke-Command over WinRM is the equivalent).
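Steps 1 to 5 above are the checks an administrator wants answered per host in one pass: is the Spooler running, is the July 2021 fix present, is driver installation restricted to Administrators, and is the host a domain controller. The following PowerShell is an added example (not part of the original advisory and not Microsoft tooling) that runs those checks over every enabled computer in the domain and can disable the Spooler on domain controllers in the same run. It assumes the ActiveDirectory module on the admin host and WinRM access to each target; the function names are assumptions, and $PatchKb is the Windows 10 2004/20H2/21H1 package named above and must be changed for other builds. The registry values it reads are the ones behind the "Limits print driver installation to Administrators" policy (RestrictDriverInstallationToAdministrators) and the Point and Print settings Microsoft documented in KB5005010 as re-opening the local variant.

```powershell
# Added example, not part of the original advisory or any Microsoft tooling: audit every
# domain computer's PrintNightmare exposure and optionally disable the Spooler on DCs.
# Assumes the ActiveDirectory module here and WinRM to each target. $PatchKb is the
# Windows 10 2004/20H2/21H1 package from the advisory; adjust it for other builds.
$PatchKb = 'KB5004945'

# Runs on each target and returns one object describing its state.
$ExposureProbe = {
    param($Kb)
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $pp  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $v   = if (Test-Path $pp) { Get-ItemProperty -Path $pp } else { $null }
    $startType = if ($svc) { [string]$svc.StartType } else { 'Absent' }
    [pscustomobject]@{
        # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
        IsDomainController = ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4)
        SpoolerRunning     = ($null -ne $svc -and $svc.Status -eq 'Running')
        SpoolerStartType   = $startType
        PatchInstalled     = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
        # Value behind "Limits print driver installation to Administrators" (1 = restricted)
        RestrictToAdmins   = $v.RestrictDriverInstallationToAdministrators
        # Point and Print values that re-open the LPE path when set (KB5005010)
        NoWarningNoElev    = $v.NoWarningNoElevationOnInstall
        UpdatePrompt       = $v.UpdatePromptSettings
    }
}

function Get-ExposureVerdict {
    param([Parameter(Mandatory)]$p)
    if (-not $p.SpoolerRunning) { return 'Mitigated: Spooler not running' }
    $reasons = @()
    if ($p.IsDomainController)        { $reasons += 'Spooler running on a domain controller' }
    if (-not $p.PatchInstalled)       { $reasons += "$PatchKb not found" }
    if ($p.RestrictToAdmins -ne 1)    { $reasons += 'RestrictDriverInstallationToAdministrators is not 1' }
    if ($p.NoWarningNoElev -eq 1)     { $reasons += 'NoWarningNoElevationOnInstall=1 re-opens the LPE variant' }
    if ($p.UpdatePrompt -eq 2)        { $reasons += 'UpdatePromptSettings=2 re-opens the LPE variant' }
    if ($reasons.Count -eq 0) { 'Patched and hardened (Spooler still running)' }
    else                      { 'EXPOSED: ' + ($reasons -join '; ') }
}

function Invoke-PrintNightmareAudit {
    param([switch]$DisableSpoolerOnDCs)
    $targets = (Get-ADComputer -Filter 'Enabled -eq $true').DNSHostName
    # Unreachable hosts produce a non-terminating error and are skipped.
    $results = Invoke-Command -ComputerName $targets -ScriptBlock $ExposureProbe `
                              -ArgumentList $PatchKb -ErrorAction SilentlyContinue
    foreach ($r in $results) {
        $r | Add-Member -NotePropertyName Verdict -NotePropertyValue (Get-ExposureVerdict $r) -PassThru
        if ($DisableSpoolerOnDCs -and $r.IsDomainController -and $r.SpoolerRunning) {
            # Same two commands as the advisory's immediate mitigation, applied remotely.
            Invoke-Command -ComputerName $r.PSComputerName -ScriptBlock {
                Stop-Service -Name Spooler -Force
                Set-Service  -Name Spooler -StartupType Disabled
            }
        }
    }
}

# Audit only; add -DisableSpoolerOnDCs to also stop and disable the Spooler on every DC.
Invoke-PrintNightmareAudit |
    Sort-Object IsDomainController -Descending |
    Format-Table PSComputerName, IsDomainController, SpoolerRunning, PatchInstalled, RestrictToAdmins, Verdict -AutoSize
```

Read the RestrictToAdmins column with one caveat: from the August 2021 cumulative updates onward Windows requires administrator rights for driver installation even when the value is absent, so an empty column on a fully patched host is a policy-hygiene finding rather than proof of exposure, whereas NoWarningNoElevationOnInstall=1 or UpdatePromptSettings=2 is a real weakening on any build. The probe runs through Invoke-Command rather than Get-Service -ComputerName so the same script works from PowerShell 7, where that parameter no longer exists.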

Key Details

Property              Value
CVE ID                CVE-2021-34527
Vendor / Product      Microsoft — Windows
NVD Published         2021-07-02
NVD Last Modified     2025-12-18
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-284 — Improper Access Control
CISA KEV Added        2021-11-03
CISA KEV Deadline     2022-05-03
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Metric               Value
Attack Vector        Network
Attack Complexity    Low
Privileges Required  Low
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date        Event
2021-06-08  Microsoft patches CVE-2021-1675 (Print Spooler LPE) in June Patch Tuesday — believed to fix all Print Spooler issues
2021-06-29  Researchers from QiAnXin and Sangfor accidentally publish a full RCE PoC on GitHub, believing the CVE-2021-1675 patch covered it — the PoC demonstrates a separate, unpatched RCE vulnerability
2021-06-29  PoC goes viral; Microsoft confirms it is a new, unpatched vulnerability and assigns CVE-2021-34527
2021-07-01  CISA Emergency Directive ED 21-04 issued; Microsoft recommends disabling Print Spooler
2021-07-06  Microsoft releases emergency out-of-band patch (KB5004945); initial patch found incomplete — LPE variant still possible
2021-07-07  Microsoft releases updated patch addressing the LPE variant
2021-11-03  Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03  CISA BOD 22-01 remediation deadline