CVE-2023-35325
📋 TL;DR
This vulnerability in Windows Print Spooler allows attackers to read sensitive information from memory without authentication. It affects Windows systems with Print Spooler enabled, potentially exposing credentials, tokens, or other confidential data.
💻 Affected Systems
- Windows Print Spooler
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Attackers could extract domain credentials, authentication tokens, or other sensitive data from memory, leading to lateral movement, privilege escalation, or complete system compromise.
Likely Case
Information disclosure of system memory contents, potentially revealing credentials, tokens, or other sensitive data that could be used in follow-on attacks.
If Mitigated
Limited information exposure with proper network segmentation and Print Spooler restrictions, preventing credential harvesting.
🎯 Exploit Status
Microsoft rates this as 'Exploitation More Likely' in their advisory. The vulnerability requires no authentication and has low attack complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: July 2023 security updates (KB5028185 for Windows 10, KB5028182 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35325
Restart Required: Yes
Instructions:
1. Apply the July 2023 Windows security updates from Windows Update or the Microsoft Update Catalog.
2. Restart the system to complete the installation.
🔧 Temporary Workarounds
Disable Print Spooler Service
Windows: Stops the vulnerable service entirely, preventing exploitation but disabling printing functionality.
sc stop spooler
sc config spooler start= disabled
Restrict Print Spooler via Group Policy
Windows: Configure Print Spooler to run only on designated print servers.
🧯 If You Can't Patch
- Implement network segmentation to isolate systems with Print Spooler from untrusted networks
- Apply the Point and Print Restrictions Group Policy to limit printer driver installation
🔍 How to Verify
Check if Vulnerable:
The system is vulnerable if the Print Spooler service is running and the July 2023 security updates have not been applied.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Confirm that the July 2023 security updates are installed using the 'winver' or 'systeminfo' command.
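A local check, added here as an example and not part of the advisory, that applies the two conditions above: Spooler running and the July 2023 update absent. The KB numbers are the two quoted above; the advisory's "etc." means other builds ship other KBs, so the list is assumed to be extended by the administrator from the MSRC page.

```powershell
# Added example: evaluate the page's two vulnerability conditions on the local host.
# KB numbers quoted on the page; other Windows builds use other KBs (extend as needed).
$JulyKbs = @('KB5028185', 'KB5028182')

# Condition 1: is the Print Spooler service present and running?
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

# Condition 2: is one of the listed July 2023 updates installed?
$installed = Get-HotFix | Where-Object { $JulyKbs -contains $_.HotFixID }

$osVersion = (Get-CimInstance -ClassName Win32_OperatingSystem).Version
Write-Output "OS version   : $osVersion"
Write-Output "Spooler      : $(if ($spooler) { $spooler.Status } else { 'not installed' })"
Write-Output "July 2023 KB : $(if ($installed) { $installed.HotFixID -join ', ' } else { 'none of the listed KBs found' })"

if ($spooler -and $spooler.Status -eq 'Running' -and -not $installed) {
    Write-Warning 'Print Spooler is running and no listed July 2023 KB is installed: treat the host as exposed to CVE-2023-35325.'
    exit 1
}
elseif (-not $installed) {
    Write-Warning 'Spooler is stopped, but the July 2023 update is not installed: the workaround is the only protection until patched.'
    exit 2
}
else {
    Write-Output 'A listed July 2023 update is installed.'
    exit 0
}
```

Later cumulative updates supersede the July one, so on a host patched after July 2023 Get-HotFix will not list these KBs; in that case compare the printed OS build against the fixed build given in the vendor advisory.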
📡 Detection & Monitoring
Log Indicators:
- Event ID 4625 failed logons to Print Spooler
- Unusual Print Spooler service restarts
- Suspicious RPC calls to spoolsv.exe
Network Indicators:
- Unusual RPC traffic to port 135/445 targeting Print Spooler
- SMB connections to spoolss named pipe
SIEM Query:
source="windows" AND ((event_id=4625 AND process_name="spoolsv.exe") OR (event_id=7036 AND service_name="Spooler" AND NOT user="SYSTEM"))