IRONSMITHINTEL
CRITICAL | CVSS 8.8 | Actively Exploited
CVE-2021-34527 | Auth: low (domain user for remote, none for local) | Reboot: required | Est. 30–60 minutes including reboot | Manual only

Print Spooler Service Allows Unauthenticated RCE and Local Privilege Escalation

The Windows Print Spooler service, running on virtually every Windows Server, can be exploited to install malicious drivers with SYSTEM privileges — remotely from the network or locally from any user account.

Published May 7, 2026 · Updated May 10, 2026
Why patch: Risk explained in plain English
Worst-case scenario: If unpatched

A remote attacker with any domain user credentials can connect to the Print Spooler RPC endpoint and install a malicious DLL as a printer driver, achieving SYSTEM-level code execution. On Domain Controllers this means full domain compromise. Local exploitation requires no credentials at all — any local user or service account can escalate to SYSTEM.

How the attack works: No clicks needed

The Windows Print Spooler service handles print jobs and printer driver installation. A flaw in the AddPrinterDriverEx() RPC function allows authenticated domain users to install printer drivers with SYSTEM privileges. The service runs as SYSTEM on all Windows versions by default. On Domain Controllers, the Print Spooler is frequently running, making it an especially dangerous attack surface.

Phishing link → Malicious file → Server compromised

Am I affected? Quick check

Probably yes if any of these apply:

Domain Controllers
All Windows Servers with Print Spooler running
Print servers
Running any Windows Server version before the July 2021 patch

Affected OS versions

Windows Server 2016, Windows Server 2019, Windows Server 2022
Fixed in: KB5004945 (2019), KB5004946 (2016)

Real-world incidents: What we've seen

A proof-of-concept was accidentally published to GitHub before Microsoft issued a patch, leading to immediate widespread exploitation. Ransomware operators used PrintNightmare as a privilege escalation path from standard domain user accounts to Domain Admin within minutes. Many organisations disabled the Print Spooler on Domain Controllers as an emergency measure before the patch was available.

How to patch

Manual remediation steps

30–60 minutes including reboot

Step 1 — Check Print Spooler Status

Get-Service -Name Spooler | Select-Object Name, Status, StartType

Step 2 — Apply Security Update

1. Install the July 2021 cumulative update (KB5004945 for Server 2019, KB5004946 for Server 2016)
2. Reboot the server

Step 3 — Disable Print Spooler on Servers That Don't Print

# If this server is not a print server, disable the service permanently
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

# Verify
Get-Service -Name Spooler | Select-Object Name, Status, StartType

Step 4 — If Print Spooler Must Stay Running

# Restrict driver installation via Group Policy or registry
$key = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
# Create the policy key first if it is missing; Set-ItemProperty fails on a non-existent key
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord -Force
Set-ItemProperty -Path $key -Name UpdatePromptSettings -Value 0 -Type DWord -Force

Verification

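# Confirm patch is installed (only the KB matching this server's OS version can be listed;
# -ErrorAction suppresses the error for the other one, so no output means neither was found)
Get-HotFix -Id KB5004945, KB5004946 -ErrorAction SilentlyContinue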
# If Print Spooler was disabled:
Get-Service -Name Spooler
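
A read-only audit that combines Steps 1 to 4 and the verification into one report per server, as an added example (not a script from this site or from Microsoft). `Test-SpoolerExposure` and `-IsPrintServer` are hypothetical names, and a missing Point and Print value is treated as 0, the not-configured default.

```powershell
# Added example: read-only audit of the settings covered on this page.
# Test-SpoolerExposure and -IsPrintServer are hypothetical names, not built-ins.
function Test-SpoolerExposure {
    [CmdletBinding()]
    param(
        # KB ids from this page; only the one matching the OS version can be present
        [string[]]$KbIds = @('KB5004945', 'KB5004946'),
        # Set on servers where the Spooler must stay running (Step 4)
        [switch]$IsPrintServer
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Steps 1 and 3: anything other than Stopped + Disabled can still be reached
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerOff = (-not $svc) -or ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
    if (-not $spoolerOff -and -not $IsPrintServer) {
        $findings.Add("Spooler is $($svc.Status) / $($svc.StartType) on a non-print server")
    }

    # Step 4: Point and Print values; a missing key or value is treated as 0 (assumption)
    $key = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $values = [ordered]@{}
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $current = if ($policy -and $null -ne $policy.$name) { [int]$policy.$name } else { 0 }
        $values[$name] = $current
        if ($current -ne 0 -and -not $spoolerOff) { $findings.Add("$name is $current, expected 0") }
    }

    # Verification: Get-HotFix errors on each missing id, so silence it and count hits
    $installed = @(Get-HotFix -Id $KbIds -ErrorAction SilentlyContinue)
    if ($installed.Count -eq 0) {
        $findings.Add("None of $($KbIds -join ', ') listed; confirm a later cumulative update covers it")
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        SpoolerStatus  = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
        SpoolerStart   = if ($svc) { "$($svc.StartType)" } else { 'n/a' }
        PointAndPrint  = $values
        InstalledKbs   = @($installed | ForEach-Object HotFixID)
        Findings       = $findings.ToArray()
        NeedsAttention = $findings.Count -gt 0
    }
}

Test-SpoolerExposure | Format-List
```

Run it with `-IsPrintServer` on hosts where the Spooler has to stay enabled, so a running service is not reported as a finding there.
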
PowerShell automation: Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.