CVE-2021-1675 Overview
CVE-2021-1675, commonly known as "PrintNightmare," is a critical Windows Print Spooler Remote Code Execution vulnerability that affects virtually all versions of Microsoft Windows. This vulnerability allows attackers to execute arbitrary code with SYSTEM-level privileges by exploiting flaws in the Windows Print Spooler service, which handles print job management and printer driver installation across Windows systems.
The vulnerability is particularly dangerous because the Print Spooler service runs by default on most Windows systems, including domain controllers, making it an attractive target for attackers seeking to gain elevated privileges or move laterally within enterprise environments.
Critical Impact
This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog and has been actively exploited in the wild. Successful exploitation grants attackers SYSTEM-level access, enabling complete compromise of affected systems including domain controllers.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 1909, 2004, 20H2, 21H1)
- Microsoft Windows 7 SP1
- Microsoft Windows 8.1 and Windows RT 8.1
- Microsoft Windows Server 2008 SP2 and R2 SP1
- Microsoft Windows Server 2012 and R2
- Microsoft Windows Server 2016
- Microsoft Windows Server 2019
- Microsoft Windows Server, version 2004
Discovery Timeline
- June 8, 2021 - CVE-2021-1675 published to NVD
- October 30, 2025 - Last updated in NVD database
Technical Details for CVE-2021-1675
Vulnerability Analysis
The Windows Print Spooler Remote Code Execution vulnerability exists due to improper privilege handling within the Print Spooler service (spoolsv.exe). The vulnerability allows authenticated users to install malicious printer drivers, which are then executed with SYSTEM privileges. This creates a direct path from low-privileged user access to complete system compromise.
The Print Spooler service is responsible for managing print jobs and handling the installation of printer drivers. In vulnerable configurations, the service fails to properly validate driver installations and does not adequately restrict which users can add new printer drivers to the system. This architectural flaw means that any authenticated domain user can potentially exploit this vulnerability to gain SYSTEM-level access on any machine running the vulnerable Print Spooler service.
Root Cause
The root cause of CVE-2021-1675 lies in the RpcAddPrinterDriverEx() function within the Print Spooler service. This function allows users to install printer drivers remotely without proper access control validation. The vulnerable code path fails to:
- Properly validate the source of printer driver files
- Enforce appropriate privilege restrictions on driver installation
- Verify the authenticity and integrity of driver DLLs being loaded
When a malicious DLL is placed in a location accessible to the target system and the RpcAddPrinterDriverEx() function is called with appropriate parameters, the Print Spooler service loads and executes the attacker-controlled DLL with SYSTEM privileges.
Attack Vector
The attack leverages the Windows print system's architecture, which was designed to allow flexible driver installation for print management convenience. An attacker with valid domain credentials can exploit this vulnerability through the following mechanism:
- The attacker hosts a malicious DLL file on an SMB share accessible to the target system
- Using the RpcAddPrinterDriverEx() RPC call, the attacker instructs the target's Print Spooler to load the malicious DLL as a printer driver
- The Print Spooler service, running as SYSTEM, loads and executes the malicious DLL
- The attacker gains SYSTEM-level code execution on the target machine
This attack is particularly effective against domain controllers, as compromising a DC allows attackers to access domain credentials and establish persistent access across the entire Active Directory environment. Multiple proof-of-concept exploits are publicly available, including those documented on Packet Storm Security.
Detection Methods for CVE-2021-1675
Indicators of Compromise
- Suspicious DLL files appearing in the C:\Windows\System32\spool\drivers\ directory
- Unusual outbound SMB connections (port 445) from servers, particularly domain controllers
- New or modified printer drivers installed through non-standard administrative processes
- Spoolsv.exe spawning unexpected child processes such as cmd.exe, powershell.exe, or other shells
Detection Strategies
- Monitor Windows Event Logs for Event ID 316 (Print Spooler driver installation) with non-administrative source users
- Implement behavioral detection rules for spoolsv.exe process anomalies including unusual child processes
- Deploy network detection for RPC calls to the Print Spooler service from unexpected sources
- Use EDR solutions to track DLL loading events within the Print Spooler process
Monitoring Recommendations
- Enable enhanced Print Spooler logging by configuring Group Policy for detailed operational logs
- Monitor SMB traffic patterns for connections to suspicious external shares from internal servers
- Implement file integrity monitoring on the %WINDIR%\System32\spool\drivers\ directory
- Configure alerts for any printer driver installation events on critical servers and domain controllers
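The following PowerShell is an added example, not part of the original page, that turns the indicators and detection strategies above into two host-side hunting functions: one lists Event ID 316 driver installations whose initiating account is not a local administrator, the other lists processes whose parent is spoolsv.exe and flags the shells named in the indicators. It assumes an elevated session on Windows 10 / Server 2016 or later, that the PrintService/Operational log is enabled, and that process-creation auditing (Security Event ID 4688) is on; the function names and the day-window parameters are choices made here, not from the page.

```powershell
# Added example (not from the original page): hunt for the two PrintNightmare
# indicators described above on a single host. Run in an elevated session.
# The PrintService/Operational log is off by default; enable it first with:
#   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true

# 1. Printer driver installs (Event ID 316) by accounts outside the local
#    Administrators group. Coarse check: a user who is an admin only through a
#    nested domain group will still be listed and needs a manual look.
function Get-NonAdminDriverInstall {
    param([int]$Days = 30)

    $adminSids = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.SID.Value }

    $filter = @{
        LogName   = 'Microsoft-Windows-PrintService/Operational'
        Id        = 316
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: Get-WinEvent throws when the log has no matching events
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.UserId -and ($adminSids -notcontains $_.UserId.Value) } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                UserSid = $_.UserId.Value
                Driver  = ($_.Message -split "`n")[0]   # first line names the driver
            }
        }
}

# 2. Child processes of spoolsv.exe from Security Event ID 4688. Requires
#    "Audit Process Creation"; include command line auditing to populate CmdLine.
function Get-SpoolerChildProcess {
    param([int]$Days = 7)

    # Shells named in the page's indicators, plus rundll32 (common DLL loader)
    $shells = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'rundll32.exe')
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read EventData by field name from the event XML; positional indexes
        # differ between Windows versions, names do not.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

        if ($data['ParentProcessName'] -like '*\spoolsv.exe') {
            $leaf = Split-Path -Path $data['NewProcessName'] -Leaf
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Child   = $data['NewProcessName']
                User    = $data['SubjectUserName']
                IsShell = $shells -contains $leaf
                CmdLine = $data['CommandLine']
            }
        }
    }
}

# Usage: review every non-admin driver install, then any shell spawned by the spooler
Get-NonAdminDriverInstall | Format-Table -AutoSize
Get-SpoolerChildProcess | Where-Object IsShell | Format-Table -AutoSize
```

Every hit from the second function deserves triage: a healthy Print Spooler has little reason to start cmd.exe or powershell.exe, so even a single row is a strong signal, whereas the first function will also surface legitimate help-desk installs and is best fed into a baseline of expected driver names and accounts.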
How to Mitigate CVE-2021-1675
Immediate Actions Required
- Apply the latest Microsoft security patches from the Microsoft Security Advisory
- Disable the Print Spooler service on servers that do not require printing functionality, especially domain controllers
- Restrict Point and Print to approved servers only via Group Policy
- Verify that the RestrictDriverInstallationToAdministrators registry value is set to 1
Patch Information
Microsoft has released security updates to address CVE-2021-1675. Organizations should apply the latest cumulative updates for their specific Windows versions. The patches address the improper privilege validation in the RpcAddPrinterDriverEx() function and implement proper access control checks for printer driver installation.
For detailed patch information and download links, refer to the Microsoft Security Advisory for CVE-2021-1675. Additional technical details are available from the CERT Vulnerability Report.
Workarounds
- Disable the Print Spooler service entirely on systems that do not require print functionality
- Block inbound connections to the Print Spooler service using Windows Firewall rules
- Implement network segmentation to limit SMB traffic from workstations to servers
- Configure Point and Print restrictions via Group Policy to require administrator approval
# Disable Print Spooler service on systems that don't require printing
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
# Restrict driver installation to administrators only (requires KB5005010 or later)
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
New-Item -Path $regPath -Force | Out-Null
Set-ItemProperty -Path $regPath -Name "RestrictDriverInstallationToAdministrators" -Value 1 -Type DWord
# Verify the setting
Get-ItemProperty -Path $regPath -Name "RestrictDriverInstallationToAdministrators"
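As an added, read-only counterpart to the remediation snippet above (not code from the original page), the following function audits whether a host has the listed mitigations in place: Spooler state, the RestrictDriverInstallationToAdministrators value, and an inbound firewall block on spoolsv.exe. It also reads the two other well-known Point and Print policy values, NoWarningNoElevationOnInstall and UpdatePromptSettings, which are not named on the page but live in the same key and, when set to 1, let non-administrators install drivers without a prompt. The function name, the domain-controller check via Win32_ComputerSystem.DomainRole, and the wording of the findings are assumptions made here.

```powershell
# Added example (not from the original page): report a host's PrintNightmare
# mitigation posture without changing anything. Run in an elevated session.
function Test-PrintNightmareMitigation {
    $pp  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Read one DWORD policy value; $null when the key or value does not exist
    function Get-PolicyValue([string]$Name) {
        try { (Get-ItemProperty -Path $pp -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }

    $restrict = Get-PolicyValue 'RestrictDriverInstallationToAdministrators'
    # Not on the page: the two Point and Print values that weaken the prompt when set to 1
    $noWarn   = Get-PolicyValue 'NoWarningNoElevationOnInstall'
    $noPrompt = Get-PolicyValue 'UpdatePromptSettings'

    # DomainRole 4 = backup DC, 5 = primary DC (Win32_ComputerSystem)
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

    # Any enabled inbound block rule whose program filter points at spoolsv.exe
    $fwBlock = @(
        Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
            Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
            Where-Object { $_.Program -like '*\spoolsv.exe' }
    ).Count -gt 0

    $findings = @()
    if ($svc -and $svc.StartType -ne 'Disabled') {
        if ($isDc) { $findings += 'Spooler is enabled on a domain controller' }
        if ($restrict -ne 1) { $findings += 'RestrictDriverInstallationToAdministrators is not 1' }
        if ($noWarn -eq 1)   { $findings += 'NoWarningNoElevationOnInstall is 1 (Point and Print weakened)' }
        if ($noPrompt -eq 1) { $findings += 'UpdatePromptSettings is 1 (Point and Print weakened)' }
        if (-not $fwBlock)   { $findings += 'No inbound firewall block rule for spoolsv.exe' }
    }

    [pscustomobject]@{
        ComputerName                 = $env:COMPUTERNAME
        IsDomainController           = $isDc
        SpoolerStatus                = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartType             = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
        RestrictDriverInstallToAdmin = $restrict
        NoWarningNoElevationOnInstall= $noWarn
        UpdatePromptSettings         = $noPrompt
        InboundSpoolerBlocked        = $fwBlock
        Findings                     = $findings
    }
}

# Usage: an empty Findings list means the host matches the mitigations above
Test-PrintNightmareMitigation | Format-List
```

A disabled Spooler satisfies every check at once, which is why the findings are only evaluated when the service can start; on print servers that must keep the service running, the remaining findings are the ones to close before relying on the patch alone.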
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.