CVE REFERENCE | HIGH SEVERITY
Active ThreatUpdated 8 min read

CVE-2021-34527 Explained: PrintNightmare and RCE via Windows Print Spooler

A Windows Print Spooler vulnerability enabling authenticated attackers to execute code as SYSTEM remotely, and any local standard user to escalate to SYSTEM. Every Windows system was affected, including all domain controllers.

Sources:Microsoft Security Response Center|CISA Advisory AA21-229A|Sangfor Research Team|NIST NVD
8.8
CVSS Score
SYSTEM
Privilege level achieved
ALL
Windows versions affected
2021
0-day exploitation began June 29

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2021-34527, nicknamed PrintNightmare, is a critical remote code execution and local privilege escalation vulnerability in the Windows Print Spooler service. It stems from how Print Spooler handles printer driver installation, the RpcAddPrinterDriverEx() function allows any authenticated user to load an arbitrary DLL with SYSTEM privileges by disguising it as a printer driver.

The vulnerability became a zero-day on June 29, 2021 when a Chinese security research team (Sangfor) accidentally published a proof-of-concept exploit on GitHub, believing Microsoft had already patched it. Microsoft had patched a related but different vulnerability (CVE-2021-1675). The PoC was deleted within an hour but had been forked dozens of times.

Microsoft released an emergency out-of-band patch on July 1, 2021, two days after the PoC went public. Exploitation was already occurring in the wild by then.

How PrintNightmare Works

The Windows Print Spooler service (spoolsv.exe) runs as SYSTEM and manages print jobs and printer driver installation. The RpcAddPrinterDriverEx() function, exposed via RPC, allows administrators to install printer drivers remotely. Print Spooler does not adequately validate the driver package being installed.

Any authenticated user, including domain users with no special privileges, can call RpcAddPrinterDriverEx() with a path to a malicious DLL. The Print Spooler service loads this DLL as if it were a legitimate printer driver, executing it with SYSTEM privileges.

For RCE: attacker authenticates over SMB using any valid domain credentials, then calls RpcAddPrinterDriverEx() with a UNC path to a malicious DLL on an attacker-controlled SMB share. Print Spooler reaches out and loads the DLL as SYSTEM. For LPE: attacker with local access simply points the driver path to a local malicious DLL and escalates from standard user to SYSTEM instantly.

1

Obtain Any Valid Credentials

For RCE: any domain user credentials suffice. For LPE: attacker already has local shell as a standard user. No administrator privileges required in either case.

2

Stage Malicious DLL

Attacker creates a malicious DLL containing shellcode or a reverse shell. For RCE, hosts the DLL on an attacker-controlled SMB share accessible from the target network.

3

Call RpcAddPrinterDriverEx()

Attacker calls the Print Spooler RPC interface to 'install a driver,' providing the path to the malicious DLL as the driver package location.

4

SYSTEM Executes Malicious DLL

The Print Spooler service (running as SYSTEM) loads and executes the malicious DLL, attacker achieves the highest privilege level on the target system.

Patch and Mitigation Guidance

The definitive fix is applying Microsoft's July 2021 cumulative updates. Even after patching, these hardening steps permanently reduce the Print Spooler attack surface and should be applied across all environments.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

The bottom line

PrintNightmare proved that a single ubiquitous Windows service running with maximum privileges can become a domain-wide compromise vector overnight. If Print Spooler is disabled on your domain controllers and patched on everything else, you are protected. If not, you have a SYSTEM-level RCE waiting to be used against your most critical infrastructure. Disabling Print Spooler on domain controllers should be a non-negotiable baseline.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is PrintNightmare (CVE-2021-34527)?

PrintNightmare is a critical Windows Print Spooler vulnerability with two attack paths: remote code execution for authenticated network attackers and local privilege escalation for any standard user on the machine. Both achieve SYSTEM-level code execution. A proof-of-concept was accidentally published publicly on June 29, 2021, causing immediate mass exploitation before Microsoft's emergency patch.

How do I mitigate PrintNightmare?

Apply Microsoft's July 2021 out-of-band patch. As an immediate workaround, disable the Print Spooler service on systems that don't require printing (especially domain controllers): Stop-Service -Name Spooler -Force; Set-Service -Name Spooler -StartupType Disabled. Never run Print Spooler on domain controllers.

Are domain controllers vulnerable to PrintNightmare?

Yes. Domain controllers running Windows Print Spooler were vulnerable to both the remote and local privilege escalation variants. Microsoft and CISA both advised disabling Print Spooler on all domain controllers as an immediate mitigation, since DCs rarely need print functionality.

What is the difference between the remote RCE and local privilege escalation variants of PrintNightmare?

PrintNightmare has two exploitation paths with different prerequisites. Remote code execution (RCE) requires only an authenticated domain user account with no special permissions: the attacker calls RpcAddPrinterDriverEx() over the network from an attacker-controlled SMB share, causing Print Spooler on the target to load a malicious DLL as SYSTEM. Local privilege escalation (LPE) requires a local shell at any privilege level: the attacker runs exploit code locally pointing Print Spooler at a local malicious DLL. Both achieve SYSTEM-level code execution. The RCE variant is more dangerous because it works across the network with only domain user credentials.

How do I check if Print Spooler is running on my domain controllers?

Run this PowerShell on each DC or remotely: Get-Service -ComputerName DC01 -Name Spooler | Select-Object Status, StartType. Status should be Stopped and StartType should be Disabled. For bulk domain-wide checking: Get-ADDomainController -Filter * | ForEach-Object { $dc = $_.Name; $svc = Get-Service -ComputerName $dc -Name Spooler; [PSCustomObject]@{DC=$dc; Status=$svc.Status; StartType=$svc.StartType} }. CISA and Microsoft recommend Print Spooler be permanently disabled on all domain controllers since DCs have no legitimate use case for printing.

Does Point and Print Restrictions Group Policy prevent PrintNightmare exploitation?

Pre-patch Point and Print restriction GPO settings were insufficient to prevent PrintNightmare exploitation. Microsoft's July 2021 patch changed Print Spooler behavior so driver installation from non-admin shares requires elevation, and the August 2021 update KB5005010 further tightened Point and Print restrictions. After all patches are applied, driver installation from unapproved sources requires administrator approval. However, the most effective defense for domain controllers is disabling Print Spooler entirely, which eliminates the attack surface regardless of driver policy configuration.

Sources & references

  1. Microsoft Security Response Center
  2. CISA Advisory AA21-229A
  3. Sangfor Research Team
  4. NIST NVD

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.