Exploit for Critical Windows Flaw Is Out but a Fixing Patch Isn’t

Last updated September 25, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

A PoC (proof of concept) exploit for CVE-2021-1675 has been spotted in the wild, which means that hackers are already engaging in targeting the critical RCE (remote code execution) flaw. The unfortunate case here is that the particular flaw was disclosed and patched by Microsoft in the June 2021 Patch Tuesday pack, but as it seems, the remediation isn’t working as expected. What this means is that applying the latest Windows security patches won’t help you stay safe against this threat.

What you need to do is to disable the Print Spooler service entirely, which is where the vulnerability exists. To do this, you’ll need to use the following commands:

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled 

Of course, this will disable printing on the machine, so it’s neither a suitable nor a long-term solution to the problem. However, it shouldn’t take Microsoft too long to release a fixing patch now, so this solution should keep you safe for a few days.

According to reports that come from multiple white-hat research teams, there are currently no indications of the exploit being used by malicious actors, but this is only a matter of time. The PoC exploit was leaked by mistake a few days ago by a security firm that was planning to release the details during BlackHat USA in July. Unfortunately, the code remained published for several hours before it was eventually taken down, but hackers took the opportunity immediately and copied it.

https://twitter.com/edwardzpeng/status/1409810304091889669

CVE-2021-1675 has a CVSS score of 7.8, and it could enable a threat actor to perform remote code execution (via SSH or through a laced document), lateral movement, privilege escalation, and full system takeover. The problem is that the Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.

The flaw impacts several Windows versions, including 7, 8, 10, and all Server editions between 2004 and 2019, and the temporary solution in all cases is to stop and disable the Print Spooler service. Domain controllers have the Print Spooler service active by default, so addressing this troublesome exploit will be challenging to say the least.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: