CVE-2024-21325

7.8 HIGH

📋 TL;DR

This vulnerability allows remote code execution through Microsoft's Printer Metadata Troubleshooter Tool. An attacker could exploit this to run arbitrary code with SYSTEM privileges on affected Windows systems. All Windows systems with the vulnerable tool are potentially affected.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows 10, Windows 11, Windows Server 2019, Windows Server 2022
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Printer Metadata Troubleshooter Tool to be present and accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with SYSTEM privileges, enabling data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Lateral movement within networks, credential harvesting, and installation of malware payloads.

🟢 If Mitigated

Limited impact due to network segmentation, least privilege, and proper patch management.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific conditions and user interaction or network access to the vulnerable service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: February 2024 security updates

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21325

Restart Required: Yes

Instructions:

1. Apply the February 2024 Windows security updates.
2. Restart the system.
3. Verify the update is installed via Windows Update history.

🔧 Temporary Workarounds

Disable Printer Troubleshooter Service

Disables the vulnerable Printer Metadata Troubleshooter Tool service.

sc config "PrintWorkflowUserSvc" start= disabled
sc stop "PrintWorkflowUserSvc"

Block Network Access to Print Spooler

Restricts network access to the Print Spooler service to prevent remote exploitation.

netsh advfirewall firewall add rule name="Block Print Spooler" dir=in action=block protocol=TCP localport=135,445,9100

🧯 If You Can't Patch

  • Implement network segmentation to isolate systems with the vulnerable tool.
  • Apply strict firewall rules to block unnecessary inbound connections to affected systems.

🔍 How to Verify

Check if Vulnerable:

Confirm whether the February 2024 security update is installed. If it does not appear in Windows Update history or in the hotfix list reported by the systeminfo command, the system is still vulnerable.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify the February 2024 security update is installed and the system has been restarted.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from PrintWorkflowUserSvc or related print services
  • Failed authentication attempts to print services

Network Indicators:

  • Unexpected network connections to port 135, 445, or 9100 from external sources
  • Anomalous SMB or RPC traffic patterns

SIEM Query:

EventID=4688 AND (NewProcessName="*PrintWorkflow*" OR ParentProcessName="*spoolsv*")
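To show how the query above behaves against real-looking records, here is an added Python example (not part of the original page) that applies its logic to a few constructed Event ID 4688 lines. The "key=value|key=value" line format and the case-insensitive wildcard semantics are assumptions made for the example.

```python
import fnmatch

# Constructed sample Windows Security events flattened to "key=value|key=value"
# lines (Event ID 4688 = process creation). Illustrative only, not real telemetry.
SAMPLE_LOG = r"""
EventID=4688|NewProcessName=C:\Windows\System32\svchost.exe|ParentProcessName=C:\Windows\System32\services.exe
EventID=4688|NewProcessName=C:\Windows\System32\cmd.exe|ParentProcessName=C:\Windows\System32\spoolsv.exe
EventID=4688|NewProcessName=C:\Program Files\Contoso\PrintWorkflowHelper.exe|ParentProcessName=C:\Windows\explorer.exe
EventID=4624|NewProcessName=|ParentProcessName=C:\Windows\System32\spoolsv.exe
EventID=4688|NewProcessName=C:\Windows\System32\notepad.exe|ParentProcessName=C:\Windows\explorer.exe
""".strip()

# The page's SIEM query, expressed as (field, wildcard) pairs joined by OR.
# Most SIEMs match wildcards case-insensitively, so both sides are lower-cased.
PROCESS_PATTERNS = [
    ("NewProcessName", "*PrintWorkflow*"),
    ("ParentProcessName", "*spoolsv*"),
]


def parse_event(line):
    """Parse one constructed 'k=v|k=v' line into a dict (values may not contain '|')."""
    fields = {}
    for pair in line.split("|"):
        key, _, value = pair.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def matches_query(event):
    """EventID=4688 AND (NewProcessName="*PrintWorkflow*" OR ParentProcessName="*spoolsv*")."""
    if event.get("EventID") != "4688":
        return False
    return any(
        fnmatch.fnmatchcase(event.get(field, "").lower(), pattern.lower())
        for field, pattern in PROCESS_PATTERNS
    )


def find_matches(log_text):
    """Return the parsed events the query flags, in log order."""
    events = (parse_event(line) for line in log_text.splitlines() if line.strip())
    return [event for event in events if matches_query(event)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_LOG):
        print(f"ALERT: {hit['NewProcessName']} (parent {hit['ParentProcessName']})")
```

The parent-is-spoolsv clause also fires on legitimate print driver helper processes, so baseline normal spooler children before turning this into an alert.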
