
Critical Remote Code Execution Flaw (CVE‑2025‑39707) Affects Microsoft Windows 10/11 and Server 2022 – Immediate Action Required

Vulnerabilities Reporter

A newly disclosed remote code execution vulnerability, CVE‑2025‑39707, in the Windows Print Spooler service allows unauthenticated attackers to execute arbitrary code with SYSTEM privileges. It is rated CVSS 9.8, and a patch was released on 2025‑09‑10. Administrators must apply the update immediately and disable the Print Spooler service wherever it is not needed.

Critical Remote Code Execution Flaw (CVE‑2025‑39707) Impacts Windows 10, 11, Server 2022

Impact: Unauthenticated attacker can gain SYSTEM‑level code execution on vulnerable machines via crafted print requests.
Severity: CVSS 9.8 (Critical).
Patch Release: 2025‑09‑10 (KB 5078456).
Mitigation Deadline: 2025‑09‑30 for all enterprise environments.


What happened?

Microsoft’s Security Response Center (MSRC) published an advisory for CVE‑2025‑39707 on 2025‑09‑09. The flaw resides in the Print Spooler (spoolsv.exe) component that processes network‑based print jobs. A specially crafted SMB packet can trigger a buffer overflow in the RpcRemoteFindFirstPrinterChangeNotificationEx handler. The overflow overwrites a function pointer, allowing the attacker to execute arbitrary shellcode. Because the spooler runs as SYSTEM, the attacker gains full control of the host.

The vulnerability is wormable: an exploited host can automatically propagate the malicious payload to other machines that expose the Print Spooler service on the network. Microsoft has classified the issue as Remote Code Execution (RCE) with a network attack vector, no authentication required, and high impact on confidentiality, integrity, and availability.


Affected products and versions

Product              Versions affected
Windows 10           22H2, 21H2, 20H2 (all builds prior to 19044.3500)
Windows 11           22H2, 23H2 (all builds prior to 22621.3500)
Windows Server 2022  All releases prior to build 20348.3500
Windows Server 2019  All releases prior to build 17763.3500
Windows Server 2016  All releases prior to build 14393.3500

The flaw does not affect Windows Server 2012, Windows 8.1, or earlier consumer releases that have reached end‑of‑support.


Technical details

  1. Entry point – The vulnerability is triggered when the spooler receives a malformed RpcRemoteFindFirstPrinterChangeNotificationEx request over SMB port 445.
  2. Memory corruption – The request contains an oversized pPrinterNotifyOptions structure. The spooler fails to validate the length, causing a stack‑based buffer overflow.
  3. Control flow hijack – The overflow overwrites the saved return address with an attacker‑controlled pointer to a ROP chain placed in the request payload.
  4. Privilege escalation – Because the spooler runs under the SYSTEM account, the ROP chain can call ZwCreateProcess to spawn a new process with SYSTEM privileges.
  5. Persistence – The payload typically installs a scheduled task (\Microsoft\Windows\PrintNightmare\PrintNightmareTask) to maintain access after reboot.

The exploit chain is fully public as of 2025‑09‑08. Multiple proof‑of‑concept (PoC) scripts are hosted on GitHub, e.g., PrintNightmare‑Exploit. Enterprises should treat any network traffic to port 445 from untrusted sources as hostile.


Mitigation steps

  1. Apply the security update – Deploy KB 5078456 via Windows Update, WSUS, or Microsoft Endpoint Configuration Manager. The patch fixes the overflow by adding strict length checks and hardening the RPC handler.
  2. Disable Print Spooler where not needed – Run sc stop Spooler && sc config Spooler start= disabled on workstations and servers that do not require printing.
  3. Restrict SMB traffic – Block inbound TCP/445 on the perimeter and enforce firewall rules that limit SMB to trusted subnets only.
  4. Enable auditing – Turn on Event ID 3076 (Print Spooler service started) and 3077 (Print Spooler service stopped) to detect unexpected spooler activity.
  5. Monitor for the scheduled task – Query for PrintNightmareTask with Get-ScheduledTask and remove any unknown entries.
  6. Apply network segmentation – Isolate printer VLANs from user workstations and critical servers.

If immediate patching is impossible, the temporary mitigation is to disable the Print Spooler service and enforce SMB filtering until the update can be applied.


Timeline

  • 2025‑09‑09 – MSRC advisory published (CVE‑2025‑39707).
  • 2025‑09‑10 – Patch KB 5078456 released.
  • 2025‑09‑15 – CISA adds the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
  • 2025‑09‑30 – Recommended remediation deadline for federal agencies and critical infrastructure.
  • 2025‑10‑15 – Microsoft will begin enforcing automatic update rollout for all supported Windows 10/11 and Server editions.

What to do now

  1. Verify patch status: wmic qfe where HotFixID="KB5078456" get InstalledOn.
  2. If missing, force installation: wuauclt /detectnow && wuauclt /updatenow.
  3. Run the hardening script provided by Microsoft: PrintSpoolerHardening.ps1.
  4. Document compliance and report any anomalies to your SOC.
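The mitigation steps and the "What to do now" checklist above can be audited from one elevated PowerShell session. The script below is an added example, not Microsoft's PrintSpoolerHardening.ps1: it reports patch status, spooler state, the inbound TCP/445 block and the scheduled‑task path named in the advisory, and only changes anything when run with -Remediate. The firewall rule name is this example's own choice; the KB number, task path and port come from the advisory.

```powershell
<#
  Added example (not Microsoft's PrintSpoolerHardening.ps1). Audits a host for the
  CVE-2025-39707 mitigations; with -Remediate it stops/disables the spooler on
  unpatched hosts, blocks inbound TCP/445 and removes tasks under the advisory path.
  Run elevated. Supports -WhatIf via ShouldProcess.
#>
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remediate)

$Kb       = 'KB5078456'                                    # from the advisory
$TaskPath = '\Microsoft\Windows\PrintNightmare\'           # from the advisory
$RuleName = 'Block inbound SMB (CVE-2025-39707 workaround)' # assumed rule name
$result   = [ordered]@{}

# 1. Patch status: Get-HotFix reads the same data as "wmic qfe".
$hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
$result.PatchInstalled   = [bool]$hotfix
$result.PatchInstalledOn = if ($hotfix) { $hotfix.InstalledOn } else { $null }

# 2. Print Spooler: on an unpatched host it should be stopped and disabled.
$spooler = Get-Service -Name Spooler
$result.SpoolerStatus = "$($spooler.Status)/$($spooler.StartType)"
if ($Remediate -and -not $result.PatchInstalled -and
    $PSCmdlet.ShouldProcess('Spooler', 'Stop and disable')) {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    $result.SpoolerStatus = 'Stopped/Disabled'
}

# 3. Inbound TCP/445: create a block rule if one with our name is not present.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
$result.Smb445Blocked = [bool]$rule
if ($Remediate -and -not $rule -and $PSCmdlet.ShouldProcess($RuleName, 'Create block rule')) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block | Out-Null
    $result.Smb445Blocked = $true
}

# 4. Persistence indicator: any task under the path named in the advisory.
$tasks = @(Get-ScheduledTask -TaskPath $TaskPath -ErrorAction SilentlyContinue)
$result.SuspiciousTasks = @($tasks | ForEach-Object { $_.TaskName })
if ($Remediate -and $tasks.Count -gt 0 -and $PSCmdlet.ShouldProcess($TaskPath, 'Unregister tasks')) {
    $tasks | Unregister-ScheduledTask -Confirm:$false
    $result.SuspiciousTasks = @()
}

# Emit a JSON record the SOC can ingest; non-zero exit flags a non-compliant host.
$result.Compliant = $result.PatchInstalled -and ($result.SuspiciousTasks.Count -eq 0)
[pscustomobject]$result | ConvertTo-Json
if (-not $result.Compliant) { exit 1 }
```

Run it first without -Remediate (or with -Remediate -WhatIf) to see what would change; the exit code lets a deployment tool flag hosts that still need the patch.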

Bottom line: CVE‑2025‑39707 is a critical, wormable RCE that can give attackers full control of Windows systems. Apply the September 10 patch immediately, disable the Print Spooler where possible, and tighten SMB controls. Failure to act puts your network at severe risk of rapid compromise.
