22.04.2022 Threat Actors Exploit 2022 Windows Print Spooler Flaws

by Elena Lapina

During March and April 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) added two Windows Print Spooler vulnerabilities to its Known Exploited Vulnerabilities Catalog. We recommend applying the updates and mitigations for all affected systems immediately.


Both Print Spooler vulnerabilities are high severity and were disclosed on 8 February 2022. The first, tracked as CVE-2022-21999 and known as “SpoolFool”, allows a threat actor to execute arbitrary code with SYSTEM privileges on a vulnerable system. The SpoolFool vulnerability can be used to trick the Print Spooler service into writing an arbitrary file to a system folder by using symbolic links. This allows a threat actor to install programs; view, change, or delete data; or create new accounts with administrator rights. The vulnerability has a Common Vulnerability Scoring System (CVSS) 3.1 score of 7.8, and details on the vulnerability are

The second vulnerability, tracked as CVE-2022-22718, can be leveraged to achieve code execution as SYSTEM. It impacts all versions of Windows missing the February 2022 updates. Microsoft noted that threat actors can exploit it locally in low-complexity attacks without user interaction. This vulnerability also has a CVSS score of 7.8.

Proof-of-concept (POC) exploit code has been published for both CVE-2022-22718 and CVE-2022-21999.


We recommend applying Microsoft’s February security update, which addresses these vulnerabilities, as soon as possible.

To apply updates, users should go to Settings > Windows Update > Check for Updates. A system restart will be required to complete the update.




POC for CVE-2022-22718

CISA Known Exploited Vulnerabilities Catalog







