CVE-2022-21997

7.1 HIGH

📋 TL;DR

This is a local elevation-of-privilege bug in the Windows Print Spooler service (spoolsv.exe). An attacker who already has code execution as a low-privileged local user can abuse it to run code as SYSTEM; it does not by itself give remote access. Print Spooler starts automatically on workstations and most servers, so the vulnerable surface is present across nearly every enterprise Windows estate.

💻 Affected Systems

Products:
  • Windows Print Spooler
Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with Print Spooler service enabled (default on most Windows installations)

📦 What is this software?

The Windows Print Spooler (spoolsv.exe) is the service that queues print jobs, loads printer drivers and exposes the MS-RPRN/MS-PAR RPC interfaces used for local and network printing. It runs as SYSTEM and starts automatically on every Windows edition, which is why elevation bugs in it matter: any code path that lets a low-privileged user influence what the service loads or writes lands directly at SYSTEM.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of malware, data theft, and lateral movement across the network.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, install persistent backdoors, and access sensitive system resources.

🟢

If Mitigated

Limited impact if Print Spooler is disabled or proper network segmentation prevents lateral movement.

🌐 Internet-Facing: LOW (Print Spooler typically not exposed to internet, requires local access or network foothold)
🏢 Internal Only: HIGH (Common in enterprise networks, Print Spooler often enabled by default)

🎯 Exploit Status

Public PoC: ⚠️ Assume yes (public exploit code circulated for the other Print Spooler elevation bugs fixed in the same February 2022 release; do not rely on the absence of a PoC that names this CVE specifically)
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No (needs an authenticated, low-privileged local session)
Complexity: MEDIUM

Requires code execution on the target, e.g. a phished user's session or a foothold from another bug, and turns it into SYSTEM. The Print Spooler has a track record here: the 2021 PrintNightmare family (CVE-2021-34527 among them) was exploited in the wild, so expect any new Spooler elevation bug to be picked up by attackers quickly.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: February 2022 cumulative updates (released 8 February 2022), e.g. KB5010342 for Windows 10 20H2/21H1/21H2 and KB5010386 for Windows 11 21H2; any later cumulative update also contains the fix. Look up the KB for your exact build in the advisory.

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21997

Restart Required: Yes

Instructions:

1. Install the February 2022 cumulative update (or any later one; cumulative updates supersede it) via Windows Update.
2. Enterprise: deploy through WSUS, SCCM/MECM or Intune, and schedule the required reboot.
3. Verify from PowerShell with Get-HotFix -Id <KB> for your build, or compare the OS build revision shown by ver/winver against the fixed build in the advisory. wmic qfe list still works on older builds but is deprecated and removed from current Windows 11.

🔧 Temporary Workarounds

Disable Print Spooler Service

Stops the vulnerable service entirely, which removes the attack surface but also removes all printing (including print-to-PDF) on that host. Run from an elevated prompt; the space after start= is required by sc.

sc stop spooler
sc config spooler start= disabled

Restrict Spooler Directory Permissions

Adds a deny ACE on the spool directory so that unprivileged users cannot delete or tamper with spool files. This is a generic hardening step carried over from earlier Spooler advisories, not a vendor-documented mitigation for this CVE, so do not treat it as a substitute for the patch. Caveat: Everyone includes SYSTEM, so this deny also applies to the spooler itself and can stop it cleaning up its own spool files; test on a non-production host first, and revert with icacls C:\Windows\System32\spool\PRINTERS /remove:d Everyone if printing breaks.

icacls C:\Windows\System32\spool\PRINTERS /deny Everyone:(OI)(CI)(DE,DC)

🧯 If You Can't Patch

  • Disable Print Spooler service on non-print servers
  • Implement network segmentation to isolate print servers and restrict access
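The following is an added example, not part of the advisory, showing how to apply the "disable on non-print servers" rule across a fleet without accidentally taking down a print server. It uses PowerShell remoting and the PrintManagement module's Get-Printer (Windows 8/Server 2012 and later); a host is treated as a print server if it shares at least one printer. The hostnames are hypothetical, and the first pass is a dry run so the report can be reviewed before anything changes.

```powershell
# Added example (not the advisory's own code). Stops and disables Print Spooler on
# every target that does NOT share a printer; hosts with shared printers are
# reported and left alone so they keep printing (patch those instead).
# Requires WinRM/PowerShell remoting and local admin rights on the targets.

$Targets = @('ws-finance-01', 'ws-hr-07', 'printsrv-01')   # hypothetical host list

$remediate = {
    param([bool]$DryRun)

    # Heuristic for "is this a print server": any shared printer object.
    $shared = @()
    if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
        $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object Shared)
    }

    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $result = [ordered]@{
        Computer       = $env:COMPUTERNAME
        SharedPrinters = $shared.Count
        Before         = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'NotInstalled' }
        Action         = 'none'
    }

    if ($svc -and $shared.Count -eq 0) {
        if ($DryRun) {
            $result.Action = 'would stop+disable'
        } else {
            Stop-Service -Name Spooler -Force -ErrorAction Stop
            Set-Service  -Name Spooler -StartupType Disabled
            $result.Action = 'stopped+disabled'
        }
    } elseif ($shared.Count -gt 0) {
        $result.Action = 'skipped: shares printers, patch instead'
    }

    [pscustomobject]$result
}

# Pass 1: dry run. Review the table before running pass 2.
Invoke-Command -ComputerName $Targets -ScriptBlock $remediate -ArgumentList $true |
    Format-Table Computer, SharedPrinters, Before, Action -AutoSize

# Pass 2 (uncomment after review): actually stop and disable.
# Invoke-Command -ComputerName $Targets -ScriptBlock $remediate -ArgumentList $false
```

Keep the dry-run output as a change record; the Before column tells you what to restore (Set-Service -StartupType Automatic; Start-Service Spooler) once the host is patched.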

🔍 How to Verify

Check if Vulnerable:

A host is exposed if the Print Spooler service is running and the February 2022 (or any later) cumulative update is absent. From an elevated prompt: 'sc query spooler' (or Get-Service Spooler) shows the service state, and Get-HotFix -Id <KB> (KB5010342 on Windows 10 20H2-21H2, KB5010386 on Windows 11 21H2; see the advisory for other builds) shows whether that update is installed. A missing KB alone does not prove exposure, because later cumulative updates supersede it without listing it; the build revision is the authoritative check.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

systeminfo reports only the major build (e.g. 10.0.19044). The full build with revision, which is what to compare against the fixed build in the advisory, comes from 'ver' or winver (e.g. 10.0.19044.1526 is the February 2022 build for Windows 10 21H2; 22000.493 for Windows 11 21H2).

Verify Fix Applied:

Get-HotFix -Id KB5010342 (or the KB for your build), or confirm that the build revision from 'ver' is at or above the February 2022 release. 'wmic qfe list | findstr KB5010342' gives the same answer on builds that still ship wmic.
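The check above is combined here into one script, as an added example that is not part of the advisory. It reports the host as exposed only when the Spooler is running and the February 2022 fix cannot be confirmed, and it prefers the build revision over Get-HotFix because cumulative updates supersede each other. The revision table covers only the builds named above; it is an assumption to confirm against the MSRC advisory, and other builds fall back to a date-based hotfix check.

```powershell
# Added example (not the advisory's own code). Run in an elevated PowerShell session.
# Exposed = Print Spooler running AND February 2022 (or later) fix not confirmed.

$PatchTuesday = Get-Date '2022-02-08'

# Minimum build revision (UBR) carrying the February 2022 fix.
# ASSUMPTION: values as recalled for these builds; confirm against the MSRC advisory.
$FixedRevision = @{
    19042 = 1526   # Windows 10 20H2  (KB5010342)
    19043 = 1526   # Windows 10 21H1  (KB5010342)
    19044 = 1526   # Windows 10 21H2  (KB5010342)
    22000 = 493    # Windows 11 21H2  (KB5010386)
}

function Get-SpoolerExposure {
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $running = [bool]($spooler -and $spooler.Status -eq 'Running')

    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # Primary check: build revision. Any revision at or above the February 2022
    # one contains the fix, whether or not that specific KB is listed.
    $patched = $null
    if ($FixedRevision.ContainsKey($build)) {
        $patched = $ubr -ge $FixedRevision[$build]
    }

    # Fallback for builds not in the table: a security update installed on or
    # after Patch Tuesday. InstalledOn can be blank on some hosts, so a miss
    # here means "undetermined", not "vulnerable".
    if ($null -eq $patched) {
        $recent = Get-HotFix | Where-Object {
            $_.Description -eq 'Security Update' -and
            $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday
        }
        $patched = if ($recent) { $true } else { $null }
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        OSBuild        = "$build.$ubr"
        SpoolerStartup = if ($spooler) { $spooler.StartType } else { 'NotInstalled' }
        SpoolerRunning = $running
        PatchDetected  = $patched                       # $true / $false / $null
        Exposed        = ($running -and $patched -ne $true)
    }
}

Get-SpoolerExposure | Format-List
```

Wrap the function in Invoke-Command -ComputerName to run it fleet-wide; the returned objects pipe straight into Export-Csv for a remediation list.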

📡 Detection & Monitoring

Log Indicators:

  • System log Event ID 7036 for the Print Spooler service (state changes); an unexpected stop/start pair is what an exploit that crashes or reloads the service leaves behind
  • Microsoft-Windows-PrintService/Operational Event ID 316 (printer driver added) and 808 (spooler failed to load a plug-in module); this log is disabled by default and must be enabled before it records anything
  • Security Event ID 4688 (process creation, with process auditing enabled) where the creator process is spoolsv.exe and the child is anything other than splwow64.exe or PrintIsolationHost.exe

Network Indicators:

  • Unexpected MS-RPRN traffic to the Print Spooler: RPC over SMB via the \pipe\spoolss named pipe (TCP 445) or over TCP after an endpoint-mapper lookup (TCP 135)
  • SMB traffic to print$ or other print shares from hosts that are not print clients of that server

SIEM Query:

Splunk-style search over the System log. Field names depend on your Windows add-on: in the Splunk add-on the service name and state are in the message text rather than in dedicated fields, so adjust before use.

EventCode=7036 Message="*Print Spooler*" | stats count by _time, host, Message
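The indicators above, pulled together into host-side triage logic as an added example that is not part of the advisory. Get-SpoolerSignals collects the three event sources live; Test-SpoolerEvent applies the rules and is exercised here over constructed sample events so the logic can be checked offline. The PrintService/Operational log must be enabled first (wevtutil sl Microsoft-Windows-PrintService/Operational /e:true), and 4688 needs process creation auditing; both are assumptions about the host configuration.

```powershell
# Added example (not the advisory's own code): collect and triage Print Spooler events.

function Get-SpoolerSignals {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    # 7036: service state change (System log), narrowed to the Print Spooler.
    $svc = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Print Spooler*' }

    # 316: printer driver added; 808: spooler failed to load a plug-in module.
    $print = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316, 808; StartTime = $Since } -ErrorAction SilentlyContinue

    # 4688: process creation whose creator is spoolsv.exe.
    $proc = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Creator Process Name:\s+\S*\\spoolsv\.exe' }

    @($svc) + @($print) + @($proc) | Sort-Object TimeCreated
}

function Test-SpoolerEvent {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $reason = $null
        switch ($Event.Id) {
            7036 { if ($Event.Message -match 'Print Spooler') { $reason = 'spooler state change; check who restarted it and what followed' } }
            316  { $reason = 'printer driver added; expected only from print admins in a change window' }
            808  { $reason = 'spooler failed to load a plug-in module; classic driver-abuse artefact' }
            4688 {
                # splwow64.exe and PrintIsolationHost.exe are normal spooler children; anything else is not.
                if ($Event.Message -match 'Creator Process Name:\s+\S*\\spoolsv\.exe' -and
                    $Event.Message -notmatch 'New Process Name:\s+\S*\\(splwow64|PrintIsolationHost)\.exe') {
                    $reason = 'unexpected child process of spoolsv.exe'
                }
            }
        }
        if ($reason) { [pscustomobject]@{ Time = $Event.TimeCreated; Id = $Event.Id; Reason = $reason } }
    }
}

# Constructed sample events (not real telemetry) to exercise the rules offline.
# Expected: the first three are flagged, the splwow64.exe child is not.
$samples = @(
    [pscustomobject]@{ TimeCreated = (Get-Date); Id = 7036; Message = 'The Print Spooler service entered the stopped state.' },
    [pscustomobject]@{ TimeCreated = (Get-Date); Id = 808;  Message = 'The print spooler failed to load a plug-in module C:\Windows\System32\spool\DRIVERS\x64\3\untrusted.dll, error code 0x7e.' },
    [pscustomobject]@{ TimeCreated = (Get-Date); Id = 4688; Message = "New Process Name: C:\Windows\System32\cmd.exe`r`nCreator Process Name: C:\Windows\System32\spoolsv.exe" },
    [pscustomobject]@{ TimeCreated = (Get-Date); Id = 4688; Message = "New Process Name: C:\Windows\splwow64.exe`r`nCreator Process Name: C:\Windows\System32\spoolsv.exe" }
)
$samples | Test-SpoolerEvent | Format-Table -AutoSize

# Live run on a host: Get-SpoolerSignals | Test-SpoolerEvent
```

The 7036 rule is deliberately broad; on its own it is noisy, and its value is as the timestamp to pivot from into the 4688 and 808 results around it.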
