CVE-2023-24925
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on systems using Microsoft PostScript and PCL6 Class Printer Drivers. Attackers can exploit this by sending specially crafted print jobs to vulnerable systems. Organizations using affected Windows versions with these printer drivers are at risk.
💻 Affected Systems
- Microsoft PostScript Printer Driver
- Microsoft PCL6 Class Printer Driver
📦 What is this software?
- Windows 10 1507 by Microsoft
- Windows 10 1607 by Microsoft
- Windows 10 1809 by Microsoft
- Windows 10 20H2 by Microsoft
- Windows 10 21H2 by Microsoft
- Windows 10 22H2 by Microsoft
- Windows 11 21H2 by Microsoft
- Windows 11 22H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining SYSTEM privileges, enabling lateral movement, data theft, and persistent access to the network.
Likely Case
Privilege escalation leading to installation of malware, ransomware deployment, or credential harvesting from the compromised system.
If Mitigated
Limited impact with proper network segmentation and print server isolation preventing lateral movement beyond the initial system.
🎯 Exploit Status
Microsoft rates this as 'Exploitation More Likely' in their advisory. The vulnerability requires network access to print services.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security updates released in May 2023
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24925
Restart Required: Yes
Instructions:
1. Apply the May 2023 Windows security updates via Windows Update.
2. For enterprise environments, deploy the updates through WSUS or SCCM.
3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable affected printer drivers (Windows)
Remove or disable the Microsoft PostScript and PCL6 Class Printer Drivers on affected systems:
Remove-PrinterDriver -Name "Microsoft PostScript Printer Driver"
Remove-PrinterDriver -Name "Microsoft PCL6 Class Printer Driver"
Restrict print spooler network access (Windows)
Block inbound connections to the print spooler service (ports 445, 139, 9100):
New-NetFirewallRule -DisplayName "Block Print Spooler" -Direction Inbound -Protocol TCP -LocalPort 445,139,9100 -Action Block
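The two workarounds above, wrapped in a script with the checks an operator needs before running them. This is an added example, not part of the advisory: it assumes the driver names are exactly those listed on the page, that it runs elevated, and that printers bound to an affected driver are removed first (Remove-PrinterDriver refuses to remove a driver that a printer still uses). The firewall rule is created only if it does not already exist, so the script can be re-run safely.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory): apply both workarounds with dependency
# handling and a dry-run mode. Driver names come from the page; nothing else is assumed.

$AffectedDrivers = @(
    'Microsoft PostScript Printer Driver',
    'Microsoft PCL6 Class Printer Driver'
)
$RuleName = 'Block Print Spooler'

function Get-PrintersUsingAffectedDrivers {
    # Printers that still reference an affected driver block its removal.
    Get-Printer | Where-Object { $AffectedDrivers -contains $_.DriverName }
}

function Disable-AffectedPrinterDrivers {
    param([switch]$WhatIf)
    foreach ($printer in Get-PrintersUsingAffectedDrivers) {
        Write-Host "Removing printer '$($printer.Name)' bound to '$($printer.DriverName)'"
        Remove-Printer -Name $printer.Name -WhatIf:$WhatIf
    }
    $installed = Get-PrinterDriver | Where-Object { $AffectedDrivers -contains $_.Name }
    if (-not $installed) {
        Write-Host 'No affected drivers installed; nothing to remove.'
        return
    }
    foreach ($driver in $installed) {
        Write-Host "Removing driver '$($driver.Name)' (version $($driver.DriverVersion))"
        Remove-PrinterDriver -Name $driver.Name -WhatIf:$WhatIf
    }
}

function Restrict-PrintSpoolerAccess {
    param([switch]$WhatIf)
    # Idempotent: re-running the script must not create duplicate rules.
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Write-Host "Firewall rule '$RuleName' already exists."
        return
    }
    # Same rule as the advisory's workaround. Port 445 also carries SMB file sharing,
    # so apply this on hosts that do not serve file shares, or scope it further.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 445,139,9100 -Action Block -WhatIf:$WhatIf | Out-Null
}

# Dry run first; drop -WhatIf once the reported actions look right.
Disable-AffectedPrinterDrivers -WhatIf
Restrict-PrintSpoolerAccess -WhatIf
```

Run it once with -WhatIf to see which printers and drivers would be removed; removing a printer that users depend on is the usual surprise, so the dependency list is printed before anything is deleted.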
🧯 If You Can't Patch
- Isolate print servers and restrict network access to print services
- Implement network segmentation to limit lateral movement from compromised systems
🔍 How to Verify
Check if Vulnerable:
Check whether the affected printer drivers are installed:
Get-PrinterDriver | Where-Object {$_.Name -like "*PostScript*" -or $_.Name -like "*PCL6*"}
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify Windows Update history for May 2023 security updates and check driver versions
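An added example (not from the advisory) that gathers the three "How to Verify" checks into one report: OS build, affected-driver inventory with versions, and updates installed since the May 2023 release. It assumes that the May 2023 cumulative update appears in Get-HotFix with an InstalledOn date on or after 2023-05-09 (that month's Patch Tuesday); the exact KB number for a given build must still be matched against the vendor advisory, since the page does not list KB numbers.

```powershell
# Added example (not from the advisory). Assumption: updates installed on or after
# 2023-05-09 are candidates for the May 2023 security update; confirm the KB number
# against the vendor advisory for your build.

$AffectedDriverPatterns = @('*PostScript*', '*PCL6*')
$PatchCutoff = Get-Date '2023-05-09'

function Get-OsBuildInfo {
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        Caption = $os.Caption
        Version = $os.Version
        Build   = $os.BuildNumber
        # UBR is the patch-level revision (the number after the dot in winver).
        UBR     = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    }
}

function Get-AffectedDriverInventory {
    Get-PrinterDriver | Where-Object {
        $name = $_.Name
        $AffectedDriverPatterns | Where-Object { $name -like $_ }
    } | Select-Object Name, Manufacturer, DriverVersion, InfPath
}

function Get-UpdatesSinceCutoff {
    # Get-HotFix only lists updates installed through Windows Update/WUSA;
    # InstalledOn can be empty for some entries, so those are skipped.
    Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchCutoff } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

function Test-CVE202324925Exposure {
    $drivers = @(Get-AffectedDriverInventory)
    $updates = @(Get-UpdatesSinceCutoff)
    $verdict =
        if ($drivers.Count -eq 0) { 'Not exposed: affected drivers are not installed' }
        elseif ($updates.Count -gt 0) { 'Drivers present; updates since May 2023 found - confirm the KB against the advisory' }
        else { 'EXPOSED: affected drivers present and no updates installed since May 2023' }
    [pscustomobject]@{
        Os                  = Get-OsBuildInfo
        AffectedDrivers     = $drivers
        UpdatesSinceMay2023 = $updates
        Verdict             = $verdict
    }
}

$report = Test-CVE202324925Exposure
$report.Os | Format-List
$report.AffectedDrivers | Format-Table -AutoSize
$report.UpdatesSinceMay2023 | Format-Table -AutoSize
$report.Verdict
```

The verdict is deliberately conservative: a host with the drivers installed is reported as exposed until an update newer than the cutoff is visible, and even then the KB must be matched by hand.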
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 307 (Print job completion) with suspicious source IPs
- Spooler service crashes (Event ID 7031, 7034)
- Unusual print job submissions from network sources
Network Indicators:
- Unexpected connections to print spooler ports (445, 139, 9100) from external sources
- Large or malformed print job network traffic
SIEM Query (Splunk syntax; event 307 is written to the PrintService/Operational channel, not the Security log, and `source_ip` stands for whatever field your collector extracts the client address into):
source="WinEventLog:Microsoft-Windows-PrintService/Operational" EventCode=307 | where NOT cidrmatch("<internal_ip_range>", source_ip)
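The same hunt run locally on a print server, as an added example that is not part of the advisory. It assumes that $InternalRanges is a placeholder for your own address space, and that event 307's properties follow the order of its message template (job id, document, user, client machine, printer, port, bytes, pages), so the client machine is Properties[3]. The PrintService/Operational channel is disabled by default, which is why the script includes a function to enable it; without it no 307 events exist to query.

```powershell
# Added example (not from the advisory): local hunt for the log indicators above.
# Assumptions: $InternalRanges is a placeholder; event 307 property order as documented.

$PrintLog = 'Microsoft-Windows-PrintService/Operational'

function Enable-PrintServiceLog {
    # The operational channel is off by default; enable it before expecting 307 events.
    wevtutil set-log $PrintLog /enabled:true
}

function ConvertTo-UInt32 {
    param([string]$Ipv4)
    $bytes = ([System.Net.IPAddress]$Ipv4).GetAddressBytes()
    [Array]::Reverse($bytes)                  # network order -> little-endian for ToUInt32
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InternalAddress {
    # $true / $false for an IPv4 address, $null when the client is a hostname or IPv6.
    param([string]$Address, [string[]]$InternalRanges)
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$parsed) -or
        $parsed.AddressFamily -ne 'InterNetwork') {
        return $null
    }
    $ip = ConvertTo-UInt32 $Address
    foreach ($cidr in $InternalRanges) {
        $net, $bits = $cidr -split '/'
        $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
        if (($ip -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)) { return $true }
    }
    return $false
}

function Get-SuspiciousPrintJobs {
    param(
        [string[]]$InternalRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'),  # placeholder
        [int]$Days = 7,
        [int64]$SizeThreshold = 50MB
    )
    $filter = @{ LogName = $PrintLog; Id = 307; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Client machine is logged as "\\hostname" or "\\ip"; strip the leading backslashes.
        $client = ([string]$_.Properties[3].Value).TrimStart('\')
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = $_.Properties[2].Value
            Client   = $client
            Printer  = $_.Properties[4].Value
            Bytes    = [int64]$_.Properties[6].Value
            Pages    = $_.Properties[7].Value
            Internal = Test-InternalAddress -Address $client -InternalRanges $InternalRanges
        }
    } | Where-Object {
        # Flag jobs from external or unclassifiable clients, and unusually large jobs.
        $_.Internal -ne $true -or $_.Bytes -gt $SizeThreshold
    }
}

function Get-SpoolerCrashes {
    # Event IDs 7031/7034 from the Service Control Manager; Properties[0] is the service name.
    param([int]$Days = 7)
    $filter = @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7031, 7034; StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq 'Print Spooler' } |
        Select-Object TimeCreated, Id, Message
}

Get-SuspiciousPrintJobs | Format-Table -AutoSize
Get-SpoolerCrashes | Format-Table -AutoSize
```

Jobs whose client is logged by hostname come back with Internal = $null and are therefore included in the output; resolve those against your asset inventory rather than DNS, since a hostname in the event is attacker-controlled data.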