Windows 'PrintNightmare' vulnerability being actively exploited, according to Microsoft [Updated]

Surface Laptop 3 13.5 (Image credit: Daniel Rubino/Windows Central)

What you need to know

  • A vulnerability dubbed "PrintNightmare" allows attackers to "install programs; view, change, or delete data; or create new accounts with full user rights," according to Microsoft.
  • Researchers appear to have accidentally shared the vulnerability publicly.
  • Attackers can utilize the vulnerability to target the Windows Print Spooler service.

Update July 7, 2021 at 6:15 pm ET: As of July 7, the PrintNightmare issue has not been fixed, and Microsoft's latest patch has proved ineffective. Our full update on the situation can be found in our most recent article discussing the PrintNightmare vulnerability.

The Windows Print Spooler service has an unpatched critical flaw that's been dubbed "PrintNightmare." Microsoft warns people about the vulnerability and breaks down how it works in a recent post:

"A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations," says the company. "An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

According to Microsoft, the vulnerability is being actively exploited.

The vulnerability appears to have been accidentally published in the form of a proof-of-concept exploit. Sangfor researchers published the proof-of-concept but have since deleted it. Unfortunately, the code was forked on GitHub before it was removed.

As explained by The Verge, the researchers at Sangfor appeared to have thought the vulnerability had been patched by Microsoft. The company had patched issues related to Windows Print Spooler, but they were not for this specific issue.

Microsoft lists two options as workarounds for the issue:

  1. Disable the Print Spooler service
  2. Disable inbound remote printing through Group Policy
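
To check whether either workaround is in place on a given machine, the following PowerShell can be run from an elevated prompt. It is an added example, not code from Microsoft or from this article; the function names are hypothetical, and it assumes the registry value `RegisterSpoolerRemoteRpcEndPoint`, which backs the "Allow Print Spooler to accept client connections" Group Policy setting (2 = disabled).

```powershell
# Added example: audit (and optionally apply) the two workarounds on the local host.
# Assumption: the registry value below backs the Group Policy setting
# "Allow Print Spooler to accept client connections"
# (1 = enabled, 2 = disabled, absent = not configured).
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerWorkaroundState {
    $svc    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName `
                   -ErrorAction SilentlyContinue).$PolicyName

    # Workaround 1 counts only if the service is stopped AND cannot auto-start again.
    $serviceOff = (-not $svc) -or
                  ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
    # Workaround 2 counts only if the policy is explicitly set to disabled.
    $remoteOff  = ($policy -eq 2)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SpoolerStatus      = if ($svc) { $svc.Status } else { 'NotInstalled' }
        SpoolerStartType   = if ($svc) { $svc.StartType } else { 'n/a' }
        RemotePolicyValue  = if ($null -eq $policy) { 'NotConfigured' } else { $policy }
        SpoolerDisabled    = $serviceOff
        InboundRemoteOff   = $remoteOff
        WorkaroundInPlace  = $serviceOff -or $remoteOff
    }
}

function Disable-SpoolerService {
    # Workaround 1: no local or remote printing from this host afterwards.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

function Disable-InboundRemotePrinting {
    # Workaround 2, written as the local policy value; a domain GPO can override it.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord
    Restart-Service -Name Spooler -Force   # the setting is read when the service starts
}

Get-SpoolerWorkaroundState | Format-List
```

A stopped service whose startup type is still Automatic or Manual is reported as not mitigated, since it can start again on reboot or on demand.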

While publicly known as PrintNightmare, Microsoft has assigned the name CVE-2021-34527 to the vulnerability.

Microsoft is still investigating the severity of this vulnerability. The company is also investigating if all versions of Windows are exploitable.

"The code that contains the vulnerability is in all versions of Windows," says Microsoft. "We are still investigating whether all versions are exploitable. We will update this CVE when that information is evident."

We have a complete guide on how to mitigate the Print Spooler PrintNightmare vulnerability on Windows 10 if you need to deal with the issue.

Sean Endicott
News Writer and apps editor

Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at sean.endicott@futurenet.com.

1 Comment
  • Microsoft has recently updated their CVE-2021-34527 page, which mentions new out-of-band security updates released Tuesday July 6 for several different versions of Windows. "UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system."