CVE-2021-34527
CVE-2021-34527 is a high-severity vulnerability in Microsoft Windows 10 1507 with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03).
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- CVSS v2: 9.0
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2021-21181
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Affected product: Microsoft Windows 10 1507
- Published:
- Last modified:
Description
<p>A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p> <p>UPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.</p> <p>In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (<strong>Note</strong>: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy setting are correct (see FAQ):</p> <ul> <li>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint</li> <li>NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)</li> <li>UpdatePromptSettings = 0 (DWORD) or not defined (default setting)</li> </ul> <p><strong>Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.</strong></p> <p>UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also <a href="https://support.microsoft.com/topic/31b91c02-05bc-4ada-a7ea-183b129578a7">KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates</a>.</p> <p>Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.</p>
CVE-2021-34527 (PrintNightmare): Windows Print Spooler Remote Code Execution
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2021-34527 |
| Severity (CVSS v3.1) | 8.8 HIGH |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| EPSS | 0.99759 (99.96th percentile) |
| Known Exploited | Yes (CISA KEV, since 2021-11-03) |
| Patched | July 6 / July 7, 2021 |
Summary
A remote code execution vulnerability exists in the Windows Print Spooler service. An attacker who successfully exploited this flaw could run arbitrary code with SYSTEM privileges, enabling full system compromise.
Background
The Windows Print Spooler is a long-running system service that manages print jobs and printer interactions. Due to its deep integration with the operating system, it historically runs with elevated privileges. CVE-2021-34527 — widely known as PrintNightmare — was disclosed in July 2021 alongside CVE-2021-1675. It represents a distinct remote code execution path in the Print Spooler that allows authenticated users to achieve SYSTEM-level access.
Root Cause
The vulnerability stems from improperly performed privileged file operations within the Print Spooler service. While the exact CWE identifier was not assigned in the source record, the underlying issue is a failure to properly validate and restrict file-system paths during driver installation and point-and-print operations. This allows an attacker to direct the privileged spooler process to load arbitrary code, resulting in privilege escalation and remote code execution.
Impact
The CVSS v3.1 score of 8.8 (HIGH) reflects the severity:
- Attack Vector (AV): Network — exploitable remotely.
- Attack Complexity (AC): Low — no special conditions required.
- Privileges Required (PR): Low — standard user credentials suffice.
- User Interaction (UI): None — fully automated exploitation possible.
- Scope (S): Unchanged — attacker operates within the compromised host.
- Confidentiality, Integrity, Availability (C/I/A): All rated HIGH — total system compromise.
With an EPSS score of 0.99759, this vulnerability is among the most likely to be exploited in the wild. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog confirms active, real-world exploitation.
Exploitation Walkthrough
Ethics Note: The following is a defensive overview for understanding attack mechanics. No weaponized exploit code is provided. Security practitioners should use this knowledge to improve detection and hardening only.
PrintNightmare exploitation typically follows these conceptual stages:
- Initial Access: The attacker gains authenticated access to the target system or network (e.g., via compromised credentials or an internal foothold).
- Driver Manipulation: The attacker leverages the Windows Point-and-Print protocol or direct RPC calls to the Print Spooler to trigger a driver installation.
- Path Hijacking: The attacker supplies a malicious DLL path, causing the privileged Print Spooler service to load and execute attacker-controlled code.
- SYSTEM Privileges: Because the spooler runs as SYSTEM, the malicious code inherits those privileges, granting the attacker full control over the host.
Defensive focus should be on monitoring for abnormal driver installations, unexpected spooler child processes, and suspicious DLL loads within the spoolsv.exe process.
Affected and Patched Versions
Microsoft confirmed the vulnerability affects a broad range of Windows operating systems, including:
- Windows 7 SP1
- Windows 8.1 / Windows RT 8.1
- Windows 10 (versions 1507, 1607, 1809, 20H2, 21H2, 22H2)
- Windows 11 (versions 21H2, 22H2)
- Windows Server 2008 SP2 / 2008 R2 SP1
- Windows Server 2012 / 2012 R2
- Windows Server 2016, 2019, 2022
- Windows Server 20H2
Security updates addressing this vulnerability were released on July 6, 2021 for most supported platforms, with additional updates for Windows Server 2012, Windows Server 2016, and Windows 10 Version 1607 released on July 7, 2021.
Remediation
-
Apply Microsoft Security Updates: Install the July 2021 cumulative updates for all affected Windows systems. Refer to the Microsoft Security Advisory for specific KB numbers per platform.
-
Restrict Printer Driver Installation: After patching, apply the guidance in KB5005010 to restrict installation of new printer drivers to administrators only.
-
Verify Registry Settings: Ensure the following registry values under
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrintare set to0or are undefined (the default secure state):NoWarningNoElevationOnInstallUpdatePromptSettings
Warning: Setting
NoWarningNoElevationOnInstallto1intentionally disables the elevation prompt and leaves the system vulnerable by design. -
Disable Print Spooler (if not required): On systems where printing is unnecessary, consider disabling the Print Spooler service entirely as a compensating control.
Detection
- Process Monitoring: Alert on
spoolsv.exespawning unexpected child processes (e.g., PowerShell, cmd.exe, or werfault.exe under unusual conditions). - DLL Load Events: Monitor for
spoolsv.exeloading DLLs from non-standard paths (user-writable directories, remote shares). - Registry Auditing: Track changes to
PointAndPrintregistry keys. - Network Signatures: Monitor for abnormal RPC traffic to the Print Spooler service from unexpected sources.
Assessment
PrintNightmare is a textbook example of how legacy, highly-privileged system services can become critical attack vectors. Its combination of network accessibility, low privilege requirements, and immediate SYSTEM compromise makes it a prime target for both ransomware operators and advanced persistent threat (APT) groups.
Key lessons:
- High EPSS + KEV = Urgent Patching Priority: An EPSS of 0.99759 and active KEV status should trigger emergency patch cycles, not routine maintenance windows.
- Compensating Controls Matter: For environments where immediate patching is impossible, disabling the Print Spooler or enforcing driver installation restrictions via Group Policy can buy critical time.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34527
- https://www.kb.cert.org/vuls/id/383432
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-34527
- https://support.microsoft.com/topic/31b91c02-05bc-4ada-a7ea-183b129578a7
- https://www.vicarius.io/vsociety/posts/cve-2021-34527-printnightmare-detection-script
- https://www.vicarius.io/vsociety/posts/cve-2021-34527-printnightmare-mitigation-script
Frequently asked questions
- What is CVE-2021-34527?
- <p>A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p> <p>UPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.</p> <p>In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (<strong>Note</strong>: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy setting are correct (see FAQ):</p> <ul> <li>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint</li> <li>NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)</li> <li>UpdatePromptSettings = 0 (DWORD) or not defined (default setting)</li> </ul> <p><strong>Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.</strong></p> <p>UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also <a href="https://support.microsoft.com/topic/31b91c02-05bc-4ada-a7ea-183b129578a7">KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates</a>.</p> <p>Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.</p>
- How severe is CVE-2021-34527?
- CVE-2021-34527 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-34527 being actively exploited?
- Yes. CVE-2021-34527 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-34527?
- CVE-2021-34527 primarily affects Microsoft Windows 10 1507. In total, 19 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-34527?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-34527 have an EU (EUVD) identifier?
- Yes. CVE-2021-34527 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-21181. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2021-34527 published?
- CVE-2021-34527 was published on 2021-07-02 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/167261/Print-Spooler-Remote-DLL-Injection.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34527
- https://www.kb.cert.org/vuls/id/383432
- https://www.vicarius.io/vsociety/posts/cve-2021-34527-printnightmare-detection-script
- https://www.vicarius.io/vsociety/posts/cve-2021-34527-printnightmare-mitigation-script
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-34527
Affected products (19)
- cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_20h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_20h2:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows 10 1507
- CVE-2025-53766 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.
- CVE-2025-47981 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over…
- CVE-2025-21307 — Critical (CVSS 9.8): Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
- CVE-2025-21298 — Critical (CVSS 9.8): Windows OLE Remote Code Execution Vulnerability
- CVE-2024-49112 — Critical (CVSS 9.8): Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
- CVE-2024-43491 — Critical (CVSS 9.8): Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities…