IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Instructions on how to exploit Windows Print Spooler accidentally leaked after research blunder

Security firm releases a PoC exploit for a bug it thought Microsoft had already patched

Cyber criminals are abusing a severe Windows vulnerability just days after a security company inadvertently published a proof-of-concept (PoC) exploitation for this previously undisclosed flaw.

The vulnerability, nicknamed PrintNightmare, concerns the Print Spooler component in all Windows devices. It’s being tracked as CVE-2021-34527, and lets attackers install programmes, view, change or delete data, or create new accounts with full privileges on targeted devices.

Microsoft had initially fixed a flaw in the Print Spooler component on 8 June as part of its Patch Tuesday round of updates. At the time this was deemed a privilege escalation flaw and was tracked as CVE-2021-1675.

The firm then upgraded the severity of the bug from just privilege escalation to remote code execution on 21 June.

At the same time, researchers with the security firm Sangfor had been conducting their own research into Print Spooler vulnerabilities, which they were preparing to discuss at the forthcoming Black Hat cyber security conference in August.

Seeing that Microsoft had upgraded the bug's severity, the researchers assumed that it was the same flaw they had been working with and decided to publish the proof of concept for the exploit ahead of the conference, safe in the knowledge that it had been patched.

This remote code execution exploit, however, was for an entirely different Print Spooler weakness that hadn’t been previously disclosed by Microsoft, and used a different attack vector.

Once this was established, the researchers quickly took down their work, but not before the exploit code was downloaded and republished elsewhere.

Microsoft has since warned businesses that hackers have seized upon this blunder and are targeting businesses with the flaw now known as CVE-2021-34527. Since it’s an evolving situation, Microsoft hasn’t yet attached a threat severity score to the bug.

“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” Microsoft wrote in a security advisory.

“An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges."

Until a patch becomes available, Microsoft has recommended that businesses either disable the Print Spooler service or disable inbound remote printing through their group policy.

The first mitigation would disable the ability to print locally or remotely, while the second workaround blocks the remote attack vector by preventing inbound remote printing operations. Local printing, however, will still be possible.

Featured Resources

Defending against malware attacks starts here

The ultimate guide to building your malware defence strategy

Free Download

Datto SMB cyber security for MSPs report

A world of opportunity for MSPs

Free Download

The essential guide to preventing ransomware attacks

Vital tips and guidelines to protect your business using ZTNA and SSE

Free Download

Medium businesses: Fuelling the UK’s economic engine

A Connected Thinking report

Free Download

Most Popular

Getting the best value from your remote support software
Advertisement Feature

Getting the best value from your remote support software

13 Mar 2023
What the UK can learn from the rest of the world when it comes to the shift to IP

What the UK can learn from the rest of the world when it comes to the shift to IP

20 Mar 2023
Why the floppy disk may never die
Server & storage

Why the floppy disk may never die

27 Mar 2023