CVE-2023-27351
CVE-2023-27351 is a high-severity vulnerability in Papercut Papercut Mf with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2026-04-20). The underlying weakness is classified as CWE-287.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- EPSS exploit prediction: 78% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2026-04-20)
- EU (EUVD) id: EUVD-2023-31127
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2026-04-20)
- Weakness: CWE-287
- Affected product: Papercut Papercut Mf
- Published:
- Last modified:
Description
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226.
CVE-2023-27351: PaperCut NG/MF Authentication Bypass via SecurityRequestFilter
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE | CVE-2023-27351 |
| CVSS v3 | 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| EPSS | 78.42% (99.53rd percentile) |
| KEV | Yes (CISA KEV, EUVD-2023-31127) |
| CWE | CWE-287: Improper Authentication |
| Published | 2023-04-20 |
| Vendor | PaperCut |
Summary
CVE-2023-27351 is an authentication bypass vulnerability in PaperCut NG and PaperCut MF. The flaw resides in the SecurityRequestFilter class, where an improper implementation of the authentication algorithm allows unauthenticated remote attackers to bypass authentication controls entirely. This vulnerability was reported through the Zero Day Initiative as ZDI-CAN-19226.
Background
PaperCut NG and PaperCut MF are widely deployed print management solutions used by educational institutions, enterprises, and government organizations to manage printing, track usage, and control costs. The web-based administration interface and user portal are core components of the product suite. The SecurityRequestFilter class is a critical security component responsible for enforcing authentication on incoming HTTP requests to protected endpoints.
Root Cause
The vulnerability is classified under CWE-287: Improper Authentication. The root cause stems from a flawed implementation of the authentication algorithm within the SecurityRequestFilter class. Specifically, the filter fails to correctly validate authentication state under certain request conditions, allowing requests to proceed without proper credential verification. This represents a logic flaw in the authentication enforcement layer rather than a memory corruption or injection weakness.
Impact
With a CVSS v3.1 score of 7.5 (HIGH), this vulnerability poses a significant risk:
| Metric | Value | Implication |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over the internet |
| Attack Complexity | Low | No special conditions or advanced techniques required |
| Privileges Required | None | No valid credentials needed |
| User Interaction | None | Fully automated exploitation possible |
| Scope | Unchanged | Impact limited to the vulnerable component |
| Confidentiality | High | Sensitive data and configuration accessible |
| Integrity | None | No direct data modification capability |
| Availability | None | No direct denial-of-service impact |
The primary impact is unauthorized information disclosure. An attacker bypassing authentication may gain access to print logs, user directories, configuration settings, and potentially administrative functions depending on the endpoint reached.
Exploitation Walkthrough
Ethics Notice: The following describes the vulnerability mechanism from a defensive perspective. No weaponized exploit code is provided. Organizations should use this information to understand attack surface and improve detection capabilities.
The vulnerability is triggered by sending a specially crafted HTTP request to a protected endpoint in the PaperCut web interface. Due to the logic flaw in SecurityRequestFilter, the request is processed without completing the authentication check. Because the flaw exists at the filter level, it potentially affects multiple endpoints that rely on this component for access control.
Defensive considerations:
- The attack is stateless and does not require session establishment or credential guessing.
- Exploitation leaves no failed login attempts in standard authentication logs, making detection reliant on behavioral or access-pattern monitoring.
- The low attack complexity and lack of prerequisite privileges make this highly attractive to opportunistic and targeted threat actors alike.
Affected and Patched Versions
Affected Products:
- PaperCut MF (versions prior to the security patch)
- PaperCut NG (versions prior to the security patch)
Specifically, PaperCut NG 22.0.5 (Build 63914) was confirmed vulnerable at the time of disclosure.
Patched Versions:
PaperCut released security updates to address this vulnerability. Administrators should consult the official PaperCut security advisory for exact patched build numbers:
Remediation
-
Upgrade Immediately: Apply the latest security patches from PaperCut as documented in PO-1216 and PO-1219. This is the primary and most effective remediation.
-
Network Segmentation: Restrict access to PaperCut web interfaces (administration and user portals) to trusted internal networks only. Do not expose these interfaces directly to the internet.
-
Web Application Firewall (WAF): Deploy or update WAF rules to detect anomalous request patterns targeting authentication endpoints. While a generic signature may be difficult, strict input validation and path-based access controls can reduce exposure.
-
Monitor for Indicators: Review access logs for unusual patterns of successful access to administrative endpoints from unexpected source IPs or without preceding login events.
Detection
- Behavioral Monitoring: Alert on successful HTTP 200 responses to admin-protected paths without preceding successful authentication events (e.g., missing login page visits or session cookie establishment).
- Network Traffic Analysis: Monitor for direct access to
/adminor equivalent protected paths from external IP addresses, especially where no VPN or proxy trail exists. - EPSS Correlation: With an EPSS score of 0.7842 (99.53rd percentile), this vulnerability is in the highest tier of exploitation probability. Security teams should prioritize scanning and patching activities accordingly.
Assessment
CVE-2023-27351 is a textbook example of how a single logic flaw in an authentication filter can nullify an application's entire access control model. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) Catalog and the EUVD (EUVD-2023-31127) underscores active exploitation in the wild.
Key takeaways:
- Authentication logic must be exhaustively tested against edge cases and malformed requests; filters are high-value targets because a single bypass affects all downstream endpoints.
- EPSS and KEV status should drive prioritization. With a 78.42% probability of exploitation and confirmed active use by threat actors, this vulnerability demands immediate attention regardless of an organization's perceived risk appetite.
References
Frequently asked questions
- What is CVE-2023-27351?
- This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226.
- How severe is CVE-2023-27351?
- CVE-2023-27351 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2023-27351 being actively exploited?
- Yes. CVE-2023-27351 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2026-04-20, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-27351?
- CVE-2023-27351 primarily affects Papercut Papercut Mf. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-27351?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-27351 have an EU (EUVD) identifier?
- Yes. CVE-2023-27351 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-31127. It is also flagged as exploited in the EUVD (since 2026-04-20).
- When was CVE-2023-27351 published?
- CVE-2023-27351 was published on 2023-04-20 and last updated on 2026-06-17.
References
- https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
- https://www.zerodayinitiative.com/advisories/ZDI-23-232/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-27351
Affected products (2)
- cpe:2.3:a:papercut:papercut_mf:*:*:*:*:*:*:*:*
- cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*
More vulnerabilities in Papercut Papercut Mf
- CVE-2023-39143 — Critical (CVSS 9.8): PaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or…
- CVE-2023-27350 — Critical (CVSS 9.8): This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5…
- CVE-2019-12135 — Critical (CVSS 9.8): An unspecified vulnerability in the application server in PaperCut MF and NG versions 18.3.8 and earlier and versions…
- CVE-2019-8948 — Critical (CVSS 9.8): PaperCut MF before 18.3.6 and PaperCut NG before 18.3.6 allow script injection via the user interface, aka PC-15163.
- CVE-2024-1222 — High (CVSS 8.6): This allows attackers to use a maliciously formed API request to gain access to an API authorization level with…
- CVE-2023-2533 — High (CVSS 8.4): A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, which, under specific…
All CVEs affecting Papercut Papercut Mf →
Other CWE-287 (Improper Authentication) vulnerabilities
- CVE-2026-45480 — Critical (CVSS 10.0): Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-46389 — Critical (CVSS 10.0): UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS…
- CVE-2026-10611 — Critical (CVSS 10.0): An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement.…
- CVE-2026-47280 — Critical (CVSS 10.0): Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-42822 — Critical (CVSS 10.0): Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges…
- CVE-2026-20182 — Critical (CVSS 10.0): May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and…
Browse all CWE-287 (Improper Authentication) vulnerabilities →