1 July 2021

Security researchers accidentally leaked PoC code for Windows RCE bug

Researchers from a Shenzhen-based security firm accidentally published a proof-of-concept for a dangerous unpatched vulnerability that can be used to take over Active Directory domain controllers.

The vulnerability in question is CVE-2021-1675, which Microsoft initially described as an elevation of privilege issue affecting pretty much every supported Windows version. The vulnerability exists because the Windows Print Spooler does not properly impose security restrictions, which allows those restrictions to be bypassed and leads to privilege escalation.

Microsoft fixed CVE-2021-1675 on June 8 as part of its June Patch Tuesday; however, on June 21 the tech giant suddenly, and without explanation, reclassified it as a more serious remote code execution vulnerability.

And here things got a little messy. Apparently believing that the bug was now patched, researchers from the Chinese cybersecurity company Sangfor Technologies, who were preparing to present an in-depth technical paper on Windows Print Spooler bugs at the Black Hat conference in August 2021, decided to publish their proof-of-concept code ahead of the presentation.

However, other researchers tried out the exploit and found that it still worked. It appears that the vulnerability discovered by Sangfor researchers wasn’t actually the same bug fixed by Microsoft.

The researchers deleted the publication from GitHub shortly after realizing their mistake, but by then the exploit code was already copied and published elsewhere.

Several independent security researchers have published screenshots on Twitter showing that the exploit for the bug, which was named ‘PrintNightmare’, works on fully patched Windows systems. It seems that the Microsoft patch for CVE-2021-1675 only closes the privilege escalation attack vector and not the RCE attack vector. For this reason, system administrators are advised to disable the Print Spooler service, especially on Windows servers running as domain controllers.
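The mitigation recommended above, as an added example that is not part of the original article: a PowerShell snippet that checks whether the local host is a domain controller and, if so, stops the Print Spooler service and sets it to Disabled so it does not return after a reboot. It assumes an elevated PowerShell 5 or later session on the server being checked.

```powershell
# Added example, not from the article: audit the Print Spooler on this host and
# disable it when the host is a domain controller.
# Assumption: run from an elevated PowerShell session on the server itself.

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDomainController = $role -ge 4

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if (-not $spooler) {
    Write-Output "Print Spooler service is not present on this host."
    return
}

# Record the current state before changing anything (useful for a change ticket).
Write-Output ("Host: {0}  DomainController: {1}  Spooler: {2} (startup {3})" -f `
    $env:COMPUTERNAME, $isDomainController, $spooler.Status, $spooler.StartType)

if (-not $isDomainController) {
    Write-Output "Not a domain controller; leaving the Print Spooler unchanged."
    return
}

if ($spooler.Status -eq 'Running') {
    # Stop the service now and keep it from starting again on reboot.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output "Print Spooler stopped and disabled on domain controller $env:COMPUTERNAME."
}
elseif ($spooler.StartType -ne 'Disabled') {
    # Already stopped, but still allowed to start: fix the startup type too.
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output "Print Spooler startup type set to Disabled on $env:COMPUTERNAME."
}
else {
    Write-Output "Print Spooler is already stopped and disabled."
}
```

Run it again after a reboot to confirm the service has stayed stopped, and note that disabling the spooler also removes the ability to print from that server.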

