CVE-2022-29132
📋 TL;DR
This vulnerability allows attackers to gain SYSTEM-level privileges on Windows systems by exploiting the Print Spooler service. It affects Windows servers and workstations where the Print Spooler service is running. Attackers can execute arbitrary code with elevated privileges if they can run code on the target system.
💻 Affected Systems
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
📦 What is this software?
Windows 10 by Microsoft
Windows 11 by Microsoft
Windows 7 by Microsoft
Windows 8.1 by Microsoft
Windows Rt 8.1 by Microsoft
Windows Server by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement across the network, and data exfiltration.
Likely Case
Local privilege escalation from a lower-privileged user account to SYSTEM, allowing attackers to bypass security controls and maintain persistence on compromised systems.
If Mitigated
Limited impact if Print Spooler service is disabled on non-essential systems and proper network segmentation is in place.
🎯 Exploit Status
Exploitation requires local access or ability to execute code on the target system. The vulnerability is in the Print Spooler service which runs with SYSTEM privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: May 10, 2022 security updates (KB5013942 for Windows 10 21H2, KB5013943 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29132
Restart Required: Yes
Instructions:
1. Apply May 2022 Windows security updates from Microsoft Update.
2. Restart the system to complete installation.
3. Verify the update is installed via Windows Update history or system information.
🔧 Temporary Workarounds
Disable Print Spooler Service
Stops the vulnerable service from running, preventing exploitation. This will disable printing functionality.
sc stop spooler
sc config spooler start= disabled
Restrict Spooler Directory Permissions
Modify permissions on the spool directory to prevent unauthorized access.
icacls C:\Windows\System32\spool\PRINTERS /deny Everyone:(OI)(CI)(DE,DC)
🧯 If You Can't Patch
- Disable Print Spooler service on all non-essential systems, especially servers that don't require printing functionality.
- Implement network segmentation to isolate systems with Print Spooler enabled and restrict lateral movement capabilities.
🔍 How to Verify
Check if Vulnerable:
Check if Print Spooler service is running and system hasn't received May 2022 security updates: 'sc query spooler' and 'systeminfo | findstr /B /C:"OS Name" /C:"OS Version"'
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
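Verify May 2022 security updates are installed: 'wmic qfe list | findstr "KB501394"' or check Windows Update history for KB5013942/KB5013943. Windows updates are cumulative, so a system patched with a later cumulative update also carries the fix even when these KB numbers are not listed.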
📡 Detection & Monitoring
Log Indicators:
- Event ID 7036 (Service state changes for spooler)
- Unexpected Print Spooler service restarts
- Suspicious process creation from spoolsv.exe
Network Indicators:
- Unexpected RPC calls to Print Spooler service (port 135, 445)
- SMB traffic to spooler named pipes
SIEM Query:
EventID=7036 AND ServiceName="spooler" | where ServiceState="running" OR ServiceState="stopped"
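
The log indicators listed above can be correlated per host instead of being matched one event at a time. The following is an added example, not part of the original advisory or any vendor tooling: it assumes events have already been exported into a normalized dictionary schema, that process creation is logged as Security event 4688, and that the child-process list and restart window are tuning choices made here.

```python
from datetime import datetime, timedelta

# Assumption: child images worth alerting on under spoolsv.exe; tune per environment.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}
# Assumption: a stop followed by a start inside this window counts as a restart.
RESTART_WINDOW = timedelta(minutes=5)
# 7036 records carry the display name; the page's query uses the short name.
SPOOLER_NAMES = {"print spooler", "spooler"}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_spooler_indicators(events):
    """Return (host, time, reason) tuples for spooler restarts and spoolsv.exe children."""
    alerts, last_stop = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        host, when = ev["host"], ev["time"]
        if ev["event_id"] == 7036 and ev["service"].lower() in SPOOLER_NAMES:
            if ev["state"] == "stopped":
                last_stop[host] = when
            elif ev["state"] == "running" and host in last_stop:
                # A start with no recorded stop (e.g. boot) is not treated as a restart.
                if when - last_stop.pop(host) <= RESTART_WINDOW:
                    alerts.append((host, when, "spooler restart"))
        elif ev["event_id"] == 4688 and basename(ev["parent"]) == "spoolsv.exe":
            child = basename(ev["image"])
            if child in SUSPICIOUS_CHILDREN:
                alerts.append((host, when, f"spoolsv.exe spawned {child}"))
    return alerts

def ts(s):
    return datetime.fromisoformat(s)

# Constructed sample events in an assumed normalized schema (not real telemetry).
SAMPLE_EVENTS = [
    {"time": ts("2022-05-12T09:00:00"), "host": "ws01", "event_id": 7036, "service": "Print Spooler", "state": "stopped"},
    {"time": ts("2022-05-12T09:00:40"), "host": "ws01", "event_id": 7036, "service": "Print Spooler", "state": "running"},
    {"time": ts("2022-05-12T09:01:05"), "host": "ws01", "event_id": 4688,
     "parent": r"C:\Windows\System32\spoolsv.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"time": ts("2022-05-12T10:00:00"), "host": "srv02", "event_id": 7036, "service": "Print Spooler", "state": "running"},
    {"time": ts("2022-05-12T10:02:00"), "host": "srv02", "event_id": 4688,
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for alert in find_spooler_indicators(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample, only ws01 produces alerts: the stop/start pair 40 seconds apart and the cmd.exe child of spoolsv.exe. The srv02 start without a prior stop and the cmd.exe launched from explorer.exe are ignored.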