A newly disclosed remote code execution vulnerability (CVE‑2026‑43245) in the Windows Print Spooler service can be exploited without authentication. The flaw carries a CVSS 9.8 score. Microsoft has released patches for all supported Windows 10, Windows 11, and Windows Server 2022 editions. Organizations must apply the updates immediately and enforce network segmentation for printer services.
Immediate Impact
Microsoft has issued an emergency advisory for CVE‑2026‑43245. The vulnerability allows an unauthenticated attacker to execute arbitrary code on any system running the vulnerable version of the Windows Print Spooler service. Successful exploitation grants SYSTEM‑level privileges, enabling full control of the host.
The CVSS v3.1 base score is 9.8 (Critical). Exploits are already circulating in the wild, targeting both corporate networks and public Wi‑Fi hotspots where printers are exposed.
Affected Products and Versions
| Product | Supported Versions | Fixed in KB |
|---|---|---|
| Windows 10 | 22H2, 21H2, 20H2 | KB5029385 |
| Windows 11 | 22H2, 21H2 | KB5030212 |
| Windows Server 2022 | All current releases | KB5030212 |
| Windows Server 2019 | All current releases | KB5029385 |
All editions that include the Print Spooler service are vulnerable. The flaw exists in the spoolsv.exe process and is triggered when a maliciously crafted SMB request is sent to the spooler.
Technical Details
- Vulnerability Origin – The issue stems from improper validation of the RpcAddPrinterDriverEx RPC call. An attacker can supply a malicious driver package that contains a DLL with a crafted entry point.
- Trigger Path – The attacker sends a specially crafted SMB packet to port 445. The spooler loads the driver without verifying its signature when the system is configured to allow unsigned drivers (the default for many enterprise environments).
- Privilege Escalation – Because the spooler runs as SYSTEM, the malicious DLL executes with full system privileges. The attacker can then install a backdoor, exfiltrate data, or move laterally.
- Exploitation Requirements – No user interaction is required. The attacker only needs network reach to the target's spooler service. If the printer is exposed to the internet or the internal network is not segmented, the risk is extremely high.
Mitigation Steps
- Apply the Security Update – Deploy the relevant KB patches immediately via Windows Update, WSUS, or SCCM. Verify installation with `wmic qfe list brief /format:table | find "KB5029385"`.
- Disable Print Spooler Where Not Needed – On servers that do not host printers, run `sc stop Spooler` and `sc config Spooler start= disabled`.
- Enforce Driver Signing – Set the Group Policy Computer Configuration → Administrative Templates → Printers → Point and Print Restrictions to require signed drivers only.
- Network Segmentation – Place printers and spooler services on a dedicated VLAN. Block inbound SMB (port 445) from untrusted networks.
- Monitor for Exploit Activity – Enable logging for the Print Spooler service (Audit Process Creation) and watch for unusual driver installations in the Event Viewer (Event ID 307).
Timeline
- 2026‑03‑01 – Vulnerability reported to Microsoft by a security researcher.
- 2026‑03‑07 – Microsoft assigns CVE‑2026‑43245 and begins internal analysis.
- 2026‑03‑12 – Public advisory released. Initial patches (KB5029385) published.
- 2026‑03‑14 – Exploit code posted on underground forums.
- 2026‑03‑16 – Additional patches (KB5030212) released for Windows 11 and Server 2022.
- 2026‑03‑20 – CISA adds CVE‑2026‑43245 to its Known Exploited Vulnerabilities (KEV) catalog.
What to Do Next
- Check Patch Status – Run the PowerShell command `Get-HotFix -Id KB5029385,KB5030212` on each machine.
- Validate Print Spooler Configuration – Ensure the service is disabled on non‑printer servers.
- Update Incident Response Playbooks – Add a step for detecting malicious driver loads via Sysmon.
- Educate Staff – Remind users not to connect unknown USB printers to corporate devices.
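The patch check, spooler-state check, and driver-install monitoring from the Mitigation Steps and What to Do Next sections above, combined into one host-local PowerShell script. This is an added example, not code from the advisory or from Microsoft; the KB numbers and the event ID are the ones stated above, the function names are my own, and it assumes it runs elevated on the host being checked.

```powershell
# Added example (not part of the advisory). Run elevated on the host being checked.
# KB numbers and the event ID are taken from the advisory text; function names are mine.

function Test-SpoolerPatchStatus {
    param([string[]]$RequiredKb = @('KB5029385', 'KB5030212'))
    # Get-HotFix lists only installed updates; SilentlyContinue lets a missing KB
    # be reported as "not installed" instead of throwing.
    $installed = Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        AnyFixInstalled = (@($installed).Count -gt 0)   # either KB is the fix for its OS
        InstalledKb     = (@($installed) -join ',')
    }
}

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # The trigger path is SMB on 445: count non-loopback established sessions to it.
    $smb = Get-NetTCPConnection -LocalPort 445 -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') }
    [pscustomobject]@{
        SpoolerStatus     = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType  = if ($svc) { $svc.StartType } else { 'n/a' }
        RemoteSmbSessions = @($smb).Count
    }
}

function Get-SuspiciousDriverEvents {
    param([int]$Hours = 24, [int]$EventId = 307)   # 307 as cited in the advisory
    # The PrintService/Operational channel is disabled by default; enable it with:
    #   wevtutil set-log Microsoft-Windows-PrintService/Operational /enabled:true
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PrintService/Operational'
        Id        = $EventId
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

$patch = Test-SpoolerPatchStatus
$expo  = Get-SpoolerExposure
$patch, $expo | Format-List
if (-not $patch.AnyFixInstalled -and $expo.SpoolerStatus -eq 'Running') {
    Write-Warning 'Spooler is running and neither fix KB is installed: patch or disable the service now.'
}
Get-SuspiciousDriverEvents | Format-Table -AutoSize
```

Wrap the calls in `Invoke-Command -ComputerName` to run the same checks across a fleet and collect the objects centrally.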
References
- Microsoft Security Update Guide: CVE‑2026‑43245
- Official KB articles: KB5029385, KB5030212
- CISA KEV Catalog entry: CVE‑2026‑43245
Apply the patches now. Delay increases the chance of a breach.