# Remediating PrintNightmare (CVE-2021-1675) Using Cortex XSOAR

By [Pramukh Ganeshamurthy](https://www.paloaltonetworks.com/blog/author/pramukh-ganeshamurthy/?ts=markdown "Posts by Pramukh Ganeshamurthy"), Jul 02, 2021
### **Executive Summary**

On June 29, 2021, proof-of-concept code for [CVE-2021-1675](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675) was posted on [GitHub](https://github.com/cube0x0/CVE-2021-1675). Microsoft patched this CVE on June 8, 2021 as part of the June 2021 Patch Tuesday, where it was described as a local privilege escalation. On July 1, Microsoft published another advisory for the Print Spooler service [(CVE-2021-34527, AKA PrintNightmare)](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527), which covers remote code execution with SYSTEM privileges and raises the CVE severity to critical. The [CERT](https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability) Coordination Center (CERT/CC) further released a [VulNote](https://www.kb.cert.org/vuls/id/383432) for this critical remote code execution vulnerability in the Windows Print Spooler service, stating that the available updates do not address the public exploits that also identify as CVE-2021-1675, meaning an attacker can still exploit this vulnerability to take control of an affected system. [CVE-2021-1675](https://nvd.nist.gov/vuln/detail/CVE-2021-1675) is a vulnerability that allows remote code execution (RCE) on the Windows Print Spooler. This blog will help you implement automated response and remediation measures using Cortex XSOAR.
### **What are some known ways this vulnerability can be exploited?**

The Microsoft Windows Print Spooler service fails to restrict access to the [RpcAddPrinterDriverEx() function](https://www.kb.cert.org/vuls/id/383432), which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. Using this exploit requires the attacker to authenticate as a domain user. Because the Print Spooler service is normally enabled, the compromise of any DC user could likely result in RCE. Successful exploitation allows the attacker to gain remote code execution with SYSTEM-level privileges.

### **How can Cortex XSOAR help?**

Our mission has been to help our customers automate security operations to the extent possible by technology, a key part of staying ahead of today's automated attackers. To help with this, we provide playbooks for specific types of response actions and maintain an ecosystem where others can contribute playbooks as well, and we advise our customers to add our playbooks to their SecOps process to automate what they can.

For CVE-2021-34527 (PrintNightmare) and many other vulnerabilities, organizations can leverage the power of automation with Cortex XSOAR to help speed up the discovery and remediation of known vulnerabilities. XSOAR's automated playbooks also help unify threat feed ingestion, indicator enrichment and incident management workflows, helping your team respond to sophisticated attacks at machine speed.

Cortex XSOAR released two playbooks to address the PrintNightmare vulnerability: the **CVE-2021-1675 | CVE-2021-34527 - PrintNightmare** playbook and a detection and response playbook for Cortex XDR.

The **CVE-2021-1675 | CVE-2021-34527 - PrintNightmare** playbook includes the following tasks:

1. Mitigation actions: to mitigate the exploit, the recommended actions are to disable the Print Spooler service where possible, restrict the ACLs, and install the Microsoft patches.
2. Run a vulnerability scan: to detect any vulnerable device in the organization's network.
3. Search for compromised devices based on the Windows event IDs related to the exploit (Windows event IDs 808 and 31017).
4. Query firewall logs to detect network activity.
5. Run the dedicated detection and response playbook for Cortex XDR.

The **Cortex XDR - PrintNightmare Detection and Response** playbook includes the following tasks:

1. Containment of files, endpoints, users and IP addresses
2. Enrichment of indicators
3. Data acquisition of system info and files using Cortex XDR
4. Eradication of compromised user credentials

The investigation data is documented automatically within the Cortex XSOAR case management, making it easier for security teams to use this data as a reference.

![screen shot](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/07/word-image-30.png)

*Figure-1. The CVE-2021-1675 - PrintNightmare playbook in action*

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/07/word-image-32.png)

### **Where can I find this playbook?**

**CVE-2021-1675 | CVE-2021-34527 - PrintNightmare** is part of the Rapid Breach Response content pack, available for download from the Cortex XSOAR [Marketplace](https://xsoar.pan.dev/marketplace). Rapid Breach Response is a collection of playbooks developed by our security research teams in response to high-profile breaches and attacks, such as [HAFNIUM - Exchange 0-day Exploits](https://www.paloaltonetworks.com/blog/security-operations/respond-to-microsoft-exchange-server-breach-with-cortex-xsoar/?ts=markdown) and [SolarStorm](https://www.paloaltonetworks.com/blog/security-operations/cortex-xsoar-solarstorm-sunburst/?ts=markdown). You can find the Rapid Breach Response content pack playbooks in our Cortex XSOAR Marketplace.
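The playbook's third task hunts for compromised devices by Windows event IDs 808 and 31017. As an added example that is not part of the playbook or this post, the Python below runs that hunt over a few constructed PrintService event records, flags every host that logged either ID, pulls the plug-in module path out of an 808 message, and lists the hosts as candidates for the containment step; the record layout, channel names, host names, module paths and the 31017 message text are assumptions.

```python
"""Hunt constructed Print Spooler event records for event IDs 808 and 31017
and summarise hits per host.  Added example, not the XSOAR playbook's code;
the record layout and channel names are assumptions."""
import re
from collections import defaultdict

# Event IDs named in the playbook description as PrintNightmare indicators.
PRINTNIGHTMARE_EVENT_IDS = {808, 31017}

# Constructed sample records: one event per line, '|' separated key=value
# fields.  The 808 text follows the "failed to load a plug-in module" wording
# of that event; the 31017 text, hosts, paths and error codes are invented.
SAMPLE_EVENTS = """\
channel=Microsoft-Windows-PrintService/Admin|host=ws01.example.test|id=808|msg=The print spooler failed to load a plug-in module C:\\Windows\\System32\\spool\\DRIVERS\\x64\\3\\New\\PLACEHOLDER.dll, error code 0x45A.
channel=Microsoft-Windows-PrintService/Admin|host=ws01.example.test|id=31017|msg=Constructed 31017 record
channel=Microsoft-Windows-PrintService/Operational|host=ws02.example.test|id=316|msg=Printer driver was added or updated (not one of the hunted IDs).
channel=System|host=ws03.example.test|id=7036|msg=The Print Spooler service entered the running state.
channel=Microsoft-Windows-PrintService/Admin|host=ws04.example.test|id=808|msg=The print spooler failed to load a plug-in module C:\\Windows\\System32\\spool\\DRIVERS\\x64\\3\\New\\OTHER.dll, error code 0x7E.
garbage line without fields
"""

FIELD_RE = re.compile(r"(\w+)=([^|]*)")
MODULE_RE = re.compile(r"plug-in module (?P<path>\S+?),")


def parse_event(line):
    """Turn one pipe-delimited record into a dict; None if malformed."""
    fields = dict(FIELD_RE.findall(line))
    if not {"channel", "host", "id"}.issubset(fields):
        return None
    try:
        fields["id"] = int(fields["id"])
    except ValueError:
        return None
    return fields


def find_hits(text):
    """Return {host: [(event_id, module_path_or_None), ...]} for hunted IDs."""
    hits = defaultdict(list)
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["id"] not in PRINTNIGHTMARE_EVENT_IDS:
            continue
        # An 808 names the module the spooler tried to load; keep it as an
        # artifact for the data-acquisition step.  Other IDs yield None.
        m = MODULE_RE.search(ev.get("msg", ""))
        hits[ev["host"]].append((ev["id"], m.group("path") if m else None))
    return dict(hits)


def hosts_to_isolate(hits):
    """Sorted hosts with at least one hit: candidates for containment."""
    return sorted(hits)


if __name__ == "__main__":
    found = find_hits(SAMPLE_EVENTS)
    for host, events in found.items():
        print(host, events)
    print("candidates for containment:", hosts_to_isolate(found))
```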
![The Rapid Breach Response collection of playbooks in the Cortex XSOAR Marketplace can help organizations respond to high-profile breaches and attacks such as the Nobelium spear phishing campaign.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/07/the-rapid-breach-response-collection-of-playbooks-1.jpeg)

*Figure-2. The Rapid Breach Response collection of playbooks in the Cortex XSOAR Marketplace can help organizations respond to high-profile breaches and attacks.*

### **Conclusion**

With the help of the Rapid Breach Response content pack and Cortex XSOAR's core capabilities and integrations, incident response, SecOps and threat intel teams can save many hours of manual labor piecing together disparate sources of information from multiple tools. Cortex XSOAR can automate several remediation and response actions so that security teams can quickly respond to vulnerabilities such as PrintNightmare and mitigate them to reduce their impact on the enterprise. Don't have Cortex XSOAR yet? Try the [free Community Edition](https://start.paloaltonetworks.com/sign-up-for-community-edition.html) today.