Microsoft confirms “PrintNightmare” code execution vulnerability

Microsoft has just confirmed the exploit known as “PrintNightmare” that was recently discovered by the Cybersecurity & Infrastructure Security Agency.

This exploit affects the Windows print spooler and has been marked as critical since it can lead to remote code execution. The Windows Print Spooler is a component responsible for the printing process on Windows devices. An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges which will allow the attacker to view, change or delete data, install programs and create new accounts with administrative rights.

According to Microsoft, PrintNightmare zero-day is already being exploited!

Microsoft 365 Defender customers can also refer to the threat analytics report we published on this vulnerability. The report provides tech details, guidance for mitigating the impact of this threat, and advanced hunting queries, which are published here: https://t.co/tBunCJgn6W

— Microsoft Threat Intelligence (@MsftSecIntel) July 2, 2021

Microsoft is still investigating this vulnerability and offers a workaround in order to stay protected from exploitation of this vulnerability. The system admins should use group policy management or manually disable Print Spoolers on Domain Controllers which are not being used for printing.

Print spooler service can also be disabled with the following PowerShell commands:

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

Another option is to Disable inbound remote printing using Group Policy by navigating to the following GPO path:
Computer Configuration | Administrative Templates | Printers

and disable the following policy:

Allow Print Spooler to accept client connections

This policy blocks the remote attack vector by preventing inbound remote printing operations.