CISA report: hackers exploit the Windows Print Spooler vulnerability

The security flaw in Windows Print Spooler that was patched in February is actively exploited in the wild

Windows Print SPooler actively exploited in the wild at the moment, regardless the patch in February

U.S Cybersecurity and Infrastructure Security Agency warn users about the active exploits using the previously reported and even patched vulnerability. The report states that the hacker groups have used the flaw in attacks more recently.^[1] The agency also released a new security flaw list with this local privilege escalation bug in the Windows Print Spooler.^[2]

The company expanded the catalog with two security flaws based on the active exploitation evidence. The highly severe flaw is the one among four privilege escalation bugs in the Print Spooler that Microsoft resolved as part of the Patch Tuesday back on February 8, 2022.^[3] The company shared that attackers can exploit the flaw locally in low-complexity attacks without users' interaction.

Redmond tech giant has patched a lot of flaws since the PrintNightmare remove code execution vulnerability issues came to light. The flaw included a particular 15 elevations of privilege bugs. After the technical details regarding the proof-of-concept exploit for the PrintNightmare got leaked, CISA warned admins to disable the service altogether. Windows Print Spooler services were supposed to be disabled on Domain Controllers, and systems that are not used for printing should block the potentially incoming attacks.

Constant warning about exploits and high severity bugs

CISA added another privilege escalation bug in the Windows Common Log File System Driver to the list of the currently exploitable bugs in the wild.^[4] This bug was also patched by Microsoft during the Patch Tuesday this month. Federal agencies have three weeks to secure their systems against these security flaws that were newly added to the catalog of Known Exploited Vulnerabilities.^[5]

Until May 10th, actively exploitable flaws like the CVE-2022-22178 bug should be blocked, and ongoing exploitation attempts shouldn't occur again. This warning and data apply to US federal agencies, but all organizations are urged to fix the Windows Print Spooler vulnerability and block attempts to escalate privileges on the Windows systems.

Such vulnerabilities are used in various cyber attacks as a vector frequently and such exploitations pose a significant risk to the federal enterprise. Cybercriminals and threat actors of various types can use such flaws to gain access to various systems where sensitive, valuable data is stored.

Another week another critical Print Spooler vulnerability

PrintNightmare created a lot of issues for people last year. The critical security flaw included two vulnerabilities in the Windows Print Spooler service – CVE-2021-1675 and CVE-2021-34527. The reports back in the summer informed about the flaws that enable remote code execution, privilege escalations on servers, and computers running the Print Spooler.

The CVE-2021-34527 flaw also allowed the same remote code execution and privilege escalation. The patch was released, but it is unclear if the patch was incomplete or if another attack method was discovered. However, attackers managed to use the flaw successfully.

PrintNightmare zero-day bug that was fully patched was used on still vulnerable devices, and systems got affected. The original exploit was later even modified, so the patch became only somewhat effective, and criminals managed to successfully exploit the flaw further. The latest September 2021 patches supposedly fixed the remaining PrintNightmare flaws.^[6]