Cyber Resilience

CVE-2021-34527

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 02 July 2021

Modified: 18 December 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9976 (100.0th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2021-34527 is a high-severity vulnerability, with an unspecified weakness type, in Microsoft Windows Server 2008. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a remote code execution flaw in the Windows Print Spooler service that arises when the service improperly performs privileged file operations. It affects multiple Windows versions, including Windows Server 2012, Windows Server 2016, and Windows 10 version 1607, and carries a CVSS 3.1 score of 8.8 reflecting network-accessible exploitation with low attack complexity and low required privileges.

An authenticated attacker with low privileges can exploit the issue over the network to execute arbitrary code under SYSTEM context. Successful exploitation grants the ability to install programs, view or modify data, delete information, and create new accounts with full administrative rights.

Microsoft security updates released on and after July 6, 2021 address both this issue and the related PrintNightmare vulnerability (CVE-2021-1675). Advisories require immediate installation of the patches; when updates cannot be applied, administrators must ensure the registry values NoWarningNoElevationOnInstall and UpdatePromptSettings under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint are either set to 0 or left undefined, as setting NoWarningNoElevationOnInstall to 1 leaves the system vulnerable by design. Corresponding Group Policy settings must also be verified.
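The registry check described above can be scripted for fleet audits. This is an added example, not code from Microsoft or from this page; the function name Test-PointAndPrintPolicy is hypothetical, and it treats a missing key or value as the secure default, as the advisory states.

```powershell
# Added example: audit the two Point and Print policy values named in the advisory.
# Test-PointAndPrintPolicy is a hypothetical helper name, not a Microsoft cmdlet.
function Test-PointAndPrintPolicy {
    [CmdletBinding()]
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    )

    $names = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

    # The key does not exist by default; an absent key or value is the secure state.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue

    foreach ($name in $names) {
        $value = $null
        $kind  = $null
        if ($key -and ($key.GetValueNames() -contains $name)) {
            $value = $key.GetValue($name)
            $kind  = $key.GetValueKind($name)
        }

        if ($null -eq $value) {
            $state = 'Secure (not defined)'
        } elseif ($kind -eq 'DWord' -and $value -eq 0) {
            $state = 'Secure (0)'
        } else {
            # Any other value or type, including NoWarningNoElevationOnInstall = 1,
            # departs from the setting the advisory requires.
            $state = 'NonCompliant'
        }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $name
            Value    = $value
            Kind     = $kind
            State    = $state
        }
    }
}

$results = @(Test-PointAndPrintPolicy)
$results | Format-Table -AutoSize
if ($results.State -contains 'NonCompliant') {
    Write-Warning 'Point and Print policy values differ from the advisory; review Group Policy.'
}
```

Because these values live under the Policies hive, a non-compliant result usually means a Group Policy object is writing them, so the fix belongs in the GPO rather than in a local registry edit.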

Public exploit code for remote DLL injection against the Print Spooler has been published, and the updates incorporate additional hardening measures documented in KB5005010.

EU & UK References

Vulnerability details

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

UPDATE July 7, 2021: The security updates for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.

In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy settings are correct (see FAQ):

- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.

UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates (https://support.microsoft.com/topic/31b91c02-05bc-4ada-a7ea-183b129578a7).

Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

CVEs Like This One

CVE-2022-30190 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2021-40444 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2025-24985 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2025-24991 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2025-24054 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2025-26633 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2025-24993 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2021-1675 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2025-59230 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2025-24990 · Same product: Microsoft Windows 10 1507 · both on KEV

Affected Assets

microsoft · windows 10 1507 · ≤ 10.0.10240.18969
microsoft · windows 10 1607 · ≤ 10.0.14393.4470
microsoft · windows 10 1809 · ≤ 10.0.17763.2029
microsoft · windows 10 20h2 · ≤ 10.0.19042.1083
microsoft · windows 10 21h2 · ≤ 10.0.19044.1415
microsoft · windows 10 22h2 · ≤ 10.0.19045.2251
microsoft · windows 11 21h2 · ≤ 10.0.22000.318
microsoft · windows 11 22h2 · ≤ 10.0.22621.674
microsoft · windows 7 · all versions
microsoft · windows 8.1 · all versions
+7 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires installation of the vendor security updates that Microsoft states remediate both CVE-2021-34527 and the related PrintNightmare flaw.

prevent

Mandates applying and verifying the exact registry values (NoWarningNoElevationOnInstall=0, UpdatePromptSettings=0) and corresponding Group Policy settings that block the vulnerable Point-and-Print behavior.

prevent

Enforces the access-control policy that restricts which users or drivers may perform privileged print-spooler file operations, directly limiting the low-privilege remote exploitation path.

References