IRONSMITHINTEL
CRITICAL | CVSS 8.8 | Actively Exploited | CISA KEV | CVE-2021-34527 | Auth: low (domain user sufficient) | Reboot: required | Est. 30 minutes including reboot | Manual only

KB5004946: Windows Server 2019 / 2022 Out-of-band Security Update (July 2021)

Any authenticated domain user can remotely execute code as SYSTEM on any Windows Server with the Print Spooler running. Apply KB5004946 immediately — this was weaponised by ransomware groups within days of disclosure.

Published Jul 6, 2021 · Updated May 10, 2026
Why patch: Risk explained in plain English

Worst-case scenario (if unpatched)

Any authenticated domain account — including low-privileged service accounts or compromised user accounts — can exploit this to gain SYSTEM-level code execution on any Windows Server running the Print Spooler, including Domain Controllers. An attacker who owns one account can own every server in the domain.

How the attack works (no clicks needed)

The Windows Print Spooler service runs by default on all Windows Servers. A flaw in how it handles certain print driver installation operations allows an authenticated user to load a malicious DLL with SYSTEM privileges. No local access is required — the attack works over the network from any domain-joined machine.

Am I affected? Quick check

Probably yes if any of these apply:

All Windows Servers with Print Spooler enabled
Domain Controllers
File servers
RDS servers
Running Windows Server 2019 / 2022 prior to KB5004946

Affected OS versions

Windows Server 2019, Windows Server 2022

Fixed in: KB5004946

Real-world incidents: What we've seen

Ransomware groups including Magniber and Vice Society weaponised PrintNightmare within days of public PoC release. In one documented incident, attackers moved from a single phishing compromise to full domain takeover in under 4 hours using PrintNightmare to escalate privileges on each server they reached. Microsoft released KB5004946 as an emergency out-of-band patch on July 6, 2021.

How to patch

Superseded by a newer cumulative

KB5004946 has been rolled forward into KB5040442 (July 2024). Installing the latest cumulative closes this CVE — you don't need to deploy the original patch.

↗ KB5040442 on Microsoft Update Catalog

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update Catalog: KB5004946

Manual remediation steps

30 minutes including reboot

Check if KB5004946 is Installed

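# Get-HotFix writes an error for an ID that is not present; suppress it so "no output" is the signal
Get-HotFix -Id KB5004946 -ErrorAction SilentlyContinue
# No output = KB5004946 itself is not installed.
# A server patched through a later cumulative (such as KB5040442) may also return nothing here.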

Immediate Mitigation (if patching is delayed)

# Stop and disable the Print Spooler service
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Get-Service Spooler  # Confirm: Status=Stopped

Apply the Patch

1. Download KB5004946 from https://catalog.update.microsoft.com
2. Run the MSU installer as Administrator
3. Restart the server

Re-enable Print Spooler (only if needed after patching)

Set-Service -Name Spooler -StartupType Automatic
Start-Service -Name Spooler

Verify

Get-HotFix -Id KB5004946
# InstalledOn date must appear
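
An added example (not a script from this page or its publisher): a read-only PowerShell check that combines the steps above into one exposure verdict per server. The function name, output fields and verdict labels are assumptions of this example; it accepts either KB named on this page as the fix.

```powershell
# Added example: read-only exposure check for CVE-2021-34527 (makes no changes).
# Function name, output fields and Exposure labels are assumptions of this example.
function Get-PrintNightmareExposure {
    [CmdletBinding()]
    param(
        # KBs named on this page: the original fix and the cumulative that superseded it.
        # Add any later cumulative your servers run; Get-HotFix only lists installed KBs.
        [string[]]$FixKb = @('KB5004946', 'KB5040442')
    )

    # Enumerate once and filter locally: Get-HotFix -Id writes an error when the ID is absent.
    $fixes = @(Get-HotFix | Where-Object { $FixKb -contains $_.HotFixID })

    # Returns nothing if the Spooler service does not exist on this machine.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # The mitigation counts only when the service is stopped AND cannot be restarted:
    # Stopped with StartType Manual or Automatic can still be started again.
    $spoolerOff = (-not $spooler) -or
        ($spooler.Status -eq 'Stopped' -and $spooler.StartType -eq 'Disabled')

    if ($fixes.Count -gt 0) { $exposure = 'Patched' }
    elseif ($spoolerOff)    { $exposure = 'MitigatedUnpatched' }
    else                    { $exposure = 'Exposed' }

    $status    = 'NotPresent'
    $startType = 'NotPresent'
    if ($spooler) {
        $status    = [string]$spooler.Status
        $startType = [string]$spooler.StartType
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        InstalledFix     = ($fixes.HotFixID -join ',')
        SpoolerStatus    = $status
        SpoolerStartType = $startType
        Exposure         = $exposure
    }
}

# Local check:
Get-PrintNightmareExposure

# Fleet check (assumes PowerShell remoting is enabled; servers.txt is a hypothetical host list):
# Invoke-Command -ComputerName (Get-Content .\servers.txt) `
#     -ScriptBlock ${function:Get-PrintNightmareExposure}
```

An 'Exposed' result on a server running a cumulative newer than those listed in -FixKb means the KB list needs extending, not necessarily that the server is vulnerable.
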

PowerShell automation: Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

CVEs in this update: 1 fix · Patch-to-CVE mapping

Patch ID | CVE ID | Vulnerability Name / Type | CVSS | Reference
KB5004946 | CVE-2021-34527 | Windows Print Spooler Service (spoolsv.exe) | 8.8 | NVD ↗