CVE-2021-36958

7.8 HIGH

📋 TL;DR

Windows Print Spooler Remote Code Execution Vulnerability. When a user adds a printer from a remote print server (Point and Print), spoolsv.exe, which runs as SYSTEM, copies the files that the server's driver package names into the local driver store and loads the resulting DLLs. An attacker who controls such a print server therefore gets arbitrary code execution as SYSTEM on every client that connects to it, and a low-privileged user on the target can trigger the same path by connecting the host to a rogue server they run. Microsoft titles it remote code execution, but the CVSS vector is local with low privileges required (AV:L, PR:L), so in practice it is a local privilege escalation to SYSTEM with a remote delivery mechanism. It is one of the PrintNightmare family of spooler bugs from mid-2021 and was published on 11 August 2021 before a patch existed. The Print Spooler is enabled by default on every Windows SKU, domain controllers included, so successful exploitation means full control of the host.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: all Windows versions in support in August 2021 (Windows 7 SP1 and 8.1; every Windows 10 release; Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019 and 2022, including Server Core). Windows 11 was not released until October 2021, after the fix shipped, and is not listed in the advisory.
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The Print Spooler service is installed, set to Automatic and running by default on all Windows client and server SKUs, including domain controllers. A domain controller is the worst place to leave it running: SYSTEM on a DC is domain compromise, DCs have no need for local printing, and Microsoft's standing guidance is to disable the spooler there.

📦 What is this software?

The Windows Print Spooler (spoolsv.exe) is the built-in service that queues print jobs, manages installed printer drivers and implements Point and Print, the mechanism by which a client downloads and installs a driver from a print server when a user connects to a shared printer. It runs as SYSTEM, exposes an RPC interface (MS-RPRN) over SMB and TCP, and starts automatically on every Windows SKU, which is why spooler bugs are so valuable to attackers.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, allowing installation of malware, data theft, ransomware deployment, and creation of persistent backdoors across the network.

🟠

Likely Case

Lateral movement within enterprise networks, credential harvesting, and deployment of ransomware or other malware payloads.

🟢

If Mitigated

Limited impact. If the Print Spooler is stopped and disabled the vulnerable code path cannot be reached at all, and restricting which print servers clients may take drivers from (Point and Print approved-server policy) removes the remote delivery vector. Network segmentation does not stop the exploit itself, only the lateral movement that follows, and an attacker who already holds a low-privileged foothold can still try other escalation routes.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes (Benjamin Delpy demonstrated it publicly in August 2021, which is why Microsoft issued the advisory before a patch existed)
Weaponized: PUBLIC POC (reliable and reused by existing PrintNightmare tooling; Microsoft's advisory listed it as Publicly Disclosed: Yes, Exploited: No at publication)
Unauthenticated Exploit: ❌ No. The CVSS vector is local with low privileges required: the attacker needs an account on the target, or a user on the target who connects to the attacker's print server.
Complexity: LOW

A public proof of concept exists and the technique is the same Point and Print driver-file abuse as the actively exploited PrintNightmare bug CVE-2021-34527, so treat it as weaponized even though Microsoft did not confirm in-the-wild exploitation of this specific CVE.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: September 2021 cumulative updates, released 14 September 2021 (for example KB5005565 for Windows 10 2004/20H2/21H1, KB5005568 for Windows 10 1809 and Windows Server 2019, KB5005575 for Windows Server 2022). The August 2021 updates (KB5005033 and siblings) hardened Point and Print for CVE-2021-34481 but do not fix this CVE: the advisory was published on 11 August 2021 with no patch available and updated on 14 September when the fix shipped.

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36958

Restart Required: Yes

Instructions:

1. Apply the September 2021 cumulative update, or any later one, from Windows Update, WSUS or the Microsoft Update Catalog. Cumulative updates supersede each other, so a host that is current is fixed even if the September KB never appears in its history.
2. Restart the host. The update replaces the spooler binaries on disk, but the running spoolsv.exe keeps the old code until the service restarts.
3. Confirm the OS build (winver, or the CurrentBuild and UBR values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion) is at or above the build listed in the September KB article for your SKU.
4. Re-enable the Print Spooler only on hosts that actually need it; leave it disabled on domain controllers.

🔧 Temporary Workarounds

Disable Print Spooler Service

windows

Stops the vulnerable service so the code path cannot be reached. This is the only workaround in Microsoft's advisory. It disables all printing on the host, local and remote (print-to-PDF included), so apply it to domain controllers and to servers that do not share printers, and patch real print servers instead. Setting the start type to Disabled is what makes the change survive a reboot; stopping the service alone is undone at the next restart.

sc config spooler start= disabled
sc stop spooler

Restrict Spooler Directory Permissions

windows

Tightens the spool directory ACL so that only SYSTEM and Administrators can write to it. Treat this as defence in depth only: it is not in Microsoft's advisory, it does not block this CVE (the attacker's DLL arrives through the driver-install path into spool\drivers, not spool\PRINTERS), and removing Users from the PRINTERS directory breaks job spooling for standard users. If you apply it, save the existing ACL first (icacls <dir> /save <file>) so it can be restored with /restore.

icacls %systemroot%\system32\spool\printers /grant "SYSTEM:(OI)(CI)F" /grant "Administrators:(OI)(CI)F" /remove "Authenticated Users" /remove "Users"

🧯 If You Can't Patch

  • Stop and disable the Print Spooler on every host that does not share printers, starting with domain controllers. This is Microsoft's only listed workaround.
  • Where printing must stay on, restrict Point and Print to an allow-list of trusted servers with the Group Policy settings "Package Point and print - Approved servers" and "Point and Print Restrictions" (Computer Configuration > Administrative Templates > Printers). The attack needs the victim to take driver files from an attacker-controlled server, so an allow-list removes the remote delivery vector even though it is not the advisory's workaround.
  • Segment print servers and block SMB (445) and RPC (135 plus the dynamic port range) from workstations and domain controllers to anything that is not a sanctioned print server, so a rogue print server on the LAN or the internet cannot be reached.
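Microsoft's workaround is simply to stop and disable the service, but doing that blindly across a fleet also kills printing on the real print servers. The following PowerShell is an added example, not code from Microsoft's advisory or from the original page: it refuses to disable the spooler on a host that shares printers unless forced, calls out domain controllers, and sets the start type so the change survives a reboot. The function and parameter names are this example's own; it assumes the PrintManagement module (Windows 8 / Server 2012 and later) for Get-Printer and must run elevated.

```powershell
# Added example (not from Microsoft's advisory): disable the Print Spooler only where
# the host does not provide printing. Function names are this example's own.
#Requires -RunAsAdministrator

function Test-PrintServerRole {
    # $true when this host shares printers and therefore genuinely needs the spooler.
    # Get-Printer comes from the PrintManagement module; treat "module missing" as "no shares".
    if (-not (Get-Command Get-Printer -ErrorAction SilentlyContinue)) { return $false }
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    return $shared.Count -gt 0
}

function Test-DomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return @(4, 5) -contains $role
}

function Disable-PrintSpooler {
    param([switch]$Force)   # -Force: disable even on a host that shares printers

    $svc = Get-Service -Name Spooler -ErrorAction Stop
    if ((Test-PrintServerRole) -and -not $Force) {
        Write-Warning "This host shares printers; spooler left running. Patch it, or re-run with -Force."
        return $svc.Status
    }
    if (Test-DomainController) {
        Write-Host "Domain controller detected: disabling the spooler (recommended for DCs regardless of this CVE)."
    }
    if ($svc.Status -ne 'Stopped') {
        # -Force also stops dependent services; spoolsv has none by default.
        Stop-Service -Name Spooler -Force
    }
    # Disabled start type is what makes the change survive a reboot; Stop-Service alone does not.
    Set-Service -Name Spooler -StartupType Disabled
    return (Get-Service -Name Spooler).Status
}

Disable-PrintSpooler
```

Run it as a script from an elevated prompt; it prints the resulting service status (Stopped) or a warning when the host shares printers. Pair it with a Group Policy Preference or configuration-management rule that keeps the start type at Disabled, otherwise a later driver install or help-desk action will quietly turn the service back on.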

🔍 How to Verify

Check if Vulnerable:

A host is vulnerable if the Print Spooler service is running (Get-Service Spooler) and its installed cumulative update predates 14 September 2021. On Windows 10 and later compare the OS build's UBR value against the build in the September KB article for the SKU; on Windows 7, 8.1 and Server 2012 R2 and older, check for the September 2021 monthly rollup in Get-HotFix.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Confirm that the September 2021 cumulative update (KB5005565, KB5005568 or the equivalent for your SKU) or any later cumulative update is installed: Get-HotFix (or wmic qfe list) lists the KB, and the OS build shown by winver must be at or above the build given in that KB's article. Because cumulative updates supersede each other, a newer KB in the list is sufficient.
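An added PowerShell check, not from the page or from Microsoft, that combines the two conditions into one verdict: the spooler is running and the installed cumulative update is older than the September 2021 release. The build/UBR minimums in the table are the builds named in the 14 September 2021 KB articles for each SKU and should be confirmed against the KB for yours; releases before Windows 10 have no UBR value, so they are reported as unknown and you fall back to Get-HotFix. Function names are this example's own.

```powershell
# Added example (not from the page): is this host still exposed to CVE-2021-36958?
# Exposed = Print Spooler running AND cumulative update older than the September 14, 2021 release.
# Build -> minimum UBR, taken from the September 2021 KB articles; confirm for your SKU.
$SeptemberFixedUbr = @{
    '20348' = 230    # Windows Server 2022                    (KB5005575, build 20348.230)
    '19043' = 1237   # Windows 10 21H1                        (KB5005565, build 19043.1237)
    '19042' = 1237   # Windows 10 20H2                        (KB5005565, build 19042.1237)
    '19041' = 1237   # Windows 10 2004                        (KB5005565, build 19041.1237)
    '18363' = 1801   # Windows 10 1909                        (KB5005566, build 18363.1801)
    '17763' = 2183   # Windows 10 1809 / Windows Server 2019  (KB5005568, build 17763.2183)
    '14393' = 4651   # Windows 10 1607 / Windows Server 2016  (KB5005573, build 14393.4651)
}

function Get-WindowsBuild {
    # CurrentBuild is the major build, UBR the cumulative-update revision (Windows 10 and later only).
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{ Build = [string]$cv.CurrentBuild; Ubr = [int]$cv.UBR }
}

function Test-CVE202136958 {
    $build   = Get-WindowsBuild
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $running = [bool]($spooler -and $spooler.Status -eq 'Running')

    $minUbr = $SeptemberFixedUbr[$build.Build]
    if ($null -eq $minUbr) {
        $patched = $null          # build not in the table (pre-Windows 10 or newer SKU): check Get-HotFix
    } else {
        $patched = $build.Ubr -ge $minUbr
    }

    [pscustomobject]@{
        Build          = "$($build.Build).$($build.Ubr)"
        SpoolerRunning = $running
        Patched        = $patched        # $true / $false / $null = unknown
        Vulnerable     = $running -and ($patched -ne $true)   # unknown patch state counts as vulnerable
    }
}

Test-CVE202136958 | Format-List
```

Vulnerable is deliberately pessimistic: a running spooler on a build the table does not know is reported as vulnerable until you confirm the update by hand. Wrap the function in Invoke-Command -ComputerName to sweep a fleet and filter on Vulnerable -eq $true.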

📡 Detection & Monitoring

Log Indicators:

  • Security Event 4688 (or Sysmon Event 1) whose ParentProcessName ends in \spoolsv.exe: the spooler does not normally spawn processes, so any child is suspect
  • Sysmon Event 7 (image load) where spoolsv.exe loads a DLL from %SystemRoot%\System32\spool\drivers\ that is not Microsoft-signed
  • Microsoft-Windows-PrintService/Operational Event 316 (printer driver added or updated) and PrintService/Admin Event 808 (the print spooler failed to load a plug-in module) on hosts where no driver change was expected
  • Service Control Manager Event 7036 showing the Print Spooler entering the running state on a host where it had been disabled

Network Indicators:

  • SMB (445) or RPC (135 and the dynamic port range) connections from workstations or domain controllers to a print server that is not on the approved list, especially one reachable over the internet
  • Connections to the print$ share of a host that is not a known print server, which is where Point and Print fetches driver packages from

SIEM Query:

source="windows" ((event_id=4688 OR sysmon_event_id=1) AND parent_process="*\\spoolsv.exe") OR (sysmon_event_id=7 AND process_name="spoolsv.exe" AND image_loaded="*\\spool\\drivers\\*" AND signature_status!="Valid") OR (source_log="Microsoft-Windows-PrintService/Operational" AND event_id=316)

Field names are pseudo-schema; map them to your SIEM. Anchor the rule on spoolsv.exe as the parent or the loader: 4624 logons by SYSTEM are generated by every service and scheduled task and say nothing about the spooler.
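The following PowerShell is an added hunting script, not from the page or from any vendor, that pulls the indicators listed above out of a suspect host's built-in logs. It assumes process-creation auditing is on (Security 4688, with the ParentProcessName field that exists on Windows 10 / Server 2016 and later) and that the PrintService/Operational log is enabled; the unsigned-DLL check also flags legitimate third-party drivers that ship unsigned files, so read its output as leads, not verdicts. Function names are this example's own.

```powershell
# Added example (not from the page): hunt for spooler-abuse artefacts on one host.
# Run elevated. Sysmon Events 1 and 7 are better sources where they exist; this uses only built-in logs.

function Get-SpoolerChildProcesses {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt  = $_
        $data = @{}
        # EventData is a list of <Data Name="...">value</Data> elements; flatten it to a hashtable.
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        # spoolsv.exe has no business spawning processes; any child is worth a look.
        if ($data['ParentProcessName'] -like '*\spoolsv.exe') {
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                Parent  = $data['ParentProcessName']
                Child   = $data['NewProcessName']
                CmdLine = $data['CommandLine']          # empty unless command-line auditing is enabled
                Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
    }
}

function Get-RecentPrinterDrivers {
    # Event 316: "Printer driver ... was added or updated". Unexpected on hosts with no printing changes.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Get-UnsignedSpoolerDlls {
    # Attacker-supplied driver files land under spool\drivers; Microsoft's own files are signed.
    # Third-party drivers may legitimately carry unsigned DLLs, so correlate with the two queries above.
    Get-ChildItem "$env:SystemRoot\System32\spool\drivers" -Recurse -Filter *.dll -ErrorAction SilentlyContinue |
        Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' } |
        Select-Object FullName, LastWriteTime
}

Get-SpoolerChildProcesses | Format-Table -AutoSize
Get-RecentPrinterDrivers  | Format-Table -AutoSize
Get-UnsignedSpoolerDlls   | Format-Table -AutoSize
```

A hit in the first query (any process under spoolsv.exe) is close to a confirmed compromise on its own; a driver-add event or an unsigned DLL with a LastWriteTime in the same window tells you which driver package delivered it and what to pull for analysis.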

🔗 References

  • Microsoft Security Response Center, CVE-2021-36958 Windows Print Spooler Remote Code Execution Vulnerability: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36958