Another zero-day vulnerability in Windows Print Spooler can give a threat actor local SYSTEM privilege on a Windows machine: it abuses the ‘Queue-Specific Files’ feature to load files from a remote print server under the attacker’s control.

Last month, a security researcher prematurely revealed a zero-day Windows print spooler vulnerability known as PrintNightmare that Microsoft tracks as CVE-2021-34527. Microsoft released a security update to fix the vulnerability, but researchers determined that the patch could be bypassed under certain conditions.

Since the incomplete fix, security researchers have been heavily scrutinizing the Windows printing APIs and have found further vulnerabilities affecting the Windows print spooler.

Security researcher and Mimikatz creator Benjamin Delpy has publicly disclosed a new zero-day vulnerability that allows a threat actor to easily achieve SYSTEM privileges on a Windows machine through a remote print server under their control.

In a conversation with reporters, Delpy said that his exploit uses the ‘Queue-Specific Files’ feature of the Windows Point and Print capability to automatically download and execute a malicious DLL when a client connects to a print server under an attacker’s control.

“At printer installation time, a vendor-supplied installation application can specify a set of files, of any type, to be associated with a particular print queue,” explains Microsoft’s documentation on the ‘Queue-Specific Files’ feature. “The files are downloaded to each client that connects to the print server.”

To demonstrate the exploitation of the vulnerability, Delpy created a print server accessible over the Internet with two shared printers that use the queue-specific files feature.
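Because the attack path above depends on a client connecting to a print server the attacker controls and accepting whatever Point and Print hands it, the defensive question is which clients will do that. The following read-only audit script is an added example written for this article; it is not code from the article, from Delpy, or from Microsoft. It assumes that the registry value names it reads are the ones Microsoft's "Point and Print Restrictions" and "Package Point and print - Approved servers" policies and the KB5005652 hardening write under HKLM (RestrictDriverInstallationToAdministrators, NoWarningNoElevationOnInstall, UpdatePromptSettings, TrustedServers, ServerList, PackagePointAndPrintServerList), and the function name Get-PointAndPrintPosture is this example's own. It flags a running Spooler service, prompts that have been switched off, and the absence of a print-server allow-list, which is the control that speaks directly to "a print server under the attacker's control".

```powershell
# Added example (not from the article): read-only audit of the Point and Print
# settings that decide whether this client will pull drivers and queue-specific
# files from a remote print server. It changes nothing; it only reports.
# Assumption: the value names below are the ones Microsoft's Point and Print
# policies and KB5005652 write; Get-PointAndPrintPosture is this example's name.

function Get-PointAndPrintPosture {
    $pp  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $ppp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

    # Read one registry value, or return $null when the key or value is absent.
    function Read-Value([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Is the Print Spooler running? On hosts that never print, stopping and
    #    disabling it removes this attack surface entirely.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($spooler -and $spooler.Status -eq 'Running') {
        $findings.Add("Spooler service is running (StartType: $($spooler.StartType))")
    }

    # 2. KB5005652 control: 0 lets non-administrators install print drivers.
    $restrict = Read-Value $pp 'RestrictDriverInstallationToAdministrators'
    if ($restrict -eq 0) {
        $findings.Add('RestrictDriverInstallationToAdministrators = 0 (non-admins may install print drivers)')
    }

    # 3. Point and Print Restrictions: 0 means "show warning and elevation prompt".
    #    Any other present value suppresses the prompt and is weak.
    $noWarn = Read-Value $pp 'NoWarningNoElevationOnInstall'
    if ($null -ne $noWarn -and $noWarn -ne 0) {
        $findings.Add("NoWarningNoElevationOnInstall = $noWarn (no prompt when connecting to a new print server)")
    }
    $update = Read-Value $pp 'UpdatePromptSettings'
    if ($null -ne $update -and $update -ne 0) {
        $findings.Add("UpdatePromptSettings = $update (no prompt when a driver is updated)")
    }

    # 4. Server allow-listing: TrustedServers = 1 with a non-empty ServerList
    #    confines clients to named print servers, so an attacker-hosted server
    #    is never contacted for drivers or queue-specific files.
    $trusted = Read-Value $pp 'TrustedServers'
    $list    = Read-Value $pp 'ServerList'
    if ($trusted -ne 1 -or [string]::IsNullOrWhiteSpace($list)) {
        $findings.Add('No Point and Print server allow-list (TrustedServers/ServerList not set)')
    }
    $pkgList = Read-Value $ppp 'PackagePointAndPrintServerList'
    if ($pkgList -ne 1) {
        $findings.Add('Package Point and print is not limited to approved servers')
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Weak         = ($findings.Count -gt 0)
        Findings     = $findings.ToArray()
    }
}

# Usage: run as an administrator; exit code 1 signals weak settings to a fleet tool.
$result = Get-PointAndPrintPosture
if ($result.Weak) {
    Write-Warning "Point and Print posture on $($result.ComputerName) needs attention:"
    $result.Findings | ForEach-Object { Write-Output "  - $_" }
    exit 1
}
Write-Output "Point and Print posture on $($result.ComputerName): no weak settings found"
```

The script deliberately treats an absent NoWarningNoElevationOnInstall or UpdatePromptSettings value as acceptable, since a client with no policy configured still prompts; only an explicit non-zero value, which an administrator or a GPO must have set, is reported. The allow-list check is the finding to act on first: driver-installation restrictions govern who may install, but only a server allow-list governs which servers a client will talk to at all.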