CVE-2022-21999: Windows Print Spooler Elevation of Privilege Vulnerability (SpoolFool)

CVSS 3.1 base score: 7.8 HIGH

📋 TL;DR

CVE-2022-21999 is a local elevation-of-privilege flaw in the Windows Print Spooler (spoolsv.exe, which runs as SYSTEM). An attacker who already has a low-privileged account or code execution on the host can abuse the spooler to run arbitrary code as SYSTEM. It affects Windows clients and servers on which the Print Spooler service is running, which is the default on most installations. It is not a remote code execution bug: the attacker needs a foothold first, then uses this to own the machine.

💻 Affected Systems

Products:
  • Windows Server
  • Windows Client
Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when Print Spooler service is enabled (default on most Windows installations).

📦 What is this software?

The Print Spooler (spoolsv.exe) is the Windows service that queues print jobs, manages printer drivers and serves the MS-RPRN and MS-PAR print RPC interfaces to local and remote clients. It runs as SYSTEM, starts automatically, and ships on both client and server SKUs, which is why spooler bugs so often turn into full privilege escalation.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement, and data exfiltration.

🟠

Likely Case

Privilege escalation from a lower-privileged user account to SYSTEM, allowing attackers to bypass security controls and maintain persistence.

🟢

If Mitigated

Limited impact if Print Spooler service is disabled or proper network segmentation prevents initial access.

🌐 Internet-Facing: MEDIUM - The bug itself is a local privilege escalation, so an internet-facing host is only at risk once an attacker has code execution on it (for example through a compromised web application or service); this CVE then turns that low-privileged foothold into SYSTEM.
🏢 Internal Only: HIGH - Any domain user with a session on a workstation or server, or any compromised account, can use this to escalate to SYSTEM and pivot to credential theft and lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated local session or prior code execution on the target; it cannot be triggered by an unauthenticated remote attacker. A public proof of concept (SpoolFool) was published alongside the disclosure, and CISA has added the CVE to its Known Exploited Vulnerabilities catalog.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: February 2022 security updates (Patch Tuesday, 8 February 2022). The KB number depends on the OS build; take it from the MSRC advisory below rather than from memory, and note that January 2022 updates do not contain this fix.

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21999

Restart Required: Yes

Instructions:

1. Apply the February 2022 (or later) cumulative update for the OS build from Microsoft Update or WSUS.
2. Restart the system; the spooler binaries are in use and are only replaced on reboot.
3. Confirm the update in Windows Update history, or compare the OS build number (winver / systeminfo) against the build listed in the MSRC advisory.

🔧 Temporary Workarounds

Disable Print Spooler Service

windows

Stops the vulnerable service and prevents it from starting again at boot. Run from an elevated cmd.exe; from PowerShell call sc.exe explicitly, because sc there is an alias for Set-Content. The space after start= is required.

sc stop spooler
sc config spooler start= disabled

Restrict Spooler Directory Permissions

windows

Denies non-administrators access to the default spool directory. Caveat: this stops every ordinary user from spooling jobs, so it breaks printing on that host; use it only where the spooler must stay running but nobody prints. Treat it as a hardening measure, not a substitute for the patch.

icacls %systemroot%\system32\spool\PRINTERS /deny "Authenticated Users":(OI)(CI)F

🧯 If You Can't Patch

  • Disable Print Spooler service on all non-print servers
  • Implement network segmentation to restrict RPC access to print servers
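The workaround above as a repeatable, reversible script. This is an added example written for this page, not code from Microsoft or from the advisory: it records the spooler's current state before disabling it, refuses to touch a host that shares printers (disabling the spooler there breaks printing for everyone), and a -Revert switch restores what was saved. The state-file path and the script name Disable-Spooler.ps1 are assumptions.

```powershell
# Disable-Spooler.ps1 (added example, not from the original advisory).
# Run from an elevated PowerShell session. -Revert restores the saved state.
param([switch]$Revert)

# Assumption: state is kept in ProgramData so an admin can find it later.
$StateFile = Join-Path $env:ProgramData 'spooler-state.json'

if ($Revert) {
    if (-not (Test-Path $StateFile)) { throw "No saved state at $StateFile" }
    $saved = Get-Content $StateFile | ConvertFrom-Json
    Set-Service -Name Spooler -StartupType $saved.StartType
    if ($saved.Status -eq 'Running') { Start-Service -Name Spooler }
    Get-Service -Name Spooler | Select-Object Name, Status, StartType
    return
}

$svc = Get-Service -Name Spooler

# Never disable the spooler on a print server: anything it shares would stop printing.
$shared = Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared }
if ($shared) {
    Write-Warning ("{0} shares {1} printer(s); leaving Spooler alone" -f $env:COMPUTERNAME, @($shared).Count)
    return
}

# Save the current state before changing anything, so the change can be undone.
[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    Status    = $svc.Status.ToString()
    StartType = $svc.StartType.ToString()
    Saved     = (Get-Date).ToString('o')
} | ConvertTo-Json | Set-Content -Path $StateFile

# Equivalent of "sc stop spooler" and "sc config spooler start= disabled".
if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
Set-Service -Name Spooler -StartupType Disabled
Get-Service -Name Spooler | Select-Object Name, Status, StartType
```

Roll out with `.\Disable-Spooler.ps1` and undo with `.\Disable-Spooler.ps1 -Revert`; the Get-Printer check depends on the PrintManagement module that ships with Windows 8 / Server 2012 and later.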

🔍 How to Verify

Check if Vulnerable:

The host is exposed when the Print Spooler service is running (or can be started) and the OS build predates the February 2022 security update for that branch.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Confirm that Windows Update history lists the February 2022 (or a later) cumulative update and that the OS build shown by winver / systeminfo is at or above the build given in the MSRC advisory for that branch.
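The two checks above combined into one report. This is an added example, not code from the advisory: it reads the build number and Update Build Revision (UBR) from the registry, looks at the Spooler service, and decides whether the host is still exposed. The per-build minimum UBR values in the table are my reading of what the February 2022 cumulative updates raised each branch to; treat them as assumptions and confirm them against the MSRC advisory before acting on the output.

```powershell
# Added example, not from the original advisory.
function Test-SpoolerPatchState {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR              # Update Build Revision, the part after the dot
    $svc   = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Assumed first UBR per build that carries the fix (verify against MSRC).
    $minUbr = @{
        14393 = 4946   # Windows 10 1607 / Server 2016
        17763 = 2565   # Windows 10 1809 / Server 2019
        19042 = 1526   # Windows 10 20H2
        19043 = 1526   # Windows 10 21H1
        19044 = 1526   # Windows 10 21H2
        19045 = 1526   # Windows 10 22H2 (same servicing line as 19044)
        20348 = 524    # Windows Server 2022
        22000 = 493    # Windows 11 21H2
    }

    if ($minUbr.ContainsKey($build)) {
        $fix = if ($ubr -ge $minUbr[$build]) { 'Patched' } else { 'Unpatched' }
    } elseif ($build -gt 22000) {
        $fix = 'Patched'               # branch released after the fix shipped
    } else {
        $fix = 'Unknown'               # not in the table: check the advisory manually
    }

    $status = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
    $start  = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
    $canRun = $svc -and ($svc.StartType -ne 'Disabled')

    # Exposed only when the service can run on a build without the fix.
    $exposed = switch ($fix) {
        'Unpatched' { if ($canRun) { 'Yes' } else { 'No (Spooler disabled)' } }
        'Patched'   { 'No' }
        default     { 'Unknown' }
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Build         = "$build.$ubr"
        SpoolerStatus = $status
        SpoolerStart  = $start
        FixState      = $fix
        Exposed       = $exposed
    }
}

Test-SpoolerPatchState | Format-List
```

Run it through Invoke-Command against a list of hosts to get one row per machine; a result of Unknown means the build is outside the table (for example an older server branch) and must be checked by hand.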

📡 Detection & Monitoring

Log Indicators:

  • System log Event ID 7036 from the Service Control Manager when the Print Spooler stops or starts; an unexpected restart on a host that should not be printing is the signal of interest
  • Printer creation and driver-load activity in the Microsoft-Windows-PrintService/Operational log (disabled by default; enable it before relying on it). Windows does not log individual RPC calls to spoolsv.exe, so that indicator needs EDR or network telemetry

Network Indicators:

  • Unusual RPC traffic to port 135/445 from non-print clients

SIEM Query:

EventID=7036 AND ServiceName="Print Spooler" AND (State="running" OR State="stopped")

Note: Event 7036 carries the service display name, "Print Spooler", not the short name "Spooler"; a filter on ServiceName="Spooler" matches nothing.
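The SIEM query above run locally against the Windows event log. This is an added example, not detection content from the advisory: it pulls Print Spooler start/stop events for the last seven days, tabulates them, counts transitions per day, and enables the PrintService operational log so the printer-activity indicators above have data behind them.

```powershell
# Added example, not from the original advisory. Run elevated for the wevtutil step.
function Get-SpoolerStateChanges {
    param([int]$Days = 7)
    $filter = @{ LogName = 'System'; Id = 7036; StartTime = (Get-Date).AddDays(-$Days) }
    # Event 7036: "The %1 service entered the %2 state." Properties[0] is the
    # display name ("Print Spooler"), Properties[1] the state ("running"/"stopped").
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq 'Print Spooler' } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Service = $_.Properties[0].Value
                State   = $_.Properties[1].Value
                Host    = $_.MachineName
            }
        }
}

$changes = Get-SpoolerStateChanges
$changes | Sort-Object Time | Format-Table -AutoSize

# Repeated restarts on a host that should not be printing are the pattern to alert on.
$changes | Group-Object { $_.Time.Date } | Select-Object Name, Count

# The PrintService operational log (printer creation, driver loads) is off by default.
wevtutil set-log Microsoft-Windows-PrintService/Operational /enabled:true
```

Forward the System and PrintService/Operational channels to the SIEM and apply the same display-name filter there; the per-day count is a reasonable baseline for an alert threshold on non-print hosts.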

🔗 References

  • Microsoft Security Response Center, CVE-2022-21999: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21999