CVE-2023-27350

CVE-2023-27350 is a critical-severity vulnerability in Papercut Papercut Mf with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-04-21). The underlying weakness is classified as CWE-284.

Key facts

Description

This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.

CVE-2023-27350: PaperCut NG/MF Authentication Bypass and Remote Code Execution

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE CVE-2023-27350
CVSS 3.1 9.8 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS 0.99999 (99.999th percentile)
KEV Yes (added 2023-04-21)
CWE CWE-284 — Improper Access Control
Published 2023-04-20
Source NVD

Summary

PaperCut NG and MF contain an authentication bypass in the SetupCompleted class that allows unauthenticated remote attackers to bypass authentication and execute arbitrary code as SYSTEM.

Background

PaperCut NG and MF are print-management solutions widely deployed in enterprise, education, and government networks. The vulnerability was disclosed by Trend Micro's Zero Day Initiative (ZDI-CAN-18987) and quickly added to the CISA Known Exploited Vulnerabilities (KEV) catalog because active exploitation was observed in the wild.

Root Cause

The flaw is categorized as CWE-284: Improper Access Control. The SetupCompleted class fails to enforce proper authentication before allowing access to setup-completion functionality. This missing access control enables an unauthenticated attacker to reach administrative endpoints that should require authentication.

Impact

The NVD vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H yields a base score of 9.8 (Critical):

  • Network exploitable with low complexity and no privileges required.
  • High impact on confidentiality, integrity, and availability.
  • An attacker can achieve remote code execution (RCE) in the context of the SYSTEM account, effectively granting full control over the host.

Exploitation Walkthrough

Ethics caveat: This section is written for defensive purposes only. Do not use this information to attack systems without explicit authorization.

The attack chain is conceptually straightforward:

  1. An unauthenticated attacker sends a request to the vulnerable SetupCompleted endpoint.
  2. Because the endpoint lacks proper access control, the attacker is treated as authenticated.
  3. The attacker manipulates setup parameters to inject or execute arbitrary code (e.g., by altering server configuration or triggering scripted setup actions).
  4. The code runs with SYSTEM privileges, giving the attacker full administrative control.

Defenders should treat any exposed PaperCut NG/MF instance as high-risk and assume compromise if the application was internet-facing before patching.

Affected and Patched Versions

According to the NVD CPE data, the following products are affected:

  • PaperCut MF (cpe:2.3:a:papercut:papercut_mf:*:*:*:*:*:*:*:*)
  • PaperCut NG (cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*)

The ZDI advisory specifically confirmed PaperCut NG 22.0.5 (Build 63914) as vulnerable. Patch guidance is available in the vendor knowledge-base articles PO-1216 and PO-1219. Administrators should upgrade to a version recommended by PaperCut or apply the vendor-supplied mitigations.

Remediation

  1. Upgrade to a patched version as directed by PaperCut's official KB articles (PO-1216 / PO-1219).
  2. Network segmentation — Restrict PaperCut administrative interfaces to trusted internal networks; do not expose them to the internet.
  3. Web Application Firewall (WAF) rules — Block or alert on anomalous requests to the SetupCompleted endpoint.
  4. Compensating controls — If immediate patching is not possible, disable external access to the PaperCut web interface and monitor for unauthorized configuration changes.

Detection

  • Monitor web-access logs for unexpected POST or GET requests to SetupCompleted or similar setup-related endpoints from untrusted IPs.
  • Look for suspicious child processes spawned by the PaperCut application service account.
  • Check for unauthorized configuration changes or new administrative users created in the PaperCut admin console.
  • Leverage CISA's KEV catalog and IOCs shared by Sophos and other security vendors for hunting rules.

Assessment

With an EPSS score of 0.99999 and inclusion in the CISA KEV catalog on 2023-04-21, this vulnerability is one of the highest-probability, highest-impact flaws in recent years. The data strongly suggests that exploitation was widespread almost immediately after disclosure.

Key lessons:

  1. Setup and initialization endpoints must be strictly authenticated — even "one-time" setup flows should require strong access control; otherwise they become permanent backdoors.
  2. Internet-facing admin interfaces are high-value targets — print-management software is often overlooked during attack-surface reviews, yet it frequently runs with elevated privileges.

References

Frequently asked questions

What is CVE-2023-27350?
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.
How severe is CVE-2023-27350?
CVE-2023-27350 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2023-27350 being actively exploited?
Yes. CVE-2023-27350 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-04-21, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2023-27350?
CVE-2023-27350 primarily affects Papercut Papercut Mf. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2023-27350?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2023-27350 have an EU (EUVD) identifier?
Yes. CVE-2023-27350 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-31126. It is also flagged as exploited in the EUVD (since 2023-04-21).
When was CVE-2023-27350 published?
CVE-2023-27350 was published on 2023-04-20 and last updated on 2026-06-17.

References

Affected products (2)

More vulnerabilities in Papercut Papercut Mf

All CVEs affecting Papercut Papercut Mf →

Other CWE-284 (Improper Access Control) vulnerabilities

Browse all CWE-284 (Improper Access Control) vulnerabilities →