CVE Reference | High Severity | Active Threat
July 2, 2021 | 8 min read

CVE-2021-34527 Explained: PrintNightmare and RCE via Windows Print Spooler

A Windows Print Spooler vulnerability enabling authenticated attackers to execute code as SYSTEM remotely, and any local standard user to escalate to SYSTEM. Every Windows system was affected — including all domain controllers.

Sources: Microsoft Security Response Center | CISA Advisory AA21-229A | Sangfor Research Team | NIST NVD

Eric Bang, Founder & Cybersecurity Evangelist

CVSS score: 8.8
Privilege level achieved: SYSTEM
Windows versions affected: all
Zero-day exploitation began: June 29, 2021

CVE-2021-34527, nicknamed PrintNightmare, is a critical remote code execution and local privilege escalation vulnerability in the Windows Print Spooler service. It stems from how Print Spooler handles printer driver installation — the RpcAddPrinterDriverEx() function allows any authenticated user to load an arbitrary DLL with SYSTEM privileges by disguising it as a printer driver.

The vulnerability became a zero-day on June 29, 2021 when a Chinese security research team (Sangfor) accidentally published a proof-of-concept exploit on GitHub, believing Microsoft had already patched it. Microsoft had patched a related but different vulnerability (CVE-2021-1675). The PoC was deleted within an hour but had been forked dozens of times.

Microsoft released an emergency out-of-band patch on July 1, 2021 — two days after the PoC went public. Exploitation was already occurring in the wild by then.

How PrintNightmare Works

The Windows Print Spooler service (spoolsv.exe) runs as SYSTEM and manages print jobs and printer driver installation. The RpcAddPrinterDriverEx() function, exposed via RPC, allows administrators to install printer drivers remotely. Print Spooler does not adequately validate the driver package being installed.

Any authenticated user — including domain users with no special privileges — can call RpcAddPrinterDriverEx() with a path to a malicious DLL. The Print Spooler service loads this DLL as if it were a legitimate printer driver, executing it with SYSTEM privileges.

For RCE: attacker authenticates over SMB using any valid domain credentials, then calls RpcAddPrinterDriverEx() with a UNC path to a malicious DLL on an attacker-controlled SMB share. Print Spooler reaches out and loads the DLL as SYSTEM. For LPE: attacker with local access simply points the driver path to a local malicious DLL and escalates from standard user to SYSTEM instantly.

Step 1: Obtain any valid credentials

For RCE: any domain user credentials suffice. For LPE: the attacker already has a local shell as a standard user. No administrator privileges are required in either case.

Step 2: Stage the malicious DLL

The attacker creates a malicious DLL containing shellcode or a reverse shell. For RCE, the DLL is hosted on an attacker-controlled SMB share accessible from the target network.

Step 3: Call RpcAddPrinterDriverEx()

The attacker calls the Print Spooler RPC interface to 'install a driver,' providing the path to the malicious DLL as the driver package location.

Step 4: SYSTEM executes the malicious DLL

The Print Spooler service (running as SYSTEM) loads and executes the malicious DLL — the attacker achieves the highest privilege level on the target system.

Patch and Mitigation Guidance

The definitive fix is applying Microsoft's July 2021 cumulative updates. Even after patching, these hardening steps permanently reduce the Print Spooler attack surface and should be applied across all environments.

Apply July 2021 cumulative updates

Install KB5004945 (Windows 10) or the equivalent cumulative update for your Windows version. This patches the RpcAddPrinterDriverEx() flaw specifically.

Disable Print Spooler on all domain controllers

Domain controllers never need Print Spooler. Disable it on every DC (Stop-Service -Name Spooler; Set-Service -Name Spooler -StartupType Disabled); this eliminates the most catastrophic exploitation path.

Disable Print Spooler on all non-printing servers

Any server that does not directly serve printing should have Print Spooler disabled. This includes all application servers, database servers, and management systems.

Enable Point and Print Restrictions via GPO

Configure GPO: Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions. Set to 'Show warning and elevation prompt' to prevent silent driver installation.
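The four hardening steps above, gathered into one audit-and-remediate script, as an added example that is not from the original article or from Microsoft. It assumes it runs elevated on the host being checked; the -DisableSpooler switch is a hypothetical name, and the registry values it inspects are the ones Microsoft's CVE-2021-34527 guidance lists as backing the Point and Print Restrictions policy.

```powershell
# Added example (not from the article): audit the PrintNightmare hardening
# steps on the local host and remediate where the article says to.
param(
    # Hypothetical switch: also disable the Spooler on non-DC servers that
    # never print. Domain controllers are always remediated (per the article).
    [switch]$DisableSpooler
)

$findings = @()

# 1. Domain controller? Win32_OperatingSystem.ProductType: 1=workstation, 2=DC, 3=server
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$isDC = ($os.ProductType -eq 2)

# 2. Print Spooler service state (StartType needs PowerShell 5.0 or later)
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler -and ($spooler.Status -eq 'Running' -or $spooler.StartType -ne 'Disabled')) {
    $findings += "Spooler is $($spooler.Status), start type $($spooler.StartType)"
    if ($isDC -or $DisableSpooler) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        $findings += 'Spooler stopped and set to Disabled'
    }
}

# 3. Registry values behind the Point and Print Restrictions GPO. Microsoft's
#    guidance for CVE-2021-34527: each must be 0 or not present at all.
$pp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $value = (Get-ItemProperty -Path $pp -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $value -and $value -ne 0) {
        $findings += "$name = $value (must be 0 or absent: silent driver install allowed)"
    }
}

# 4. July 2021 cumulative update. KB5004945 is the Windows 10 KB the article
#    names; other Windows versions carry a different KB number.
if (-not (Get-HotFix -Id 'KB5004945' -ErrorAction SilentlyContinue)) {
    $findings += 'KB5004945 not found (verify the equivalent KB for this build)'
}

if ($findings.Count -eq 0) {
    "OK: $env:COMPUTERNAME (DC: $isDC) matches the hardening baseline"
} else {
    $findings | ForEach-Object { "FINDING on $($env:COMPUTERNAME): $_" }
}
```

Get-HotFix only sees updates still listed as installed, so a host that has since taken a later cumulative update will report KB5004945 as missing even though it is superseded; confirm the OS build instead in that case.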

The bottom line

PrintNightmare proved that a single ubiquitous Windows service running with maximum privileges can become a domain-wide compromise vector overnight. If Print Spooler is disabled on your domain controllers and patched on everything else, you are protected. If not, you have a SYSTEM-level RCE waiting to be used against your most critical infrastructure. Disabling Print Spooler on domain controllers should be a non-negotiable baseline.
