CVE-2021-1675 in Windowsinfo

Summary

by MITRE • 06/09/2021

Windows Print Spooler Elevation of Privilege Vulnerability

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/13/2026

This vulnerability resides within the Windows Print Spooler service which operates as a critical system component responsible for managing print jobs and printer drivers. The flaw manifests as an elevation of privilege vulnerability that allows attackers to execute arbitrary code with SYSTEM level privileges, effectively compromising the entire Windows system. The vulnerability stems from improper validation of printer driver installation processes within the spooler service, creating a path for malicious actors to escalate their privileges through crafted driver installations or modifications to existing print configurations.

The technical exploitation occurs when an unauthenticated attacker submits specially crafted print job data or driver files that trigger a code execution path within the spooler service. This vulnerability specifically affects Windows 10, Windows 11, and Windows Server versions where the Print Spooler service remains enabled and accessible. The flaw enables attackers to install malicious printer drivers that execute code with elevated privileges, bypassing standard user access controls and security boundaries. This represents a classic privilege escalation vector that aligns with CWE-264, which covers permissions, privileges, and access controls, and falls under the ATT&CK technique T1068 for local privilege escalation.

The operational impact of this vulnerability extends beyond simple privilege escalation as it provides attackers with persistent access to target systems. Once exploited, attackers can establish backdoors, install additional malware, exfiltrate sensitive data, or use the compromised system as a launch point for lateral movement within networks. The vulnerability's exploitability is particularly concerning because it does not require authentication and can be triggered remotely through the print spooler service. This characteristic makes it a prime target for automated exploitation campaigns and zero-day attacks, as demonstrated by various threat actors who have leveraged similar vulnerabilities for ransomware deployments and persistent threat operations.

Mitigation strategies should focus on immediate service disablement and network segmentation to prevent exploitation. Organizations should disable the Print Spooler service entirely if not required, as this eliminates the attack surface entirely. When the service must remain active, administrators should implement strict access controls using Group Policy settings to limit who can install printer drivers or modify print configurations. Network-level protections including firewall rules that block access to the print spooler ports and services can prevent remote exploitation attempts. Additionally, implementing application whitelisting policies and monitoring for unusual print job activities can help detect potential exploitation attempts. Regular system updates and patches should be applied immediately when available, as Microsoft has released patches addressing this specific vulnerability. Security monitoring should include detection of suspicious driver installations and unusual privilege escalation events, with particular attention to processes running with SYSTEM privileges that originate from print spooler contexts. The vulnerability demonstrates the critical importance of securing system services that operate with elevated privileges and highlights the need for comprehensive security controls beyond traditional perimeter defenses.

Responsible

Microsoft

Reservation

12/02/2020

Disclosure

06/09/2021

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.86132

KEV

yes

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!