CVE-2021-34527: Microsoft Windows Print Spooler Remote Code Execution

Microsoft Windows Print Spooler Remote Code Execution Vulnerability. Microsoft Windows Print Spooler contains an unspecified vulnerability due to the Windows Print Spooler service improperly performing privileged file operations. Successful exploitation allows an attacker to perform remote code execution with SYSTEM privileges. The vulnerability is also known under the moniker of PrintNightmare.

• CISA KEV-listed (remediation due 2022-05-03)
• used in ransomware campaigns
• EPSS 94.2% (99.9% percentile)

Detection rules

• Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection critical
• Windows Spooler Service Suspicious Binary Load informational
• PrinterNightmare Mimikatz Driver Name critical
• CVE-2021-1675 Print Spooler Exploitation IPC Access critical
• Possible PrintNightmare Print Driver Install - CVE-2021-1675 medium
• Remote Printing Abuse for Lateral Movement high

Related briefings

• CISA, FBI, and NSA Joint Advisory: Conti Ransomware Surpasses 1,000 Attacks with TrickBot, Cobalt Strike, and Double Extortion 2026-02-16

Browse the CVE database

Read the full analysis on IntelFusions