CVE-2023-24886
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on systems using vulnerable Microsoft PostScript and PCL6 Class Printer Drivers. Attackers can exploit this by sending specially crafted print jobs to vulnerable systems. Organizations using affected Windows versions with these printer drivers are at risk.
💻 Affected Systems
- Microsoft PostScript Printer Driver
- Microsoft PCL6 Class Printer Driver
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 20h2 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining SYSTEM privileges, enabling data theft, ransomware deployment, and persistent backdoor installation.
Likely Case
Privilege escalation leading to lateral movement within networks, credential harvesting, and deployment of additional malware payloads.
If Mitigated
Limited impact with proper network segmentation, print server isolation, and restricted printer driver permissions preventing successful exploitation.
🎯 Exploit Status
Exploitation requires sending malicious print jobs to vulnerable systems. No public exploit code is available as of current knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security updates released in March 2023
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24886
Restart Required: Yes
Instructions:
1. Apply March 2023 Windows security updates via Windows Update. 2. For enterprise: Deploy updates through WSUS or SCCM. 3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable vulnerable printer drivers
windowsRemove or disable Microsoft PostScript and PCL6 Class Printer Drivers from systems
Remove-PrinterDriver -Name "Microsoft PostScript Printer Driver"
Remove-PrinterDriver -Name "Microsoft PCL6 Class Printer Driver"
Restrict print spooler access
windowsConfigure firewall rules to restrict access to print spooler service (port 445, 139, 9100)
New-NetFirewallRule -DisplayName "Block Print Spooler" -Direction Inbound -Protocol TCP -LocalPort 445,139,9100 -Action Block
🧯 If You Can't Patch
- Network segmentation: Isolate print servers and restrict communication to authorized systems only
- Implement strict access controls: Limit who can send print jobs and monitor print spooler activity
🔍 How to Verify
Check if Vulnerable:
Check if Microsoft PostScript or PCL6 Class Printer Drivers are installed via Print Management console or PowerShell: Get-PrinterDriver | Select NameCheck Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify March 2023 security updates are installed: Get-HotFix | Where-Object {$_.InstalledOn -like "*03/2023*"}📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 307 in PrintService logs
- Unexpected print job submissions from unauthorized sources
- Spooler service crashes (Event ID 7031)
Network Indicators:
- Unusual SMB traffic to print servers
- Unexpected connections to port 9100 (raw printing)
- Malformed print job packets
SIEM Query:
source="WinEventLog:Security" EventID=4625 AND ProcessName="spoolsv.exe" OR source="WinEventLog:System" EventID=7031 AND ServiceName="Spooler"