الثغرات ›

CVE-2021-1675

حرج 🇺🇸 CISA KEV ⚡ اختراق متاح

Microsoft Windows Print Spooler Remote Code Execution Vulnerability — Microsoft Windows Print Spooler contains an unspecified vulnerability that allows for remote code execution.

                    نُشر: Nov 3, 2021                                          ·  المصدر: CISA_KEV                

CVSS v3

9.0

🔗 NVD الرسمي

📄 الوصف (الإنجليزية)

Microsoft Windows Print Spooler Remote Code Execution Vulnerability — Microsoft Windows Print Spooler contains an unspecified vulnerability that allows for remote code execution.

🤖 ملخص AI

CVE-2021-1675 is a critical remote code execution vulnerability in Microsoft Windows Print Spooler affecting multiple Windows versions. With a CVSS score of 9.0 and publicly available exploits, this vulnerability poses an immediate threat to organizations across all sectors in Saudi Arabia. Attackers can execute arbitrary code with SYSTEM privileges without authentication, making it a high-priority threat requiring immediate patching.

📄 الوصف (العربية)

🤖 التحليل الذكي آخر تحليل: Apr 19, 2026 20:48

🇸🇦 التأثير على المملكة العربية السعودية

This vulnerability poses critical risk to Saudi banking sector (SAMA-regulated institutions), government agencies (NCA oversight), healthcare facilities, energy sector (ARAMCO and subsidiaries), and telecommunications providers (STC, Mobily). Government entities and critical infrastructure operators are particularly vulnerable due to widespread Windows deployment. The Print Spooler service is enabled by default on most Windows systems, creating a large attack surface across all sectors.

🏢 القطاعات السعودية المتأثرة

Banking and Financial Services Government and Public Administration Healthcare and Medical Facilities Energy and Utilities Telecommunications Critical Infrastructure Education Manufacturing

🎯 تقنيات MITRE ATT&CK

T1021.002 - Remote Services: RPC T1059.001 - Command and Scripting Interpreter: PowerShell T1053.005 - Scheduled Task/Job: Scheduled Task T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys T1543.003 - Create or Modify System Process: Windows Service T1569.002 - System Services: Service Execution

⚖️ درجة المخاطر السعودية (AI)

9.5

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Apply Microsoft security patches KB5004945 (Windows 10/11) or KB5004947 (Windows Server 2016/2019/2022) immediately

2. If patching cannot be completed immediately, disable Print Spooler service: net stop spooler && sc config spooler start= disabled

3. Restrict network access to Print Spooler ports (TCP 135, 445) using firewall rules

4. Monitor for suspicious RPC traffic and Print Spooler process anomalies



DETECTION RULES:

- Monitor Event ID 1000 (Application Error) for spoolsv.exe crashes

- Alert on unexpected child processes spawned by spoolsv.exe

- Track RPC calls to Print Spooler interfaces (MS-RPRN protocol)

- Monitor for unusual network connections from Print Spooler service



COMPENSATING CONTROLS:

- Implement network segmentation to isolate print infrastructure

- Deploy EDR solutions to detect suspicious spoolsv.exe behavior

- Enable Windows Defender Application Guard for vulnerable systems

- Implement application whitelisting to prevent unauthorized code execution

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تطبيق تصحيحات أمان Microsoft KB5004945 (Windows 10/11) أو KB5004947 (Windows Server) فوراً

2. إذا لم يكن التصحيح ممكناً، عطّل خدمة Print Spooler: net stop spooler && sc config spooler start= disabled

3. قيّد الوصول الشبكي إلى منافذ Print Spooler (TCP 135, 445) باستخدام قواعد جدار الحماية

4. راقب حركة RPC المريبة وشذوذ عملية Print Spooler



قواعد الكشف:

- راقب Event ID 1000 لأخطاء spoolsv.exe

- نبّه على العمليات الفرعية غير المتوقعة من spoolsv.exe

- تتبع استدعاءات RPC لواجهات Print Spooler

- راقب الاتصالات الشبكية غير العادية من خدمة Print Spooler



الضوابط البديلة:

- تطبيق تقسيم الشبكة لعزل البنية التحتية للطباعة

- نشر حلول EDR للكشف عن السلوك المريب

- تفعيل Windows Defender Application Guard

- تطبيق القائمة البيضاء للتطبيقات

📋 خريطة الامتثال التنظيمي

🟢 NCA ECC 2024

ECC 2024 A.12.6.1 - Management of technical vulnerabilities ECC 2024 A.14.2.1 - Secure development policy ECC 2024 A.12.2.1 - Monitoring and logging ECC 2024 A.13.1.3 - Segregation of networks

🔵 SAMA CSF

ID.RA-1 - Asset management and vulnerability identification PR.IP-12 - System and information integrity DE.CM-1 - Detection and analysis RS.RP-1 - Response planning

🟡 ISO 27001:2022

A.12.2.1 - Monitoring and logging of information and communication technology A.12.6.1 - Management of technical vulnerabilities A.14.2.1 - Secure development policy and procedures A.13.1.3 - Segregation of networks

🟣 PCI DSS v4.0

Requirement 6.2 - Security patches and updates Requirement 11.2 - Vulnerability scanning Requirement 12.2 - Configuration standards

🔗 المراجع والمصادر 0

لا توجد مراجع.

📦 المنتجات المتأثرة 1 منتج

Microsoft:Windows

📊 CVSS Score

9.0

/ 10.0 — حرج

📋 حقائق سريعة

الخطورة حرج

CVSS Score9.0

EPSS94.31%

اختراق متاح ✓ نعم

تصحيح متاح ✓ نعم

CISA KEV🇺🇸 Yes

تاريخ الإصلاح2021-11-17

تاريخ النشر 2021-11-03

المصدر cisa_kev

المشاهدات 2

🇸🇦 درجة المخاطر السعودية

9.5

/ 10.0 — مخاطر السعودية

أولوية: CRITICAL

🏷️ الوسوم

kev actively-exploited ransomware

⚡ إجراءات

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2021-1675

عرّفنا بنفسك

تسجيل الدخول مطلوب