PrintNightmare Aftermath: Windows Print Spooler is Better. What's Next?
The 2021 PrintNightmare vulnerability exposed multiple deep-rooted security flaws in Microsoft's Print Spooler service, a core Windows component. The flaws, which had persisted in the Print Spooler for years, forced Microsoft to change the default behavior of the service, and organizations to change how they enabled printing services for users. While Microsoft's changes have overall improved Print Spooler's security, researchers caution that the service still remains a prime target for attackers. The potential weaknesses resulting from Microsoft's efforts to maintain backward compatibility with legacy code leave Print Spooler vulnerable.
A Critical Security Weakness
PrintNightmare (CVE-2021-34527) gave attackers a way to gain system-level privileges on affected systems, which included everything from domain controllers and Active Directory systems to lower-end servers and client systems. The flaw stemmed from the Windows Print Spooler service improperly handling printer driver installations and allowed attackers to run arbitrary code, download malware, create new user accounts, or view, change and delete data on affected systems.
The vulnerability arose from the service's failure to properly validate permissions for installing printer drivers, combined with its capability to accept remote connections via RPC. This allowed attackers to remotely install malicious drivers and execute arbitrary code with elevated privileges, even from minimally privileged accounts. Researchers estimated that over 90% of Print Spooler environments at the time were impacted by PrintNightmare. The sheer scope of the threat prompted urgent calls from Microsoft, the US Cybersecurity and Infrastructure Security Agency (CISA) and others to apply immediate remediation measures.
"In the years following PrintNightmare, there have been exploits that have taken advantage of the remote aspect of the Print Spooler service," says Ben McCarthy, lead cyber security engineer at Immersive Labs.
There are a number of reasons why this is the case, he says, including the fact that the service is remotely accessible and allows for lateral movement. "Furthermore, when large vulnerabilities are released, like PrintNightmare, it tips off hackers around the world that there may be more vulnerabilities in that component of Windows," he says. McCarthy also points to a report by researchers from China that described the internals of how Print Spooler worked as likely contributing to the discovery of multiple vulnerabilities in the service following the disclosure of PrintNightmare.
Unprecedented Attention on Print Spooler Weaknesses
The PrintNightmare vulnerability focused near unprecedented attention on the security of Microsoft's notoriously buggy Print Spooler service.
In the weeks and months following its disclosures, security researchers—many of them from Microsoft itself—uncovered as many as 11 Print Spooler vulnerabilities in 2021 alone. The first of these post-PrintNightmare Print Spooler vulnerabilities was CVE-2021-34481, a remote code execution vulnerability that Microsoft patched on July 15, 2021. The bug was publicly disclosed before Microsoft had a fix for it, but did not end up getting exploited.
CVE-2021-34481, like PrintNightmare, stemmed from the Windows Print Spooler service improperly handling printer driver installations, allowing attackers to load malicious drivers with system-level privileges. The flaw—and PrintNightmare before it—prompted Microsoft to change the default behavior of Point and Print, a Windows feature that let users connect to network printers and automatically download and install the required printer drivers. Microsoft changed the default behavior to ensure that only users with administrative privileges could install new printers or update existing printer drivers.
The other Print Spooler related flaws discovered in 2021 were CVE-2021-34483; CVE-2021-36936; CVE-2021-36947; CVE-2021-36958; CVE-2021-36970; CVE-2021-38667; CVE-2021-38671; CVE-2021-40447; CVE-2021-1675 and CVE-2021-41332.
In total, Microsoft has disclosed some 53 Print Spooler related vulnerabilities since PrintNightmare was disclosed in 2021, says Satnam Narang, senior staff research engineer at Tenable. In addition to the 11 in 2021, Microsoft disclosed 35 of them in 2022, four in 2023 and three more in 2024. The three disclosed in 2024 are CVE-2024-21433; CVE-2024-38198; and CVE-2024-43529.
"Per the CISA Known Exploited Vulnerabilities (KEV) catalog, there were four Print Spooler vulnerabilities exploited in the wild," Narang says. All of them were from 2022: CVE-2022-38028, CVE-2022-41073, CVE-2022-22718 and CVE-2022-21999.
Nearly half—45%—of these were disclosed by internal teams at Microsoft. "It's likely that this proactive, offensive approach led to the mitigation of many of the pathways to exploitation because we saw a steep decline in the number of reported Print Spooler vulnerabilities since [2022]," Narang says, pointing to the fact that Microsoft reported only seven Print Spooler vulnerabilities in total across 2023 and 2024.
Significantly, Microsoft has not disclosed a single remote code execution bug—usually the most severe kind—in the Print Spooler service since 2021, Narang points out. Instead, all of them have been elevation of privilege bugs—which attackers typically leverage only after they have already gained initial access to a system—or information disclosure flaws. It's a positive development that is likely a result of all the research that has gone into finding vulnerabilities in the software since PrintNightmare, Narang says.
"From an outside looking in perspective, it appears that PrintNightmare was the catalyst for shoring up security within the Windows Print Spooler, making it increasingly difficult for attackers to exploit," Narang says.
A Persistent Threat
Even so, it's a mistake to take Print Spooler security for granted. The service remains a big target for attackers due to its complexity and integral role in the Windows operating system, says Mike Walters, president and co-founder of Action1. The service's legacy codebase and the need for backward compatibility also continue to present ongoing challenges, he notes.
The fact that the service is remotely accessible by any user is another reason Print Spooler remains a target of interest for attackers, adds Ben McCarthy, lead cyber security engineer at Immersive Labs. Flaws in the service give attackers an opportunity for lateral movement and privilege escalation, he says. "The Print Spooler service handles print jobs and communicates with printers, often using RPC for inter-process and network interactions, which introduces a broad attack surface," McCarthy says. "Vulnerabilities often arise from unchecked inputs, weak ACLs, and improper handling of permissions, allowing attackers to exploit these mechanisms to execute arbitrary code or gain SYSTEM-level privileges."
One notable example of the sustained and ongoing attacker interest in Print Spooler vulnerabilities is Russia-based APT28's use of CVE-2022-38028 in a privilege escalation and credential stealing campaign that targeted North American, European and Ukrainian government organizations in April 2024. Another indication of the broad researcher interest in the service is the fact that it was the US National Security Agency (NSA) that reported at least three Print Spooler vulnerabilities to Microsoft since PrintNightmare: CVE-2022-29104, CVE-2023-21678, and CVE-2022-38028.
For the most part, attacks on Print Spooler bugs since PrintNightmare have simply been variations of existing and previously known attack vectors, according to Walters. Many of the vulnerabilities discovered in 2021, 2022, 2023, and 2024 are privilege escalation or remote code execution flaws that exploit the same kinds of weaknesses as PrintNightmare, such as improper input validation, inadequate permission checking, and the ability to load malicious drivers, Walters points out.
However, Microsoft's desire to maintain backward compatibility with legacy code has left the company addressing Print Spooler vulnerabilities at the protocol and function handler side. So, expect to see researchers continuing to pound away at PrintNightmare-like bugs in Print Spooler, Walters says.
Microsoft's Changes to Point and Print
Besides issuing patches and offering mitigation advice for specific Print Spooler vulnerabilities, Microsoft has taken other steps to mitigate Print Spooler risks since PrintNightmare. One of the most significant is the change the company made to the default behavior of the Point and Print function associated with Print Spooler. The feature, designed to simplify the installation of printers for end users, originally allowed a user to connect to network printers and automatically download and install the required printer drivers without needing administrative privileges. Following PrintNightmare and CVE-2021-34481, Microsoft changed the default behavior of the feature to ensure that only users with administrative rights could install or update printer drivers. Microsoft, at the time, acknowledged the change could disrupt existing practices at organizations: "However, we strongly believe that the security risk justifies this change," the company noted.
"Microsoft introduced the 'RestrictDriverInstallationToAdministrators' registry key and the corresponding Group Policy setting. When enabled, it enforces that only administrators can install printer drivers through Point and Print," Walters notes. Microsoft also disabled inbound remote printing by default on certain systems and strengthened the requirement for printer drivers to be digitally signed by a trusted certificate authority, among other changes, he notes.
In addition, new Group Policy settings that Microsoft introduced after PrintNightmare allow administrators to enforce strict controls over the Print Spooler service, including limiting which servers can deliver print jobs or drivers, he says. "Disabling certain features by default, such as inbound remote printing, helps minimize the attack surface for systems that do not need such functionality."
PrintNightmare presented a challenge for Microsoft because fixing it required architectural changes that impacted many organizations around the world. "The biggest change that affected many sysadmins was the change to the way users can connect to remote printers," McCarthy notes. "This necessary change means that any further exploits found in this particular part of the Print Spooler service will require the attacker to be the administrator first," he says.
Mitigation Measures
Print Spooler is part of the Windows OS and is enabled by default on many systems, including systems where it is generally not required, such as domain controllers. It typically runs as a privileged service, meaning it has system-level privileges, making it a high-value target for attackers. Organizations can disable Print Spooler if they don't require any printing services—a situation that is somewhat rare in a business setting.
A few mitigation measures are available for organizations struggling to completely disable Print Spooler services due to business requirements. Walters lists the following as the most effective among them:
Regularly install patches and updates released by Microsoft.
Configure Group Policy settings to allow only administrators to install printer drivers.
Disable incoming remote printing through Group Policy when not needed.
Use allow-lists to specify approved printers and print servers.
Use security tools to monitor for suspicious activity related to the print spooler service.
Isolate print servers from critical systems to prevent lateral movement in the event of a compromise.
Deploy endpoint controls to prevent unauthorized code execution.
He also recommends that security administrators restrict network access, segment networks with print servers, and enable secure RPC over SMB for the Print Spooler. Organizations should also consider disabling legacy protocols and features such as SMBv1 and enforcing strong authentication mechanisms, Walters notes.
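The following read-only PowerShell audit is an added example, not code from the article, Microsoft or any of the quoted vendors. It checks the local host for the Point and Print and remote-printing settings described in the "Microsoft's Changes to Point and Print" section and in Walters' mitigation list above; the registry locations are the Group Policy-backed keys behind those settings, while the OK/REVIEW/FAIL thresholds are this script's own assumptions rather than an official baseline.

```powershell
# Added audit example (not from the article or Microsoft). Run in an elevated PowerShell session.
$PnP      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$Printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the policy was never set, so callers can reason about the Windows default.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Finding {
    param($Setting, $Value, $Status, $Note)
    [pscustomobject]@{ Setting = $Setting; Value = $Value; Status = $Status; Note = $Note }
}

function Test-PrintSpoolerHardening {
    $findings = @()

    # 1. Driver installs by non-admins: unset means the hardened post-2021 default (1) applies.
    $v = Get-PolicyValue $PnP 'RestrictDriverInstallationToAdministrators'
    $findings += New-Finding 'RestrictDriverInstallationToAdministrators' $v `
        $(if ($null -eq $v -or $v -eq 1) { 'OK' } else { 'FAIL' }) '1 or unset required; 0 re-opens non-admin driver installs'

    # 2. Point and Print prompts: a value of 1 suppresses the warning/elevation prompts.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $v = Get-PolicyValue $PnP $name
        $findings += New-Finding $name $v $(if ($null -eq $v -or $v -eq 0) { 'OK' } else { 'FAIL' }) '0 or unset keeps the prompts'
    }

    # 3. Inbound remote printing ("Allow Print Spooler to accept client connections"): 2 = disabled.
    $v = Get-PolicyValue $Printers 'RegisterSpoolerRemoteRpcEndPoint'
    $findings += New-Finding 'RegisterSpoolerRemoteRpcEndPoint' $v $(if ($v -eq 2) { 'OK' } else { 'REVIEW' }) `
        'Set to 2 on hosts that do not serve printers to remove the remote RPC endpoint'

    # 4. Point and Print allow-list: TrustedServers=1 together with a non-empty ServerList.
    $trusted = Get-PolicyValue $PnP 'TrustedServers'; $list = Get-PolicyValue $PnP 'ServerList'
    $findings += New-Finding 'Point and Print server allow-list' "TrustedServers=$trusted ServerList=$list" `
        $(if ($trusted -eq 1 -and $list) { 'OK' } else { 'REVIEW' }) 'Restricts which print servers may supply drivers'

    # 5. Spooler running on a domain controller (Win32_ComputerSystem.DomainRole 4 or 5) is the case the text singles out.
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    $status = if ($svc.Status -eq 'Running' -and $isDc) { 'FAIL' } elseif ($svc.Status -eq 'Running') { 'REVIEW' } else { 'OK' }
    $findings += New-Finding 'Spooler service' "$($svc.Status) (DomainController=$isDc)" $status 'Disable where printing is not needed, always on DCs'

    return $findings
}

Test-PrintSpoolerHardening | Format-Table -AutoSize
```

Any FAIL row points at a setting that reopens the driver-installation path PrintNightmare abused; REVIEW rows are judgement calls that depend on whether the host actually serves printers.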
"It’s clear that disabling Print Spooler services is not feasible in its entirety," Narang from Tenable says. "But ensuring that security updates are being applied, which often include changes like the ones noted in the July 2021 out-of-band release for PrintNightmare, is the best way to safeguard against these attacks."
source: DarkReading