Educause Security Discussion mailing list archives

0-day exploit widely circulating for the Printnightmare vulnerability


From: Alex Keller <axkeller () STANFORD EDU>
Date: Wed, 30 Jun 2021 20:17:54 +0000

Details are still emerging but 0-day exploit code is widely circulating for the Printnightmare vulnerability. Exploit 
requires authentication using a standard domain user account and allows for remote code execution as SYSTEM (root) on 
most recent versions of Windows OS (e.g. Win10, 2012R2, 2016, 2019) where the Print Spooler service is running, which 
by default includes Domain Controllers:
 
https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/
https://therecord.media/poc-released-for-dangerous-windows-printnightmare-bug/
https://twitter.com/hackerfantastic/status/1410100394492112898
 
Microsoft has NOT released a patch yet (June patch for CVE-2021-1675 does NOT prevent exploitation).
 
Strong recommendation is to disable the Print Spooler service on critical Windows hosts, prioritizing Domain 
Controllers and other servers. Unfortunately this may not be an option for print servers and endpoints that need to 
print.
 
Best,
Alex


Alex Keller
Stanford | Engineering
Information Technology
axkeller () stanford edu
(650)736-6421
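One way to carry out the recommendation in the message above, as an added PowerShell example that is not part of the original post: it inventories the Print Spooler service on a list of hosts (defaulting to the domain controllers, the message's first priority), stops and disables it unless run with -WhatIf, and reports the before/after state so stragglers stand out. The ActiveDirectory module, PowerShell remoting, admin rights, and the $Targets/-WhatIf parameters are assumptions of this example.

```powershell
# Added example (not from the original message): disable the Print Spooler
# service on a set of Windows hosts and report what changed.
# Assumes: ActiveDirectory module, PS remoting (WinRM) and local admin rights.
# $Targets and -WhatIf are hypothetical parameters chosen for this example.
param(
    [string[]]$Targets,
    [switch]$WhatIf
)
Import-Module ActiveDirectory -ErrorAction Stop

# Default to every domain controller in the current domain.
if (-not $Targets) {
    $Targets = (Get-ADDomainController -Filter *).HostName
}

$results = Invoke-Command -ComputerName $Targets -ArgumentList $WhatIf.IsPresent -ScriptBlock {
    param([bool]$DryRun)
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Service not installed on this host: nothing to do.
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Before = 'absent'; After = 'absent' }
    }
    $before = "$($svc.Status)/$($svc.StartType)"
    if (-not $DryRun) {
        # Stop the running instance, then prevent it from starting again at boot.
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service -Name Spooler -StartupType Disabled
    }
    $svc = Get-Service -Name Spooler
    [pscustomobject]@{
        Host   = $env:COMPUTERNAME
        Before = $before
        After  = "$($svc.Status)/$($svc.StartType)"
    }
}

# Any host whose After column is not "Stopped/Disabled" needs manual follow-up.
$results | Sort-Object Host | Format-Table Host, Before, After -AutoSize
```

Run it with -WhatIf first to see the current state of every target without changing anything.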


