CVE-2021-1675

CVE-2021-1675 is a high-severity vulnerability in Microsoft Windows 10 1507 with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03).

Key facts

Description

Windows Print Spooler Remote Code Execution Vulnerability

CVE-2021-1675: Windows Print Spooler Remote Code Execution Vulnerability (PrintNightmare)

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2021-1675
CVSS v2 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS v3 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS 0.86132 (99.7th percentile)
KEV Yes — added 2021-11-03
EU Exploited Yes — since 2021-11-03 (EUVD-2021-7142)
CWE Not assigned in source data

Summary

CVE-2021-1675 is a remote code execution vulnerability in the Windows Print Spooler service. An attacker can exploit flaws in how the spooler handles privileged file operations to load malicious DLLs and execute arbitrary code with SYSTEM-level privileges. The underlying mechanics of this flaw were subsequently leveraged in the widely publicised PrintNightmare exploit chain (CVE-2021-34527), making this a foundational bug in one of the most consequential Windows privilege-escalation episodes of 2021.

Background

The Windows Print Spooler is a long-running service responsible for managing print jobs and printer drivers. Because printing historically required administrative-level file and driver installations, the spooler runs with SYSTEM privileges by default on every Windows workstation and server. This makes it a high-value target: any vulnerability that allows an attacker to influence spooler behaviour can potentially translate directly into full system compromise without user credentials.

Root Cause

The root cause relates to improper handling of privileged file operations within the Print Spooler service. Specifically, the service exposes functionality that allows a remote client to specify driver and DLL paths without adequate path validation or access-control checks. This enables an attacker to point the spooler at an attacker-controlled DLL, which the service then loads and executes in its own highly privileged process context.

A specific CWE identifier is not assigned in the source data for this record, but the weakness class aligns closely with Improper Privilege Management (CWE-269) and Improper Limitation of a Pathname to a Restricted Directory (CWE-22), where a trusted process is tricked into loading code from an untrusted location.

Impact

  • CVSS v2: 9.3 — Network exploitable, medium attack complexity, no authentication required, complete loss of confidentiality, integrity, and availability.
  • CVSS v3: 7.8 HIGH — Requires local attack vector (or user-interaction/priming in the network scenario per the advisory context), low attack complexity, no privileges required, but user interaction is required; impact on CIA is high.

Successful exploitation grants the attacker SYSTEM-level code execution, permitting full host takeover, lateral movement, credential theft, and persistent access. Because the Print Spooler is enabled by default on nearly all Windows systems, the attack surface is extremely broad.

Exploitation Walkthrough

Ethics & Legal Notice: The following is a defensive, generic description for understanding and detection purposes only. Do not use this information to attack systems you do not own or have explicit written authorisation to test.

  1. Reconnaissance: The attacker identifies a target Windows host with the Print Spooler service running and reachable over the network (commonly via SMB/RPC on ports 445/135).
  2. DLL Preparation: The attacker crafts or stages a malicious DLL payload and hosts it on a network share or local path they control.
  3. Triggering the Spooler: Using the printer-installation RPC interface, the attacker sends a request that causes the Print Spooler to copy and load the attacker-supplied DLL into the privileged spooler process.
  4. Privilege Escalation / RCE: The DLL is executed with SYSTEM privileges, giving the attacker full control of the host.

The original disclosure in June 2021 revealed that this could be achieved by an unauthenticated attacker in certain configurations, which triggered an urgent patch cycle and led to the broader PrintNightmare research.

Affected and Patched Versions

The following Windows versions are listed as vulnerable in the source data:

  • Windows 10 (1507, 1607, 1809, 1909, 2004, 20H2, 21H1)
  • Windows 7 SP1
  • Windows 8.1 / Windows RT 8.1
  • Windows Server 2008 SP2 / R2 SP1
  • Windows Server 2012 / 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Microsoft released patches via the June 2021 security update cycle. Administrators should consult the Microsoft Security Response Center advisory for the specific KB article applicable to each OS version. Systems that have reached end-of-life (e.g., Windows 7 without ESU) may not have received patches.

Remediation

  1. Apply Security Updates: Install the Microsoft security update corresponding to CVE-2021-1675 for your Windows version as soon as possible.
  2. Disable Print Spooler (if printing is not required): On systems where printing is unnecessary, disable and stop the Print Spooler service:
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    
  3. Isolate Print Servers: Restrict network access to print servers using host-based firewalls and network segmentation. Do not expose SMB/RPC to untrusted networks.
  4. Enable RPC Filters / Compensating Controls: Where patches cannot be applied immediately, consider implementing RPC filters or disabling inbound remote printing via Group Policy.
  5. Validate Driver Installation: Enforce Point and Print restrictions to prevent non-administrators from installing printer drivers.

Detection

  • Windows Event Logs: Monitor for Event ID 808 (Print Spooler errors) and unusual driver-installation events.
  • File System: Alert on unexpected DLL writes to %SYSTEMROOT%\System32\spool\drivers or driver-loading from remote shares.
  • Network: Monitor for abnormal SMB/RPC traffic to the Print Spooler service from unexpected source IPs.
  • EDR/XDR: Look for spooler process (spoolsv.exe) making unusual network connections, loading DLLs from user-writable paths, or spawning child processes.

Assessment

With an EPSS score of 0.86132 (86.1% probability of exploitation in the wild within 30 days) and inclusion in both the CISA KEV catalog and the EUVD register, CVE-2021-1675 represents a critical, actively exploited threat. The high EPSS percentile (99.7%) places it in the top tier of observed vulnerabilities.

Key lessons:

  1. Legacy services running with SYSTEM privileges remain a systemic risk. The Print Spooler has been a recurring source of high-severity vulnerabilities because it bridges user-level operations with privileged driver installation.
  2. Rapid patching alone is insufficient for end-of-life systems. Organisations still running Windows 7 or Server 2008 without extended support should prioritise upgrade or isolation.

References

Frequently asked questions

What is CVE-2021-1675?
Windows Print Spooler Remote Code Execution Vulnerability
How severe is CVE-2021-1675?
CVE-2021-1675 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-1675 being actively exploited?
Yes. CVE-2021-1675 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-1675?
CVE-2021-1675 primarily affects Microsoft Windows 10 1507. In total, 17 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-1675?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-1675 have an EU (EUVD) identifier?
Yes. CVE-2021-1675 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-7142. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2021-1675 published?
CVE-2021-1675 was published on 2021-06-08 and last updated on 2026-06-17.

References

Affected products (17)

More vulnerabilities in Microsoft Windows 10 1507

All CVEs affecting Microsoft Windows 10 1507 →