CVE-2016-3238
published 2016-07-13

CVE-2016-3238: The Print Spooler service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2…

Priority: P261 · high · 8.1 (CVSS 3.0)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 35.42% (98.2th percentile)
The Print Spooler service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows man-in-the-middle attackers to execute arbitrary code by providing a crafted print driver during printer installation, aka "Windows Print Spooler Remote Code Execution Vulnerability."

Affected

16 ranges
Vendor     Product                                       Version range  Fixed in
microsoft  windows_10
microsoft  windows_server_2008
microsoft  windows_server_2012
msrc       windows_10
msrc       windows_10_version_1511
msrc       windows_10_version_1607
msrc       windows_7
msrc       windows_8.1
msrc       windows_rt_8.1
msrc       windows_server_2008
msrc       windows_server_2008_r2
msrc       windows_server_2012
msrc       windows_server_2012_r2
msrc       windows_server_2016
msrc       windows_vista_service_pack_2
msrc       windows_vista_x64_edition_service_pack_2

Detection & IOCs (extracted from sources)

  • Detect exploitation attempts via man-in-the-middle attacks against the Windows Print Spooler service during printer installation from a remote server: look for unexpected or unsigned print driver installations originating from non-trusted print servers
  • Monitor the Windows Print Spooler service (spoolsv.exe) for installation of untrusted or unvalidated print drivers, particularly from remote/network sources
  • Alert on Point and Print driver installations from print servers not explicitly whitelisted via Point and Print Restrictions Group Policy; rogue print server setup is a key attack vector
  • The vulnerability affects a wide range of Windows OS versions; ensure detection and patching scope covers all listed platforms
  • Post-patch behavior changes: the update issues a warning to users attempting to install untrusted printer drivers, so detection logic should account for the fact that patched systems will surface a UI warning rather than silently installing drivers
  • Point and Print Restrictions policy can be used as a compensating control to limit printer installation to trusted servers; review KB2307161 and KB319939 for OS-specific configuration options

CVSS provenance

nvd          v3.0  8.1  HIGH      CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd          v2.0  9.3  CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc        8.8  HIGH