CVE-2010-2729

EXPLOITED IN THE WILD

Microsoft Windows Print Spooler - Arbitrary File Write and Remote Code Execution via Crafted RPC Print Request

Title source: llm

Exploitation Summary

CVE-2010-2729 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 2 public exploits from researchers including Metasploit, jduck, hdm, including a Metasploit module exploits/windows/smb/ms10_061_spoolss.

AI-analyzed exploit summary This Metasploit module exploits CVE-2010-2729, a vulnerability in the Microsoft Print Spooler service, to achieve remote code execution by impersonating the service and writing arbitrary files to the target system.

Description

The Print Spooler service in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7, when printer sharing is enabled, does not properly validate spooler access permissions, which allows remote attackers to create files in a system directory, and consequently execute arbitrary code, by sending a crafted print request over RPC, as exploited in the wild in September 2010, aka "Print Spooler Service Impersonation Vulnerability."

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/16361

View Code ZIP pw:eip

This Metasploit module exploits CVE-2010-2729, a vulnerability in the Microsoft Print Spooler service, to achieve remote code execution by impersonating the service and writing arbitrary files to the target system.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows Print Spooler Service

No auth needed

Prerequisites: Network access to the target's SMB and RPC services

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by jduck, hdm · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms10_061_spoolss.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2010-2729 (MS10-061) in the Microsoft Print Spooler service to achieve remote code execution by impersonating the service and writing arbitrary files, including a malicious MOF file processed by WMI.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows Print Spooler Service (MS10-061)

Auth required

Prerequisites: SMB access to target · Valid credentials or anonymous access to printer shares

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1218.010 - Regsvr32

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory vendor-advisory x_refsource_ms

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-061

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7358

Scores

EPSS 0.8180

EPSS Percentile 99.2%

Details

VulnCheck KEV 2010-09-15

InTheWild.io 2019-02-26

CWE

CWE-20

Status published

Products (6)

microsoft/windows_7

microsoft/windows_server_2003

microsoft/windows_server_2008 (7 CPE variants)

microsoft/windows_server_2008 r2 (2 CPE variants)

microsoft/windows_vista (4 CPE variants)

microsoft/windows_xp (2 CPE variants)

Published Sep 15, 2010

Tracked Since Feb 18, 2026