CVE-2021-34481
📋 TL;DR
This CVE describes a remote code execution vulnerability in the Windows Print Spooler service that allows attackers to execute arbitrary code with SYSTEM privileges. It affects Windows systems with the Print Spooler service enabled. Successful exploitation gives attackers complete control over affected systems.
💻 Affected Systems
- Windows Print Spooler
📦 What is this software?
Windows 10 by Microsoft
Windows 7 by Microsoft
Windows 8.1 by Microsoft
Windows Rt 8.1 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, allowing installation of malware, data theft, ransomware deployment, and creation of persistent backdoors.
Likely Case
Lateral movement within networks, credential harvesting, and deployment of ransomware or other malware payloads.
If Mitigated
Limited impact if proper network segmentation, least privilege, and monitoring are in place, though SYSTEM compromise remains severe.
🎯 Exploit Status
Exploits have been publicly available and used in real attacks. The vulnerability is wormable in certain configurations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: August 2021 security updates (specific KB varies by Windows version)
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34481
Restart Required: Yes
Instructions:
1. Apply August 2021 Windows security updates from Microsoft Update.
2. Restart affected systems.
3. Verify Print Spooler service is running with updated binaries.
🔧 Temporary Workarounds
Disable Print Spooler Service
Platform: Windows
Stops the vulnerable service entirely, preventing exploitation but disabling printing functionality
sc stop spooler
sc config spooler start= disabled
Disable inbound remote printing
Platform: Windows
Prevents remote connections to the Print Spooler service (the policy key is created if missing, and the service is restarted so the setting takes effect)
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers' -Force | Out-Null
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers' -Name 'RegisterSpoolerRemoteRpcEndPoint' -Value 2 -Type DWord
Restart-Service -Name Spooler
🧯 If You Can't Patch
- Disable Print Spooler service on non-essential systems
- Implement network segmentation to isolate print servers and restrict SMB/RPC traffic
🔍 How to Verify
Check if Vulnerable:
Check if Print Spooler service is running and if August 2021 security updates are not installed
Check Version:
wmic qfe list | findstr "KB5005033 KB5005030 KB5005031"
Verify Fix Applied:
Verify August 2021 security updates are installed and Print Spooler service version shows updated binaries
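The checks above combined into one local PowerShell script, as an added example that is not part of the original advisory. It assumes the three KB numbers listed above (other Windows builds carry a different August 2021 KB, so a missing match on those builds is not by itself proof of exposure) and reads the same RegisterSpoolerRemoteRpcEndPoint value the workaround sets.

```powershell
# Added example: consolidated local exposure check for CVE-2021-34481.
# Assumption: the August 2021 KBs named on this page; adjust for other builds.
$kbs     = @('KB5005033', 'KB5005030', 'KB5005031')
$regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

# Service state: a stopped and disabled spooler cannot be reached at all.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

# Installed updates: Get-HotFix reads the same data as "wmic qfe list".
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $kbs -contains $_.HotFixID } |
    Select-Object -ExpandProperty HotFixID

# RegisterSpoolerRemoteRpcEndPoint: 2 = remote client connections blocked.
# An absent value means the default, i.e. remote connections are accepted.
$remoteRpc = (Get-ItemProperty -Path $regPath `
    -Name 'RegisterSpoolerRemoteRpcEndPoint' `
    -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

$result = [PSCustomObject]@{
    ComputerName      = $env:COMPUTERNAME
    SpoolerStatus     = if ($spooler) { $spooler.Status.ToString() }    else { 'NotInstalled' }
    SpoolerStartType  = if ($spooler) { $spooler.StartType.ToString() } else { 'NotInstalled' }
    PatchInstalled    = [bool]$installed
    MatchedKB         = ($installed -join ',')
    RemoteRpcDisabled = ($remoteRpc -eq 2)
}

# Verdict: patched beats disabled beats remote-only mitigation beats nothing.
$exposure = if ($result.PatchInstalled) {
    'Patched (listed August 2021 KB present)'
} elseif ($result.SpoolerStatus -ne 'Running' -and $result.SpoolerStartType -eq 'Disabled') {
    'Mitigated (Print Spooler stopped and disabled)'
} elseif ($result.RemoteRpcDisabled) {
    'Partially mitigated (remote RPC blocked; local exposure remains until patched)'
} else {
    'REVIEW: spooler running, remote RPC accepted, none of the listed KBs found'
}
$result | Add-Member -NotePropertyName Exposure -NotePropertyValue $exposure
$result | Format-List
```

Run in an elevated session so Get-HotFix and the HKLM read return complete data; the object can be exported with Export-Csv when run across a fleet.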
📡 Detection & Monitoring
Log Indicators:
- Event ID 4624 with SYSTEM account from unusual sources
- Print Spooler service crashes or unexpected restarts
- Suspicious DLL loads in spoolsv.exe process
Network Indicators:
- Unusual RPC/SMB traffic to ports 135 (RPC endpoint mapper) and 445 (SMB) from unexpected sources
- Spoolss named pipe connections from unauthorized systems
SIEM Query:
source="WinEventLog:Security" EventID=4624 AND TargetUserName="SYSTEM" | stats count by SourceAddress