Windows 10 PrintNightmare isn't over after all, and ransomware attackers are taking note

Surface Pro X (Image credit: Daniel Rubino/Windows Central)

What you need to know

  • Another Windows 10 PrintNightmare vulnerability has been discovered.
  • The vulnerability can be exploited despite Microsoft's patches and changes to the printer driver installation process.
  • Ransomware attackers are using PrintNightmare vulnerabilities to target Windows servers.

Another zero-day Windows print spooler vulnerability has been discovered (via Bleeping Computer). This is yet another bug that falls under the class known as PrintNightmare. Like other vulnerabilities in its class, attackers can exploit this vulnerability to run code with SYSTEM privileges.

Microsoft released patches that address PrintNightmare vulnerabilities in July and August 2021. The company also changed the process for installing new printer drivers to require admin privileges. Despite these changes, researchers have found ways to attack PCs utilizing a Print Spooler vulnerability.

Microsoft explains the issue, which is labeled CVE-2021-36958:

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The workaround for this vulnerability is stopping and disabling the Print Spooler service.

Despite the fact that users now need admin privileges to install printer drivers, admin privileges are not required to connect to a printer if a driver is already installed. Additionally, drivers on clients don't need to be installed, so the vulnerability is left open to attack in cases when someone connects to a remote printer.
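The workaround Microsoft gives above (stopping and disabling the Print Spooler service) can be checked and applied from an elevated PowerShell prompt. The script below is an added example, not code from Microsoft or from this article; the `-Apply` switch and the refusal to touch hosts that share printers are assumptions of this example.

```powershell
# Added example: report on, and optionally apply, the Print Spooler
# workaround for CVE-2021-36958. Run from an elevated prompt.
param(
    [switch]$Apply   # hypothetical switch of this script; without it, report only
)

$svc = Get-Service -Name Spooler -ErrorAction Stop

# Shared queues mean this machine acts as a print server. Disabling the
# spooler there stops printing for every client that depends on it.
# Get-Printer needs a running spooler, so only query it in that case.
$shared = @()
if ($svc.Status -eq 'Running') {
    $shared = @(Get-Printer -ErrorAction SilentlyContinue |
                Where-Object { $_.Shared })
}

# Current state, one object per host so the output can be collected centrally.
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    SpoolerStatus     = $svc.Status
    StartType         = $svc.StartType
    SharedPrinters    = $shared.Count
    WorkaroundApplied = ($svc.Status -eq 'Stopped' -and
                         $svc.StartType -eq 'Disabled')
}

if ($Apply) {
    if ($shared.Count -gt 0) {
        # Assumption of this example: leave print servers for a manual decision.
        Write-Warning "$($shared.Count) shared printer(s) found; service left unchanged."
        return
    }
    # The workaround itself: stop the service, then keep it from starting again.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Get-Service  -Name Spooler | Select-Object Name, Status, StartType
}
```

With the service disabled the machine can no longer print locally or remotely; `Set-Service -Name Spooler -StartupType Automatic` followed by `Start-Service -Name Spooler` reverses the change once a fix is installed.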

Bleeping Computer also reports that PrintNightmare exploits are being used by ransomware attackers. A ransomware group called Magniber has been discovered attempting to exploit PrintNightmare vulnerabilities, according to a report from CrowdStrike.

CrowdStrike's director of threat research and reporting warns that this could be only the start of attackers exploiting these vulnerabilities: "CrowdStrike estimates that the PrintNightmare vulnerability coupled with the deployment of ransomware will likely continue to be exploited by other threat actors."

Sean Endicott
News Writer and apps editor

Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage.

  • The "best" part, yet again, is the workaround: don't do a basic task that is essential for millions of PCs and servers. Classic MS.
  • Hopefully this should lead to a complete overhaul of the print spool. I don't think it's ever been updated for aeons.
  • TechFreak1, this was my thought too. While it's a terrible shame this is happening, part of me is glad with the hope that MS will redo the decades-old print spooler. Hopefully that doesn't break most legacy print drivers, because I bet a lot of those will never be updated again and, right or wrong, we do still expect printers (and monitors) to be supported forever.
  • @GraniteStateColin They can still have a compatibility layer for old printers. The problem we have is that print spool is embedded within core system files when it never needed to be lol. It really should have been overhauled during longhorn / vista imo.
  • Rewrite the whole OS. Get rid of the massive bloat and windows 95 code still inhabiting the OS.
  • @Ikeland Well, that was supposed to be 10X / Windows Core OS....
  • A work around is a work around, you don't have to like it. This issue is obviously being worked on even if it's persistent. I don't get the judgment of "classic MS."
  • workaround: a method for overcoming a problem or limitation in a program or system. Maybe you don't know what "workaround" means. By your and MS's definition, turning off the computer is a viable workaround, too, correct? And this is one of many times over the years that I've been managing systems that MS has said the same thing for a problem. Heck, it's the 2nd time for print spooler vulnerabilities in less than a month!
  • Yes, that definition still fits. The workaround is to prevent the problem of the exploit from being used, which disabling the print spooler would accomplish. It's a workaround - not THE solution - the solution is them actually fixing it so people don't have to do that, especially if they need to print. I'm not saying people should be happy with not being able to print. If you said the problem is that you need to print, then yes, disabling the print spooler would not be helpful.
  • Haha, good try, I still don't think you understand. What you described is "mitigation". Would you like me to post the definition for it, too? A workaround allows for the continuance of functionality which is clearly not the case. And please don't split hairs and say if it's not a print server, then it is a workaround.
  • Tomorrow they will release a workaround that says turn off your computer. No need to worry about vulnerabilities then. Mac and other OS are not facing this issue, so it's Microsoft's job to fix it rather than giving stupid workarounds which stop normal day to day tasks.
  • Dude didn't you JUST say yesterday that it was fixed for good???
  • I wondered at the time if they would come to regret that statement. A little surprised it only took 1 day. :-)
  • Well, it certainly seemed like it. That article is updated now and we'll follow the saga.
  • For a few days now the trusty old Canon printer in my basement that I use for wireless scanning from time to time has bricked. When I return to my laptop upstairs the scanning app always shows an error that says restart computer. I am wondering if this is due to some Windows 10 PrintNightmare patch? I have read online that this has caused systems to brick?
  • The mitigations or workarounds do not change the firmware of the printers themselves. There is one odd behaviour I have noticed: the Canon print and scan software mysteriously gets uninstalled by the O/S. This has happened on my desktop PCs and every laptop I've installed the software on (as I needed to install the drivers - but over time the driver cache has been updated so I no longer need to use the Canon software to install the drivers). Are you getting the B200 Error? I was using a Canon Pixma MG5350 myself and that's what I've been getting. You can bypass most errors by forcing the printer to do a self test on start up by opening up the cover to the ink tray after you turn the printer on. Press the on button and lift up the ink tray cover, it should run a self diagnostic and boot. That's worked up to this point but now I can no longer print (I can still scan - using NAPS2) so I'm going to try and clean the print head and see how that goes. Anywho, once I've repaired the MG5350 I'm giving it away for free as I've bought a TS9550 printer as I need the ADF and A3 prints for process maps.
  • "CrowdStrike estimates that the PrintNightmare vulnerability coupled with the deployment of ransomware will likely continue to be exploited by other threat actors." Threat Actors? What is this? Politically correct crap? These are CRIMINALS. Like "undocumented aliens" are really ILLEGAL aliens. Stop sugar coating this stuff. If I go into a bank and demand money by pointing a gun at people, did I just make an "undocumented withdrawal"? These "actors" need to be tracked down and given a nice Bin Laden cocktail. Four shots and a splash of water. Not given a Bad Review for their "performance".