PrintNightmare (CVE-2021-34527)
What is PrintNightmare (CVE-2021-34527)?
A 2021 Windows Print Spooler vulnerability that let a low-privileged user install a malicious print driver and execute code with SYSTEM privileges.
PrintNightmare (CVE-2021-34527) is a flaw in the Windows Print Spooler service (spoolsv.exe) that failed to properly restrict access to the RpcAddPrinterDriverEx() RPC call. By pointing the spooler at a malicious printer driver DLL hosted on a remote SMB/UNC share, any authenticated domain user could have the SYSTEM-level spooler load and execute that DLL — yielding both local privilege escalation and, against a remote spooler, full remote code execution. Because the Print Spooler runs by default on domain controllers, the impact on Active Directory environments was severe.
The disclosure was chaotic: the flaw shares the RpcAddPrinterDriverEx code path with CVE-2021-1675, an "important" LPE patched in June 2021. When researchers published proof-of-concept code in late June 2021, believing it targeted the already-patched CVE-2021-1675, they had in fact triggered a distinct, unpatched RCE, which Microsoft re-assigned as CVE-2021-34527. Crucially, the patch did not stop exploitation where Point and Print was configured with NoWarningNoElevationOnInstall = 1.
Microsoft issued out-of-band updates in July 2021 and registry hardening guidance. Defences: apply every PrintNightmare-related patch, disable the Print Spooler on servers that do not print (especially domain controllers), restrict Point and Print driver installation to administrators, and block outbound SMB to untrusted hosts.
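The spooler and Point and Print defences above can be verified per host. This read-only audit is an added example, not Microsoft's or this page's own code; the PointAndPrint policy key path and the RestrictDriverInstallationToAdministrators value name come from Microsoft's published hardening guidance rather than from this page, and the function names and severity labels are illustrative.

```powershell
# Added example: read-only audit of one host's PrintNightmare hardening state.
# Run in Windows PowerShell 5.1+ on the host being checked. Patch level is not
# checked here; verify installed updates separately.
$papKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not defined.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function New-Finding {
    param([string]$Check, [string]$Severity, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Severity = $Severity; Detail = $Detail }
}

# ProductType 2 = domain controller, where a running spooler matters most.
$isDC = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2

function Get-PrintNightmareFinding {
    # 1. Print Spooler should be stopped and disabled on hosts that do not print.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($spooler -and ($spooler.Status -ne 'Stopped' -or $spooler.StartType -ne 'Disabled')) {
        $sev = if ($isDC) { 'High' } else { 'Review' }
        New-Finding 'Spooler' $sev ("Status=$($spooler.Status), " +
            "StartType=$($spooler.StartType), DomainController=$isDC")
    }

    # 2. The Point and Print setting that left patched hosts exploitable.
    if ((Get-PolicyValue $papKey 'NoWarningNoElevationOnInstall') -eq 1) {
        New-Finding 'PointAndPrint' 'High' 'NoWarningNoElevationOnInstall = 1'
    }

    # 3. Driver installation should be restricted to administrators.
    $restrict = Get-PolicyValue $papKey 'RestrictDriverInstallationToAdministrators'
    if ($restrict -eq 0) {
        New-Finding 'DriverInstall' 'High' 'RestrictDriverInstallationToAdministrators = 0'
    } elseif ($null -eq $restrict) {
        New-Finding 'DriverInstall' 'Review' ('Restriction not set explicitly; ' +
            'the effective default depends on installed updates')
    }
}

$results = @(Get-PrintNightmareFinding)
if ($results.Count -eq 0) { 'No PrintNightmare hardening gaps found by these checks.' }
else { $results | Format-Table -AutoSize -Wrap }
```

A "Review" result on a server that legitimately prints is expected; the "High" results are the ones that map directly to the exploitable conditions described above.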
flowchart TD
A[Low-privileged domain user] --> B[RPC call to spoolsv.exe<br/>RpcAddPrinterDriverEx]
B --> C[Spooler fetches driver DLL<br/>from attacker SMB/UNC share]
C --> D{Point and Print<br/>restrictions?}
D -->|Unrestricted| E[Spooler loads DLL as SYSTEM]
D -->|Admins only| F[Install blocked]
E --> G[Code execution as SYSTEM]
G --> H[Local privilege escalation]
G --> I[Remote code execution on<br/>domain controller]
● Examples
- 01 Ransomware groups abusing PrintNightmare to elevate to SYSTEM and deploy payloads on domain controllers.
- 02 Red-team operators using PrintNightmare to escalate from a standard domain user to local admin.
● Frequently asked questions
What is PrintNightmare (CVE-2021-34527)?
A 2021 Windows Print Spooler vulnerability that let a low-privileged user install a malicious print driver and execute code with SYSTEM privileges. It belongs to the Vulnerabilities category of cybersecurity.
How do you defend against PrintNightmare (CVE-2021-34527)?
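Defences for PrintNightmare (CVE-2021-34527) combine technical controls and operational practices: apply every PrintNightmare-related patch, disable the Print Spooler on servers that do not print (especially domain controllers), restrict Point and Print driver installation to administrators, and block outbound SMB to untrusted hosts.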
What are other names for PrintNightmare (CVE-2021-34527)?
Common alternative names include: CVE-2021-34527, Spoolsv RCE.