BCY-ADV-2026-003
CRITICAL — CVSS 8.8
PrintNightmare — Print Spooler Remote Code Execution
CVE-2021-34527 · SYSTEM Privileges · Active Exploitation Confirmed
Tags: CVE-2021-34527 · Print Spooler · RCE · LPE · KEV Listed · SYSTEM · Windows
Prepared by Warren Barr · Barr Cyber LLC · barr-cyber.com · May 2026
What This Is
PrintNightmare is a critical vulnerability in the Windows Print Spooler service that allows both remote code execution (RCE) and local privilege escalation (LPE). The RCE variant (CVE-2021-34527) allows any authenticated user who can reach the Spooler's RPC interface over the network to execute code as SYSTEM on the target. The LPE variant (CVE-2021-1675) allows a local standard user to escalate to SYSTEM. Both have been exploited in the wild and are listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The Print Spooler service runs as SYSTEM and is enabled by default on all Windows installations, including domain controllers. This makes PrintNightmare particularly dangerous in Active Directory environments: a single compromised low-privilege domain account can escalate to Domain Admin through a domain controller running a vulnerable Spooler.
PrintNightmare on a domain controller is a full domain compromise vector. An authenticated attacker holding any valid domain account can become Domain Admin.
CVE Details
CVE-2021-34527 — Print Spooler RCE — CVSS 8.8 HIGH (Microsoft severity rating: Critical)
CVE-2021-1675 — Print Spooler LPE — CVSS 7.8 HIGH (see BCY-ADV-2026-004)
CVE-2021-36958 — Follow-on Point and Print zero-day, disclosed August 2021 and fixed in the September 2021 updates — CVSS 7.3 HIGH
CISA KEV: Yes — all three confirmed exploited
Patch: KB5004945 (July 6, 2021 out-of-band update) and subsequent cumulative updates. The August 10, 2021 update (KB5005652) added the RestrictDriverInstallationToAdministrators control and made it the default.
Affected: All supported Windows client and server versions with the Print Spooler service enabled
How It Works
The Print Spooler service exposes the RpcAddPrinterDriverEx() function over the network through the MS-RPRN (Print System Remote Protocol) interface, reachable over the \pipe\spoolss named pipe on SMB (TCP 445) or through the RPC endpoint mapper on TCP 135. The function exists so that remote clients can install printer drivers. Because the access-control check on driver installation could be bypassed, any authenticated user, including a low-privilege domain account, could call it remotely and have the Spooler load an attacker-supplied DLL as SYSTEM.
The attacker hosts a malicious DLL on an SMB share they control, then calls RpcAddPrinterDriverEx() with a driver definition whose file paths point at that share. The Spooler copies the DLL into its driver directory (%SystemRoot%\System32\spool\drivers\x64\3\) and loads it inside spoolsv.exe, which runs as SYSTEM. The attacker now has a SYSTEM shell on the target machine, which on a domain controller means Domain Admin. Note that the July 2021 patch only closes this path when Point and Print is not configured to suppress the elevation prompt: with NoWarningNoElevationOnInstall set to 1 or a non-zero UpdatePromptSettings, a patched host remains exploitable. That is why the August 2021 update added RestrictDriverInstallationToAdministrators and defaulted it to 1.
Detection
Check if Print Spooler is running (PowerShell):
Get-Service -Name Spooler | Select-Object Name, Status, StartType
Check the Point and Print policy values. RestrictDriverInstallationToAdministrators is the primary mitigation if the Spooler must run; the other two values must be 0, otherwise the July 2021 patch is bypassed:
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -ErrorAction SilentlyContinue |
    Select-Object RestrictDriverInstallationToAdministrators, NoWarningNoElevationOnInstall, UpdatePromptSettings |
    Format-List
Expected safe result (a blank NoWarningNoElevationOnInstall or UpdatePromptSettings is equivalent to 0; an entirely empty result means the policy key is absent, so set the restriction explicitly rather than relying on the patch-level default):
RestrictDriverInstallationToAdministrators : 1
NoWarningNoElevationOnInstall              : 0
UpdatePromptSettings                       : 0
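The checks above combined into one audit function that returns a verdict object instead of raw registry output, so it can be run across a fleet and filtered on Exposed. This is an added example written for this advisory, not a Barr Cyber tool; the function name Test-PrintNightmareExposure is this example's own, while the service, registry key, value names and the Win32_ComputerSystem.DomainRole codes are the real Windows ones. A missing RestrictDriverInstallationToAdministrators value is treated as unsafe on purpose: the August 2021 default is restricted, but an explicit 1 is what the advisory asks you to verify.

```powershell
# Added example, not part of the advisory. Function name is this example's own;
# registry paths, value names and DomainRole codes are the real Microsoft ones.
function Test-PrintNightmareExposure {
    [CmdletBinding()]
    param()

    $ppKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. Service state. A stopped and disabled Spooler is not exposed at all.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Exposed = $false; Findings = @('Spooler service not installed') }
    }
    if ($svc.StartType -eq 'Disabled' -and $svc.Status -eq 'Stopped') {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Exposed = $false; Findings = @('Spooler stopped and disabled') }
    }
    $findings.Add("Spooler is $($svc.Status) (StartType $($svc.StartType))")

    # 2. Point and Print policy. $null casts to 0, so a missing value reads as
    #    "not restricted" for the first check and "safe" for the other two.
    $pp       = Get-ItemProperty -Path $ppKey -ErrorAction SilentlyContinue
    $restrict = [int]$pp.RestrictDriverInstallationToAdministrators
    $noWarn   = [int]$pp.NoWarningNoElevationOnInstall
    $prompt   = [int]$pp.UpdatePromptSettings
    if ($restrict -ne 1) { $findings.Add('RestrictDriverInstallationToAdministrators is not 1: non-admins can install drivers') }
    # Microsoft's guidance: either of these re-opens CVE-2021-34527 on a patched host.
    if ($noWarn -ne 0)   { $findings.Add("NoWarningNoElevationOnInstall = $noWarn (must be 0)") }
    if ($prompt -ne 0)   { $findings.Add("UpdatePromptSettings = $prompt (must be 0)") }

    # 3. Role. A running Spooler on a domain controller is a domain-compromise
    #    vector regardless of Point and Print settings, so flag it unconditionally.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -in 4, 5   # 4 = backup domain controller, 5 = primary domain controller
    if ($isDc) { $findings.Add('Host is a domain controller: disable the Spooler rather than restricting it') }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Exposed  = ($restrict -ne 1) -or ($noWarn -ne 0) -or ($prompt -ne 0) -or $isDc
        Findings = $findings.ToArray()
    }
}

Test-PrintNightmareExposure | Format-List
```

Run it elevated so the policy key is readable under all configurations; for fleet use, wrap the call in Invoke-Command -ComputerName and keep only objects where Exposed is $true.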
Check the Windows event logs for exploitation indicators:
# Event ID 316 in Microsoft-Windows-PrintService/Operational: a printer driver was added or updated.
# Look for unexpected driver names and file lists. This log is disabled by default; enable it with:
#   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
# Event ID 808 in Microsoft-Windows-PrintService/Admin (enabled by default): the print spooler failed to load a plug-in module.
# The module path in the message often points at the attacker's DLL in the driver directory.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Admin'; Id = 808 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
IOCs
Service: Print Spooler (spoolsv.exe)
Attack vector: RpcAddPrinterDriverEx() over MS-RPRN, an authenticated network call (SMB 445 via the \pipe\spoolss named pipe, or TCP 135 plus a dynamic RPC port)
Payload type: Malicious DLL loaded by the SYSTEM-level spoolsv.exe process
Event ID 316 (Microsoft-Windows-PrintService/Operational): printer driver added or updated; look for unexpected driver names and file lists
Event ID 808 (Microsoft-Windows-PrintService/Admin): the print spooler failed to load a plug-in module; the module path frequently lands in the driver directory
Network: inbound RPC to TCP 135 plus dynamic RPC ports, or SMB (TCP 445) to the spoolss pipe, from a host that is not a print client or server; outbound SMB from the target to the attacker's share to fetch the DLL
Process: spoolsv.exe spawning unexpected child processes such as cmd.exe, powershell.exe or rundll32.exe
File system: new or unsigned DLLs in %SystemRoot%\System32\spool\drivers\x64\3\ and in \3\Old\<n>\ (the Spooler moves superseded driver files there)
Registry: HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\ (check for unexpected driver entries)
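The indicator list above, turned into one host-side hunt that collects the two event IDs, the driver-store DLLs with their Authenticode status, and any children of spoolsv.exe into a single object. This is an added example, not an advisory or Barr Cyber script; the function name Get-PrintNightmareIndicators and the -Days lookback are this example's own, while the log names, event IDs and the driver directory are the real Windows ones.

```powershell
# Added example, not part of the advisory. Function name and -Days window are
# this example's own; log names, event IDs and paths are the real Windows ones.
function Get-PrintNightmareIndicators {
    param([int]$Days = 30)

    $since     = (Get-Date).AddDays(-$Days)
    $driverDir = Join-Path $env:SystemRoot 'System32\spool\drivers\x64\3'

    # a) Driver added/updated. Operational log is disabled by default; enable with
    #    wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
    $added = Get-WinEvent -FilterHashtable @{
                 LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = $since
             } -ErrorAction SilentlyContinue |
             Select-Object TimeCreated, Message

    # b) Spooler failed to load a plug-in module (Admin log, enabled by default).
    #    Exploit DLLs that are not valid print drivers typically trip this.
    $failed = Get-WinEvent -FilterHashtable @{
                  LogName = 'Microsoft-Windows-PrintService/Admin'; Id = 808; StartTime = $since
              } -ErrorAction SilentlyContinue |
              Select-Object TimeCreated, Message

    # c) Recently written DLLs in the driver store. The payload is copied into \3\
    #    and superseded files are moved to \3\Old\<n>\, so search recursively.
    $dlls = Get-ChildItem -Path $driverDir -Filter '*.dll' -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $since } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    Written   = $_.LastWriteTime
                    SigStatus = $sig.Status
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                }
            }

    # d) Children of spoolsv.exe. A healthy spooler almost never spawns a process.
    $children = foreach ($s in (Get-CimInstance Win32_Process -Filter "Name = 'spoolsv.exe'")) {
        Get-CimInstance Win32_Process -Filter "ParentProcessId = $($s.ProcessId)" |
            Select-Object ProcessId, Name, CommandLine
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        DriverAddEvents    = @($added)
        PluginLoadFailures = @($failed)
        RecentDriverDlls   = @($dlls)
        SpoolerChildren    = @($children)
    }
}

$ioc = Get-PrintNightmareIndicators -Days 30
# Unsigned or non-Microsoft DLLs in the driver store are the highest-value hit.
$ioc.RecentDriverDlls | Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notlike '*Microsoft*' } | Format-Table -AutoSize
$ioc.SpoolerChildren    | Format-Table -AutoSize
$ioc.DriverAddEvents    | Format-List
$ioc.PluginLoadFailures | Format-List
```

Vendor-signed third-party drivers will also appear in the DLL filter, so reconcile that list against the print server's known driver inventory rather than treating every non-Microsoft signer as malicious; an unsigned DLL in \3\Old\ on a domain controller, however, needs no further triage before containment.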
Mitigation — PowerShell Commands
Option A (stop and disable the Print Spooler service) is the complete mitigation and is the right choice for domain controllers and any server that does not print. Option B (keep the Spooler running but set RestrictDriverInstallationToAdministrators to 1 and keep NoWarningNoElevationOnInstall and UpdatePromptSettings at 0) is a partial mitigation for systems where printing is required. Patch currency is critical for Option B to remain effective: the July 2021 fix for CVE-2021-34527 does not protect a host where either of the latter two values is non-zero, and the Point and Print restriction itself only exists on hosts with the August 2021 update or later. Hosts that only need local printing can additionally disable the "Allow Print Spooler to accept client connections" Group Policy setting, which closes the remote RPC path while leaving local printing intact.
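Both options as one idempotent function that applies the change and returns the resulting state for verification. This is an added example, not the advisory's own command list and not a Barr Cyber tool; the function name Invoke-PrintNightmareMitigation and its -Mode values are this example's own, while the service name, registry key and value names are the real Windows ones. Run it elevated.

```powershell
# Added example, not part of the advisory. Function and -Mode names are this
# example's own; service, registry key and value names are the real Windows ones.
function Invoke-PrintNightmareMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('DisableSpooler', 'RestrictPointAndPrint')]
        [string]$Mode
    )

    $ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

    switch ($Mode) {
        'DisableSpooler' {
            # Option A: complete mitigation. RpcAddPrinterDriverEx is unreachable when
            # spoolsv.exe is not running. Use on domain controllers and non-printing servers.
            if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
                Stop-Service -Name Spooler -Force -ErrorAction Stop
                Set-Service  -Name Spooler -StartupType Disabled
            }
        }
        'RestrictPointAndPrint' {
            # Option B: partial mitigation for hosts that must print. Only effective on a
            # host carrying the July 2021 patch (KB5004945 or later cumulative update).
            if ($PSCmdlet.ShouldProcess($ppKey, 'Set Point and Print restrictions')) {
                New-Item -Path $ppKey -Force | Out-Null
                # Only administrators may install printer drivers (control added by KB5005652).
                Set-ItemProperty -Path $ppKey -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
                # Both must be 0: a non-zero value re-enables CVE-2021-34527 on a patched host.
                Set-ItemProperty -Path $ppKey -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
                Set-ItemProperty -Path $ppKey -Name UpdatePromptSettings          -Value 0 -Type DWord
                Restart-Service -Name Spooler -ErrorAction SilentlyContinue
            }
        }
    }

    # Verify: return the resulting state rather than trusting the calls succeeded.
    $svc = Get-Service -Name Spooler
    $pp  = Get-ItemProperty -Path $ppKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Mode                                       = $Mode
        SpoolerStatus                              = $svc.Status
        SpoolerStartType                           = $svc.StartType
        RestrictDriverInstallationToAdministrators = $pp.RestrictDriverInstallationToAdministrators
        NoWarningNoElevationOnInstall              = $pp.NoWarningNoElevationOnInstall
        UpdatePromptSettings                       = $pp.UpdatePromptSettings
    }
}

# Domain controllers and servers that do not print:
Invoke-PrintNightmareMitigation -Mode DisableSpooler
# Workstations and print servers that must keep printing:
# Invoke-PrintNightmareMitigation -Mode RestrictPointAndPrint
```

Because the function supports -WhatIf, a change-control reviewer can dry-run it on a print server before the real run; the returned object is what to record as evidence that the control was applied and verified.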
BCY-ADV-2026-003 · Published May 2026 · Barr Cyber LLC · Kalispell, MT
Barr Cyber — Endpoint Hardening & System Configuration
Print Spooler hardening is documented in every Barr Cyber endpoint engagement. If printing is required, the PointAndPrint restriction is the correct control — Barr Cyber applies and verifies it.