CVE-2021-34483

7.8 HIGH

📋 TL;DR

CVE-2021-34483 is an elevation-of-privilege flaw in the Windows Print Spooler service (spoolsv.exe, which runs as SYSTEM). A local, authenticated, low-privileged user can exploit it to run arbitrary code as SYSTEM and take full control of the host. It is not remotely exploitable on its own: the attacker first needs a foothold (a valid account, a compromised user-level process, or an interactive session on a shared host such as a terminal server), which matches the 7.8 local-attack-vector score. It affects Windows client and server editions on which the Print Spooler service is running.

💻 Affected Systems

Products:
  • Windows 10
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows 8.1
Versions: Multiple Windows versions; see the Microsoft advisory for the exact affected builds and the July 2021 update package that matches each one
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires the Print Spooler service to be running. The service is installed and set to start automatically on client and server editions alike, not only on dedicated print servers, so an unpatched host is exposed unless the service has been explicitly disabled.

📦 What is this software?

The Windows Print Spooler (spoolsv.exe) is the built-in service that queues print jobs, loads printer drivers and port monitors, and exposes printing to local and remote callers over RPC. It runs as LocalSystem, which is why a flaw in its code paths yields SYSTEM-level access rather than access as the calling user.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with SYSTEM privileges, enabling installation of malware, data theft, lateral movement, and persistence.

🟠

Likely Case

Privilege escalation from authenticated user to SYSTEM, allowing attackers to bypass security controls and maintain persistence.

🟢

If Mitigated

Limited impact if the Print Spooler is disabled on the host, since the vulnerable code never runs. Network segmentation does not remove a local privilege-escalation path; it only makes it harder for an attacker to obtain the initial foothold from which the flaw is exploited.

🌐 Internet-Facing: MEDIUM - The Print Spooler is not an internet-facing service and this flaw needs local, authenticated access. The exposure is indirect: any internet-reachable path that gives a low-privileged user code execution on the host (RDP, VPN or Citrix access, a web application running on the box) turns this into a direct route to SYSTEM.
🏢 Internal Only: HIGH - The realistic case is an attacker who already holds a domain user account or a compromised user-level process, uses this flaw to escalate to SYSTEM, and then moves laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The exploit requires authenticated local access; no user interaction is needed once that access is obtained. Multiple proof-of-concept exploits have been published since disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 13, 2021 security updates. Examples: KB5004237 for Windows 10 2004, 20H2 and 21H1 (one package covers all three), KB5004238 for Windows 10 1809 and Windows Server 2019; other builds have their own package, listed in the advisory. Any later cumulative update supersedes these and carries the fix as well.

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34483

Restart Required: Yes

Instructions:

1. Apply the July 2021 Windows security updates (or any later cumulative update) from Windows Update.
2. For enterprise fleets: deploy via WSUS, SCCM/MECM, or Intune.
3. Restart affected systems after patching; the fix is not active until the reboot.

🔧 Temporary Workarounds

Disable Print Spooler Service

windows

Stops the vulnerable service from running. Side effect: all printing on the host stops, including Microsoft Print to PDF and XPS output, so apply this only to hosts that do not print. The space after `start=` is required by sc.exe. The change is reversible by setting the start type back to automatic and starting the service.

sc stop spooler
sc config spooler start= disabled

Restrict Spooler Directory Permissions

windows

Defense-in-depth only: denies delete rights to Authenticated Users on the spool directories. This does not by itself close the privilege-escalation path and can break printer driver installation and point-and-print, so test on a pilot group first and treat the patch as the real fix.

icacls %systemroot%\system32\spool\printers /deny "Authenticated Users:(OI)(CI)(DE,DC)"
icacls %systemroot%\system32\spool\drivers /deny "Authenticated Users:(OI)(CI)(DE,DC)"
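The following PowerShell script is an added example, not part of this advisory or of any Microsoft guidance. It applies the "disable Print Spooler" workaround the way it should be applied at fleet scale: it refuses to disable the service on a host that shares printers (a print server) unless explicitly forced, records the previous start mode, verifies the result, and offers a `-Revert` switch to undo the change. The `-Force`/`-Revert` parameters are this script's own; it assumes an elevated session and the built-in PrintManagement module (`Get-Printer`, present on Windows 8.1 / Server 2012 R2 and later).

```powershell
# Added example (not from the advisory or Microsoft): disable the Print Spooler only
# on hosts that are not serving printers, keep enough state to revert, and verify.
# Run in an elevated PowerShell session.
param(
    [switch]$Force,     # disable even if this host shares printers
    [switch]$Revert     # put the service back to Automatic and start it
)

$svc = Get-Service -Name Spooler -ErrorAction Stop

if ($Revert) {
    Set-Service -Name Spooler -StartupType Automatic
    Start-Service -Name Spooler
    Write-Host "Spooler restored: status=$((Get-Service Spooler).Status)"
    return
}

# A host that shares printers is a print server; disabling the spooler there breaks
# printing for every client, so refuse unless -Force is given. Get-Printer needs the
# spooler running; if it is already stopped we simply get an empty list.
$shared = @()
if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
}
if ($shared.Count -gt 0 -and -not $Force) {
    Write-Warning ("This host shares {0} printer(s): {1}. Not disabling; use -Force to override." -f `
        $shared.Count, ($shared.Name -join ', '))
    return
}

# Record the previous start mode so the change can be reverted or audited later.
$startMode = (Get-CimInstance Win32_Service -Filter "Name='Spooler'").StartMode
Write-Host "Before: status=$($svc.Status) startmode=$startMode"

if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name Spooler -Force
}
Set-Service -Name Spooler -StartupType Disabled

# Verify: a stopped service with an Automatic start type comes back at next boot,
# so both the status and the start mode must be checked.
$after     = Get-Service -Name Spooler
$afterMode = (Get-CimInstance Win32_Service -Filter "Name='Spooler'").StartMode
Write-Host "After : status=$($after.Status) startmode=$afterMode"
if ($after.Status -ne 'Stopped' -or $afterMode -ne 'Disabled') {
    Write-Error "Spooler was not disabled; check for Group Policy or an endpoint product enforcing the service start type."
}
```

Run it as `.\Disable-Spooler.ps1` on a workstation, `.\Disable-Spooler.ps1 -Force` on a print server you have decided to take offline, and `.\Disable-Spooler.ps1 -Revert` to undo. Checking the start mode as well as the status matters: `sc stop spooler` alone is undone by the next reboot.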

🧯 If You Can't Patch

  • Disable Print Spooler service on non-print servers
  • Implement network segmentation to isolate print servers from critical systems

🔍 How to Verify

Check if Vulnerable:

A host is exposed when the Print Spooler service is running (or set to start) and the installed OS build revision is below the July 2021 cumulative update level for that build. Later cumulative updates supersede the July packages, so the absence of the July KB from the installed-updates list does not by itself mean the host is unpatched.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Note that systeminfo reports the major build (for example 19043) but not the update revision; the revision is the UBR value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, also shown by winver.

Verify Fix Applied:

Confirm that the July 2021 package for the build, or any later cumulative update, is installed. 'systeminfo' and 'Get-HotFix' list installed KBs, but a host patched after July 2021 shows only the newer cumulative update and the July KB will be absent; compare the build revision against the advisory instead of searching for the July KB number.
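This script is an added example, not part of the advisory, showing the check described above done correctly: it reads the build and update revision (UBR) from the registry, compares the revision against the July 2021 level for that build, and combines the result with the Spooler service state. The build-to-revision table is an assumption to confirm against the Microsoft advisory; it lists only the Windows 10 2004/20H2/21H1 and 1809/Server 2019 entries, and for any build not in the table (Windows 8.1 and Server 2012 R2 carry no UBR) it falls back to listing recent updates for manual comparison rather than guessing.

```powershell
# Added example (not from the advisory): is this host still exposed to CVE-2021-34483?
# Combines (a) Spooler service state and (b) OS build revision versus the July 2021 update.
# Get-HotFix alone is unreliable because later cumulative updates supersede the July KB;
# the build revision (UBR) only ever increases, so "revision >= July level" is the right test.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
$ubr   = [int]$cv.UBR            # Update Build Revision; absent (0) on Windows 8.1 / 2012 R2
$os    = (Get-CimInstance Win32_OperatingSystem).Caption

# Minimum revision carrying the July 13, 2021 fix. ASSUMPTION: confirm each entry against
# the Microsoft advisory and add the other builds your fleet runs.
$julyMin = @{
    19043 = 1110   # Windows 10 21H1                         (KB5004237)
    19042 = 1110   # Windows 10 20H2                         (KB5004237)
    19041 = 1110   # Windows 10 2004                         (KB5004237)
    17763 = 2061   # Windows 10 1809 / Windows Server 2019   (KB5004238)
}

$spooler   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$startMode = (Get-CimInstance Win32_Service -Filter "Name='Spooler'").StartMode

Write-Host "OS      : $os (build $build.$ubr)"
Write-Host "Spooler : status=$($spooler.Status) startmode=$startMode"

if (-not $spooler) {
    Write-Host "RESULT  : Spooler service not present; not exposed."
} elseif ($startMode -eq 'Disabled' -and $spooler.Status -eq 'Stopped') {
    Write-Host "RESULT  : Spooler disabled; mitigated, but still apply the update."
} elseif (-not $julyMin.ContainsKey($build)) {
    # Unknown build: do not guess. Show the newest installed updates for a manual check.
    Write-Host "RESULT  : build $build not in table; compare installed updates with the advisory manually."
    Get-HotFix | Sort-Object InstalledOn -Descending |
        Select-Object -First 5 HotFixID, InstalledOn | Format-Table -AutoSize
} elseif ($ubr -ge $julyMin[$build]) {
    Write-Host "RESULT  : patched (revision $ubr >= $($julyMin[$build]))."
} else {
    Write-Host "RESULT  : VULNERABLE (revision $ubr < $($julyMin[$build])); install the July 2021 or a later cumulative update and reboot."
}
```

The "Spooler disabled" branch is reported separately from "patched" on purpose: a disabled service is a workaround, and the host becomes vulnerable again the moment someone re-enables printing, so it should still be queued for the update.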

📡 Detection & Monitoring

Log Indicators:

  • System log, Service Control Manager Event ID 7036 for Print Spooler stop/start state changes
  • Event IDs 7031/7034 (service terminated unexpectedly) for Print Spooler: a failing exploit attempt typically crashes spoolsv.exe, and SCM then restarts it
  • Process creation (Security Event ID 4688, or Sysmon Event ID 1) whose parent process is spoolsv.exe; the spooler has few legitimate children, and a shell, script host or LOLBin under it is a strong signal

Network Indicators:

  • Remote RPC connections to the spooler (MS-RPRN/MS-PAR over the SMB named pipe \pipe\spoolss on 445/139, or over TCP on 135 plus a dynamic port) from hosts that are not normal print clients. For this local elevation-of-privilege flaw the network signal is secondary; host telemetry is the primary source.

SIEM Query:

source="windows" event_id=7036 AND service_name="Spooler" AND (state="stopped" OR state="started")

This query is noisy on its own: the spooler restarts legitimately on driver installs and updates. Correlate with 7031/7034 crash events and with process-creation events whose parent is spoolsv.exe before raising an alert.
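The following PowerShell hunt is an added example, not part of the page, that runs the two host-side checks above against one machine's event logs: Print Spooler state changes and crashes from the Service Control Manager, and processes whose parent is spoolsv.exe from Security Event ID 4688. It assumes an elevated session, a seven-day window (`$LookBack`, chosen here), "Audit Process Creation" enabled, and a Windows 10 / Server 2016 or later host (where 4688 carries ParentProcessName). The benign-child list is an assumption to tune for your own fleet.

```powershell
# Added example (not from the page): two host-side hunts for CVE-2021-34483 activity.
# Run elevated. Requires "Audit Process Creation" for the 4688 part.
$LookBack = (Get-Date).AddDays(-7)   # assumed hunting window

# --- 1. Service Control Manager: 7036 = state change, 7031/7034 = terminated unexpectedly.
# Properties[0] is the service display name, Properties[1] (7036 only) is the new state.
$scm = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036, 7031, 7034
    StartTime    = $LookBack
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq 'Print Spooler' } |
    Select-Object TimeCreated, Id,
        @{ n = 'Detail'; e = { if ($_.Id -eq 7036) { $_.Properties[1].Value } else { 'terminated unexpectedly' } } }

"== Print Spooler service events since $LookBack =="
$scm | Format-Table -AutoSize

# Crashes are the interesting part: a failing exploit kills spoolsv.exe, then SCM restarts it,
# so the pattern is 7031/7034 followed shortly by 7036 'running'.
$crashes = @($scm | Where-Object { $_.Id -ne 7036 })
if ($crashes.Count -gt 0) {
    Write-Warning "$($crashes.Count) Print Spooler crash(es) in window; investigate."
}

# --- 2. Security 4688: anything spawned by spoolsv.exe that is not a known print helper.
# ASSUMPTION: benign children commonly seen under spoolsv.exe; tune for your environment.
$benign = @('PrintIsolationHost.exe', 'splwow64.exe', 'printfilterpipelinesvc.exe')

$children = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $LookBack
} -ErrorAction SilentlyContinue | ForEach-Object {
    [xml]$x = $_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['ParentProcessName'] -like '*\spoolsv.exe') {
        $childName = Split-Path -Leaf $d['NewProcessName']
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Child   = $d['NewProcessName']
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Cmdline = $d['CommandLine']          # empty unless command-line auditing is on
            Benign  = ($benign -contains $childName)
        }
    }
}

"== Processes spawned by spoolsv.exe since $LookBack =="
$children | Format-Table -AutoSize

$suspect = @($children | Where-Object { -not $_.Benign })
if ($suspect.Count -gt 0) {
    Write-Warning "$($suspect.Count) unexpected child process(es) of spoolsv.exe; treat as possible post-exploitation."
}
```

Filtering on the parent's full path (`*\spoolsv.exe`) rather than on the process name avoids matching a renamed binary elsewhere, and keeping the benign list explicit makes the rule auditable when it is ported to a SIEM. To scale this across a fleet, wrap the two queries in `Invoke-Command -ComputerName` or feed the same logic to your SIEM's 4688/Sysmon parser.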
