A newly disclosed CVE‑2026‑7210 remote code execution vulnerability in the Windows Print Spooler service can be exploited without user interaction. It carries a CVSS 9.8 score. Microsoft has released patches for supported Windows 10, Windows 11, and Windows Server 2022 builds. Organizations must apply the updates within 48 hours, disable the Print Spooler on non‑essential systems, and verify remediation via the provided KB articles.
Critical Remote Code Execution Flaw (CVE‑2026‑7210) Impacts Windows Print Spooler
Impact: Remote code execution (RCE) on vulnerable Windows hosts. An attacker can execute arbitrary code with SYSTEM privileges, potentially taking full control of the machine.
Severity: CVSS v3.1 base score 9.8 (Critical).
Affected Products
| Product | Versions Affected | Build Range |
|---|---|---|
| Windows 10 | 22H2, 21H2, 20H2 | 19044.3086‑19044.3500 |
| Windows 11 | 22H2, 23H2 | 22621.1415‑22621.1700 |
| Windows Server 2022 | All supported releases | 20348.1500‑20348.2100 |
| Windows Server 2019 | All supported releases | 17763.3000‑17763.3500 |
The vulnerability resides in the Print Spooler (spoolsv.exe) service, specifically in the handling of crafted RPC packets sent to the RpcAddPrinterDriverEx function.
Technical Details
- Vulnerability Type – Improper input validation in the Print Spooler RPC interface.
- Attack Vector – Network‑only. An unauthenticated attacker can send a malicious RPC request to port 445/TCP (SMB) or 139/TCP if the spooler is exposed.
- Exploit Flow
- Attacker discovers a target machine with the spooler service listening.
- Sends a specially crafted
RpcAddPrinterDriverExstructure containing a malicious DLL path. - The spooler loads the DLL with SYSTEM privileges.
- Malicious code runs, granting the attacker full control.
- Pre‑conditions – The target must have the Print Spooler service enabled and reachable over the network. No user interaction is required.
- Mitigations Bypassed – The vulnerability bypasses Windows Defender Application Control (WDAC) when the malicious DLL is placed in a trusted system directory.
Mitigation Steps
- Apply the Security Updates – Microsoft released patches on 2026‑04‑11. Download and install the appropriate KB:
- Restart the Print Spooler Service – After installing the update, run
net stop spooler && net start spooleror simply reboot. - Disable Print Spooler on Non‑Print Servers – Run
sc config spooler start= disabledon machines that do not need printing. - Restrict Access to Port 445 – Block inbound SMB traffic from untrusted networks using firewall rules.
- Enable Audit Logging – Set
Audit Object Accessto log attempts to load printer drivers. Review Event ID 307. - Deploy Application Whitelisting – Use Microsoft Defender Application Control (MDAC) to allow only signed printer driver DLLs.
Verification
- After patching, run
Get-HotFix -Id KB5029385(or KB5029390) to confirm installation. - Use the Microsoft Safety Scanner to scan for the known malicious DLL payloads (
*.dllplaced inC:\Windows\System32). - Check the service status:
Get-Service spoolershould show Running and StartType as Manual or Automatic depending on policy.
Timeline
| Date | Event |
|---|---|
| 2026‑04‑02 | CVE‑2026‑7210 assigned by MITRE. |
| 2026‑04‑07 | Proof‑of‑Concept published on public exploit forum. |
| 2026‑04‑11 | Microsoft releases security updates (Patch Tuesday). |
| 2026‑04‑12 | CISA adds CVE‑2026‑7210 to the Known Exploited Vulnerabilities (KEV) catalog. |
| 2026‑04‑15 | Recommended remediation deadline for federal agencies (48 h post‑release). |
Why Immediate Action Matters
The Print Spooler service is enabled by default on virtually every Windows desktop and server. Attackers can move laterally across a network by exploiting this flaw on a single compromised host. A successful exploit grants SYSTEM rights, which can be leveraged to deploy ransomware, exfiltrate data, or create persistent backdoors.
Additional Resources
- Microsoft Security Update Guide – detailed advisory for CVE‑2026‑7210: https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2026-7210
- CISA KEV Catalog – entry for CVE‑2026‑7210: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Mitre CVE Details – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7210
- Microsoft Docs – Print Spooler Hardening: https://learn.microsoft.com/windows-server/administration/print-management/print-spooler-security
Bottom Line
CVE‑2026‑7210 is a critical RCE flaw in the Windows Print Spooler that can be weaponized without user interaction. Apply the Microsoft patches immediately, disable the spooler where it is not needed, and enforce network segmentation to block SMB traffic from untrusted zones. Failure to act within the next 48 hours leaves systems exposed to active exploitation.
Comments
Please log in or register to join the discussion