If this is done on a Domain Controller, then the threat actor now effectively controls the Windows Domain. Once a threat actor gains SYSTEM privileges, it is game over for the system. These are critical vulnerabilities as they allow anyone to gain SYSTEM privileges on a local device, even a Domain Controller, simply by connecting to a remote Internet-accessible print server and installing a malicious print driver. Since then, Security researcher and Mimikatz creator Benjamin Delpy has been devising further vulnerabilities targeting the print spooler that remain unpatched.
While Microsoft released a security update for the remote code execution portion, researchers quickly bypassed the local privilege elevation component. This vulnerability allows remote code execution and local privilege escalation by installing malicious printer drivers. Technical details and a proof-of-concept (PoC) exploit for a new Windows print spooler vulnerability named 'PrintNightmare' (CVE-2021-34527) was accidentally disclosed in June.
A free unofficial patch has been released to protect Windows users from all new PrintNightmare zero-day vulnerabilities discovered since June.
