⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions. Due date: 2022-05-03.

CVE-2021-34527 (PrintNightmare): Improper Privilege Management in Microsoft Windows Print Spooler

Severity: 8.8 HIGH (NVD)
EPSS: 94.2% (top 0.08%)
CISA KEV: KEV, Ransomware
Added: 2021-11-03
Due: 2022-05-03
Exploit: Exploited in wild (active exploitation observed)
Timeline
Published: Jul 2
KEV added: Nov 3
KEV due: May 3
Latest update: Dec 6

Description

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. UPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please se

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (26 packages)

CVEListV5 | microsoft/windows_server_2012 | 6.2.0 | 6.2.9200.23383
CVEListV5 | microsoft/windows_server_2016 | 10.0.0 | 10.0.14393.4470
CVEListV5 | microsoft/windows_server_2012_r2 | 6.3.0 | 6.3.9600.20046
CVEListV5 | microsoft/windows_server_version_20h2 | 10.0.0 | 10.0.19042.1083
CVEListV5 | microsoft/windows_server_2008_service_pack_2 | 6.0.0 | 6.0.6003.21138

Patches

🔴 Vulnerability Details (3)

GHSA
GHSA-75f9-mm5v-2rgm: Windows Print Spooler Remote Code Execution Vulnerability (2022-05-24)
CVEList
Windows Print Spooler Remote Code Execution Vulnerability (2021-07-02)
VulnCheck
Microsoft Windows Print Spooler Remote Code Execution Vulnerability (2021)

🔍 Detection Rules (2)

Elastic
Potential PrintNightmare File Modification
Elastic
Potential PrintNightmare Exploit Registry Modification

📋 Vendor Advisories (2)

CISA
Microsoft Windows Print Spooler Remote Code Execution Vulnerability (2021-11-03)
Microsoft
Windows Print Spooler Remote Code Execution Vulnerability (2021-07-13)

🕵️ Threat Intelligence (19)

Unit42
Vice Society: Profiling a Persistent Threat to the Education Sector (2022-12-06)
Talos
Vice Society leverages PrintNightmare in ransomware attacks (2021-08-12)
Unit42
Threat Brief: Windows Print Spooler RCE Vulnerability (CVE-2021-34527 AKA PrintNightmare) (2021-07-14)

📄 Research Papers (2)

CTF
CVE-XXXX-XXXX / README (2022)
CTF
100-CVE-XXXX-XXXX / README (2022)