CVE-2023-27350
CVE-2023-27350 is a critical-severity vulnerability in Papercut Papercut Mf with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-04-21). The underlying weakness is classified as CWE-284.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-04-21)
- EU (EUVD) id: EUVD-2023-31126
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-04-21)
- Weakness: CWE-284
- Affected product: Papercut Papercut Mf
- Published:
- Last modified:
Description
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.
CVE-2023-27350: PaperCut NG/MF Authentication Bypass and Remote Code Execution
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE | CVE-2023-27350 |
| CVSS 3.1 | 9.8 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| EPSS | 0.99999 (99.999th percentile) |
| KEV | Yes (added 2023-04-21) |
| CWE | CWE-284 — Improper Access Control |
| Published | 2023-04-20 |
| Source | NVD |
Summary
PaperCut NG and MF contain an authentication bypass in the SetupCompleted class that allows unauthenticated remote attackers to bypass authentication and execute arbitrary code as SYSTEM.
Background
PaperCut NG and MF are print-management solutions widely deployed in enterprise, education, and government networks. The vulnerability was disclosed by Trend Micro's Zero Day Initiative (ZDI-CAN-18987) and quickly added to the CISA Known Exploited Vulnerabilities (KEV) catalog because active exploitation was observed in the wild.
Root Cause
The flaw is categorized as CWE-284: Improper Access Control. The SetupCompleted class fails to enforce proper authentication before allowing access to setup-completion functionality. This missing access control enables an unauthenticated attacker to reach administrative endpoints that should require authentication.
Impact
The NVD vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H yields a base score of 9.8 (Critical):
- Network exploitable with low complexity and no privileges required.
- High impact on confidentiality, integrity, and availability.
- An attacker can achieve remote code execution (RCE) in the context of the SYSTEM account, effectively granting full control over the host.
Exploitation Walkthrough
Ethics caveat: This section is written for defensive purposes only. Do not use this information to attack systems without explicit authorization.
The attack chain is conceptually straightforward:
- An unauthenticated attacker sends a request to the vulnerable
SetupCompletedendpoint. - Because the endpoint lacks proper access control, the attacker is treated as authenticated.
- The attacker manipulates setup parameters to inject or execute arbitrary code (e.g., by altering server configuration or triggering scripted setup actions).
- The code runs with SYSTEM privileges, giving the attacker full administrative control.
Defenders should treat any exposed PaperCut NG/MF instance as high-risk and assume compromise if the application was internet-facing before patching.
Affected and Patched Versions
According to the NVD CPE data, the following products are affected:
- PaperCut MF (
cpe:2.3:a:papercut:papercut_mf:*:*:*:*:*:*:*:*) - PaperCut NG (
cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*)
The ZDI advisory specifically confirmed PaperCut NG 22.0.5 (Build 63914) as vulnerable. Patch guidance is available in the vendor knowledge-base articles PO-1216 and PO-1219. Administrators should upgrade to a version recommended by PaperCut or apply the vendor-supplied mitigations.
Remediation
- Upgrade to a patched version as directed by PaperCut's official KB articles (PO-1216 / PO-1219).
- Network segmentation — Restrict PaperCut administrative interfaces to trusted internal networks; do not expose them to the internet.
- Web Application Firewall (WAF) rules — Block or alert on anomalous requests to the
SetupCompletedendpoint. - Compensating controls — If immediate patching is not possible, disable external access to the PaperCut web interface and monitor for unauthorized configuration changes.
Detection
- Monitor web-access logs for unexpected
POSTorGETrequests toSetupCompletedor similar setup-related endpoints from untrusted IPs. - Look for suspicious child processes spawned by the PaperCut application service account.
- Check for unauthorized configuration changes or new administrative users created in the PaperCut admin console.
- Leverage CISA's KEV catalog and IOCs shared by Sophos and other security vendors for hunting rules.
Assessment
With an EPSS score of 0.99999 and inclusion in the CISA KEV catalog on 2023-04-21, this vulnerability is one of the highest-probability, highest-impact flaws in recent years. The data strongly suggests that exploitation was widespread almost immediately after disclosure.
Key lessons:
- Setup and initialization endpoints must be strictly authenticated — even "one-time" setup flows should require strong access control; otherwise they become permanent backdoors.
- Internet-facing admin interfaces are high-value targets — print-management software is often overlooked during attack-surface reviews, yet it frequently runs with elevated privileges.
References
Frequently asked questions
- What is CVE-2023-27350?
- This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.
- How severe is CVE-2023-27350?
- CVE-2023-27350 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-27350 being actively exploited?
- Yes. CVE-2023-27350 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-04-21, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-27350?
- CVE-2023-27350 primarily affects Papercut Papercut Mf. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-27350?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-27350 have an EU (EUVD) identifier?
- Yes. CVE-2023-27350 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-31126. It is also flagged as exploited in the EUVD (since 2023-04-21).
- When was CVE-2023-27350 published?
- CVE-2023-27350 was published on 2023-04-20 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/171982/PaperCut-MF-NG-Authentication-Bypass-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/172022/PaperCut-NG-MG-22.0.4-Authentication-Bypass.html
- http://packetstormsecurity.com/files/172512/PaperCut-NG-MG-22.0.4-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/172780/PaperCut-PaperCutNG-Authentication-Bypass.html
- https://news.sophos.com/en-us/2023/04/27/increased-exploitation-of-papercut-drawing-blood-around-the-internet/
- https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
- https://www.zerodayinitiative.com/advisories/ZDI-23-233/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-27350
Affected products (2)
- cpe:2.3:a:papercut:papercut_mf:*:*:*:*:*:*:*:*
- cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*
More vulnerabilities in Papercut Papercut Mf
- CVE-2023-39143 — Critical (CVSS 9.8): PaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or…
- CVE-2019-12135 — Critical (CVSS 9.8): An unspecified vulnerability in the application server in PaperCut MF and NG versions 18.3.8 and earlier and versions…
- CVE-2019-8948 — Critical (CVSS 9.8): PaperCut MF before 18.3.6 and PaperCut NG before 18.3.6 allow script injection via the user interface, aka PC-15163.
- CVE-2024-1222 — High (CVSS 8.6): This allows attackers to use a maliciously formed API request to gain access to an API authorization level with…
- CVE-2023-2533 — High (CVSS 8.4): A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, which, under specific…
- CVE-2023-3486 — High (CVSS 8.2): An authentication bypass exists in PaperCut NG versions 22.0.12 and prior that could allow a remote, unauthenticated…
All CVEs affecting Papercut Papercut Mf →
Other CWE-284 (Improper Access Control) vulnerabilities
- CVE-2026-50746 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi…
- CVE-2026-46978 — Critical (CVSS 10.0): Vulnerability in the Oracle Solaris product of Oracle Systems (component: Remote Administration Daemon). The…
- CVE-2026-35308 — Critical (CVSS 10.0): Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars).…
- CVE-2026-35307 — Critical (CVSS 10.0): Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that…
- CVE-2026-46695 — Critical (CVSS 10.0): Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers…
- CVE-2026-46840 — Critical (CVSS 10.0): Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are…
Browse all CWE-284 (Improper Access Control) vulnerabilities →