A new and unpatched Zero-day exploit has just been released, along with Proof-of-Concept code, which grants attackers full Remote Code Execution capabilities on fully patched Windows Print Spooler devices.
The hack, called PrintNightmare, was accidentally released by Chinese security company Sangfor, who confused it with a similar Print Spooler exploit which Microsoft has already patched.
PrintNightmare however is effective on fully patched Windows Server 2019 machines and allows attacker code to run with full privileges.
Because I know you love good videos with #mimikatz but also #printnightmare ( CVE-2021-1675 ?)
* Standard user to SYSTEM on remote domain controller *Maybe Microsoft can explain some stuff about their fix ?
> For now, stop Spooler serviceThank you @_f0rgetting_ & @edwardzpeng pic.twitter.com/bJ3dkxN1fW
— ? Benjamin Delpy (@gentilkiwi) June 30, 2021
The main mitigating factor is that hackers need some (even low-privilege) credentials for the network, but for enterprise networks, these can be easily purchased for around $3.
This means corporate networks are again extremely vulnerable to (especially ransomware) attacks, with security researchers recommending companies disable their Windows Print Spoolers.
Read more about the issue at BleepingComputer here.