Threat Response – PrintNightmare and Remote Code Execution (CVE-2021-40444) updates


Northwave has informed you through previous Threat Responses about several vulnerabilities in the Windows operating system. More specifically, Northwave sent out Threat Responses for vulnerabilities in the Printer Spooler service on 30 June 2021 and a Remote Code Execution in the MSHTML engine (CVE-2021-40444) on 9 September 2021.

During the latest ‚Patch Tuesday‘, Microsoft released several important updates that resolve the aforementioned vulnerabilities. Besides these vulnerabilities, the patches contain fixes for several other vulnerabilities as well. Microsoft resolved a total of 60 vulnerabilities during the latest patch-round. An overview of the resolved vulnerabilities, including CVE assignments, is found on the website of Microsoft[1].

Northwave strongly recommends installing the released patches as soon as possible.


Multiple vulnerabilities were found in the Printer Spooler service. Some vulnerabilities allowed a Remote Code Execution on Windows systems. The Remote Code Execution vulnerabilities were resolved in earlier patches, however a Local Privilege Escalation (LPE) vulnerability remained present. This LPE vulnerability was discovered by Benjamin Delpy, a well-known security researcher and developer of the tool Mimikatz. Microsoft disabled the vulnerable functionality through these patches, causing the exploit to fail, as shown in one of Benjamin’s latest tweets[2]. This resolves the publicly known Local Privilege Escalation vulnerability.

A second important patch in this Patch Tuesday is for CVE-2021-40444. This CVE is assigned to a vulnerability that allows malicious users to circumvent certain security measures in Microsoft Office. This vulnerability received a lot of online attention and was observed to be used in real-world attacks.

Besides patches for the vulnerabilities Northwave communicated about earlier, other patches were also part of this patch Tuesday. One severe vulnerability that was resolved is an unauthenticated Remote Code Execution in the Azure OMI agent. This agent is often installed automatically on Linux VMs in Azure. Exploiting this vulnerability yields root permissions to malicious users. More information about this vulnerability and its mitigations is found on the security researchers‘ website[3].

What should you do?

Install the patches that were released on September 14th 2021 as soon as possible.

What will Northwave do?

Northwave will monitor any developments regarding these vulnerabilities. If new critical information about this threat arises we will reach out to you. If you need additional information you can call us by phone or send us an email.

E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (alleen vanuit Nederland)

Disclaimer applies, see below.






Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.