New Windows Server PrintNightmare Zero-day exploit may be the new Hafnium


A new and unpatched Zero-day exploit has just been released, along with Proof-of-Concept code, which grants attackers full Remote Code Execution capabilities on fully patched Windows Print Spooler devices.

The hack, called PrintNightmare, was accidentally released by Chinese security company Sangfor, which confused it with a similar Print Spooler exploit that Microsoft has already patched.

PrintNightmare, however, is effective on fully patched Windows Server 2019 machines and allows attacker code to run with full privileges.

The main mitigating factor is that hackers need some (even low-privilege) credentials for the network, but for enterprise networks, these can be easily purchased for around $3.

This means corporate networks are again extremely vulnerable to (especially ransomware) attacks, with security researchers recommending companies disable their Windows Print Spoolers.
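One way to apply that recommendation across several servers, as an added example that is not from the article or from Microsoft: the function name `Disable-PrintSpooler` and the host names are hypothetical, and it assumes PowerShell remoting and administrative rights on the targets. Stopping the Spooler disables printing on that machine, so the function reports the state before and after and supports `-WhatIf` for an audit-only pass.

```powershell
function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName
    )

    foreach ($computer in $ComputerName) {
        try {
            # Read the current state first so the report shows what changed.
            $before = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                $svc = Get-Service -Name Spooler -ErrorAction Stop
                "$($svc.Status)/$($svc.StartType)"
            }

            $after = $before
            # Skip hosts that are already stopped and disabled; honour -WhatIf / -Confirm.
            if ($before -ne 'Stopped/Disabled' -and
                $PSCmdlet.ShouldProcess($computer, 'Stop and disable the Print Spooler service')) {
                $after = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                    Stop-Service -Name Spooler -Force -ErrorAction Stop
                    # Disabled start type keeps the service from returning after a reboot.
                    Set-Service -Name Spooler -StartupType Disabled -ErrorAction Stop
                    $svc = Get-Service -Name Spooler
                    "$($svc.Status)/$($svc.StartType)"
                }
            }
            [pscustomobject]@{ Computer = $computer; Before = $before; After = $after; Error = $null }
        }
        catch {
            # Unreachable host or missing rights: report it instead of aborting the run.
            [pscustomobject]@{ Computer = $computer; Before = $null; After = $null; Error = $_.Exception.Message }
        }
    }
}

# Constructed host names; -WhatIf reports the current state without changing anything.
Disable-PrintSpooler -ComputerName 'srv-example-01', 'srv-example-02' -WhatIf
```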

Read more about the issue at BleepingComputer here.
