There are several different proof-of-concept exploits for a vulnerability in the Windows print spooler service circulating publicly right now, some of which are able to exploit the bug even if the patch Microsoft released earlier this month is applied.
The vulnerability (CVE-2021-1675) affects most versions of Windows and Windows Server. Microsoft initially classified it as a lower-severity local privilege escalation bug, but revised that assessment last week to clarify that it can be used for remote code execution and upgraded it to a critical rating. The print spooler service runs by default on Windows Domain Controllers and is often enabled on other servers and desktops as well. However, an attacker would need authenticated access to the print spooler service in order to achieve remote code execution.
A research team posted PoC exploit code for the vulnerability to GitHub on Tuesday, and although the repository was removed soon after, it was up long enough for other people to clone and fork it.
“Exploitation of CVE-2021-1675 could give remote attackers full control of vulnerable systems. To achieve RCE, attackers would need to target a user authenticated to the spooler service. Without authentication, the flaw could be exploited to elevate privileges, making this vulnerability a valuable link in an attack chain,” Claire Tills of Tenable said in a post.
“Windows Print Spooler has a long history of vulnerabilities and its ubiquity can allow for serious impact on targets.”
Microsoft released a fix for the vulnerability on June 8, but the patch did not completely resolve the issue. Microsoft has not made any public statement about the patch issue or whether it plans to release an updated fix. Researchers recommend disabling the print spooler service in the meantime to mitigate the vulnerability.
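One way to apply that interim mitigation across a fleet, starting with the domain controllers the article singles out, is the PowerShell script below. It is an added example, not code from the article or from the researchers it quotes. It assumes an elevated session on a host with the ActiveDirectory module and administrative rights on the targets; by default it only reports the spooler's state, and it stops and disables the service only when run with `-Disable $true`.

```powershell
# Added example (not from the article): audit, and optionally disable, the
# Print Spooler service on a set of hosts. Assumes the ActiveDirectory module
# is available locally and that PowerShell Remoting is enabled on the targets.

param(
    # Hosts to act on. The default is every domain controller, where the
    # article notes the spooler runs by default; pass any host list instead.
    [string[]]$ComputerName = (Get-ADDomainController -Filter * |
                               Select-Object -ExpandProperty HostName),

    # Report only unless explicitly asked to change the service.
    [bool]$Disable = $false
)

$results = Invoke-Command -ComputerName $ComputerName -ArgumentList $Disable -ScriptBlock {
    param([bool]$Disable)

    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Spooler not installed (e.g. Server Core without the Print role).
        return [pscustomobject]@{
            Host = $env:COMPUTERNAME; Status = 'NotInstalled'; StartType = $null; Changed = $false
        }
    }

    $changed = $false
    if ($Disable) {
        # Stop the running instance, then prevent it from starting again on reboot.
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name Spooler -Force
            $changed = $true
        }
        if ($svc.StartType -ne 'Disabled') {
            Set-Service -Name Spooler -StartupType Disabled
            $changed = $true
        }
        # Re-read so the report reflects the post-change state.
        $svc = Get-Service -Name Spooler
    }

    [pscustomobject]@{
        Host = $env:COMPUTERNAME; Status = $svc.Status; StartType = $svc.StartType; Changed = $changed
    }
}

# Any host still showing Status=Running or StartType other than Disabled
# remains exposed and needs follow-up.
$results | Sort-Object Host | Format-Table Host, Status, StartType, Changed -AutoSize
```

Run it once without `-Disable` to get an inventory, then again with `-Disable $true` on the hosts you have confirmed do not serve printers. Disabling the spooler on a print server stops printing for every client of that server, so those hosts need a separate decision rather than a blanket change.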