CVE-2023-27351

CVE-2023-27351 is a high-severity vulnerability in Papercut Papercut Mf with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2026-04-20). The underlying weakness is classified as CWE-287.

Key facts

Description

This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226.

CVE-2023-27351: PaperCut NG/MF Authentication Bypass via SecurityRequestFilter

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE CVE-2023-27351
CVSS v3 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS 78.42% (99.53rd percentile)
KEV Yes (CISA KEV, EUVD-2023-31127)
CWE CWE-287: Improper Authentication
Published 2023-04-20
Vendor PaperCut

Summary

CVE-2023-27351 is an authentication bypass vulnerability in PaperCut NG and PaperCut MF. The flaw resides in the SecurityRequestFilter class, where an improper implementation of the authentication algorithm allows unauthenticated remote attackers to bypass authentication controls entirely. This vulnerability was reported through the Zero Day Initiative as ZDI-CAN-19226.

Background

PaperCut NG and PaperCut MF are widely deployed print management solutions used by educational institutions, enterprises, and government organizations to manage printing, track usage, and control costs. The web-based administration interface and user portal are core components of the product suite. The SecurityRequestFilter class is a critical security component responsible for enforcing authentication on incoming HTTP requests to protected endpoints.

Root Cause

The vulnerability is classified under CWE-287: Improper Authentication. The root cause stems from a flawed implementation of the authentication algorithm within the SecurityRequestFilter class. Specifically, the filter fails to correctly validate authentication state under certain request conditions, allowing requests to proceed without proper credential verification. This represents a logic flaw in the authentication enforcement layer rather than a memory corruption or injection weakness.

Impact

With a CVSS v3.1 score of 7.5 (HIGH), this vulnerability poses a significant risk:

Metric Value Implication
Attack Vector Network Exploitable remotely over the internet
Attack Complexity Low No special conditions or advanced techniques required
Privileges Required None No valid credentials needed
User Interaction None Fully automated exploitation possible
Scope Unchanged Impact limited to the vulnerable component
Confidentiality High Sensitive data and configuration accessible
Integrity None No direct data modification capability
Availability None No direct denial-of-service impact

The primary impact is unauthorized information disclosure. An attacker bypassing authentication may gain access to print logs, user directories, configuration settings, and potentially administrative functions depending on the endpoint reached.

Exploitation Walkthrough

Ethics Notice: The following describes the vulnerability mechanism from a defensive perspective. No weaponized exploit code is provided. Organizations should use this information to understand attack surface and improve detection capabilities.

The vulnerability is triggered by sending a specially crafted HTTP request to a protected endpoint in the PaperCut web interface. Due to the logic flaw in SecurityRequestFilter, the request is processed without completing the authentication check. Because the flaw exists at the filter level, it potentially affects multiple endpoints that rely on this component for access control.

Defensive considerations:

  • The attack is stateless and does not require session establishment or credential guessing.
  • Exploitation leaves no failed login attempts in standard authentication logs, making detection reliant on behavioral or access-pattern monitoring.
  • The low attack complexity and lack of prerequisite privileges make this highly attractive to opportunistic and targeted threat actors alike.

Affected and Patched Versions

Affected Products:

  • PaperCut MF (versions prior to the security patch)
  • PaperCut NG (versions prior to the security patch)

Specifically, PaperCut NG 22.0.5 (Build 63914) was confirmed vulnerable at the time of disclosure.

Patched Versions:
PaperCut released security updates to address this vulnerability. Administrators should consult the official PaperCut security advisory for exact patched build numbers:

Remediation

  1. Upgrade Immediately: Apply the latest security patches from PaperCut as documented in PO-1216 and PO-1219. This is the primary and most effective remediation.

  2. Network Segmentation: Restrict access to PaperCut web interfaces (administration and user portals) to trusted internal networks only. Do not expose these interfaces directly to the internet.

  3. Web Application Firewall (WAF): Deploy or update WAF rules to detect anomalous request patterns targeting authentication endpoints. While a generic signature may be difficult, strict input validation and path-based access controls can reduce exposure.

  4. Monitor for Indicators: Review access logs for unusual patterns of successful access to administrative endpoints from unexpected source IPs or without preceding login events.

Detection

  • Behavioral Monitoring: Alert on successful HTTP 200 responses to admin-protected paths without preceding successful authentication events (e.g., missing login page visits or session cookie establishment).
  • Network Traffic Analysis: Monitor for direct access to /admin or equivalent protected paths from external IP addresses, especially where no VPN or proxy trail exists.
  • EPSS Correlation: With an EPSS score of 0.7842 (99.53rd percentile), this vulnerability is in the highest tier of exploitation probability. Security teams should prioritize scanning and patching activities accordingly.

Assessment

CVE-2023-27351 is a textbook example of how a single logic flaw in an authentication filter can nullify an application's entire access control model. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) Catalog and the EUVD (EUVD-2023-31127) underscores active exploitation in the wild.

Key takeaways:

  1. Authentication logic must be exhaustively tested against edge cases and malformed requests; filters are high-value targets because a single bypass affects all downstream endpoints.
  2. EPSS and KEV status should drive prioritization. With a 78.42% probability of exploitation and confirmed active use by threat actors, this vulnerability demands immediate attention regardless of an organization's perceived risk appetite.

References

Frequently asked questions

What is CVE-2023-27351?
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226.
How severe is CVE-2023-27351?
CVE-2023-27351 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
Is CVE-2023-27351 being actively exploited?
Yes. CVE-2023-27351 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2026-04-20, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2023-27351?
CVE-2023-27351 primarily affects Papercut Papercut Mf. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2023-27351?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2023-27351 have an EU (EUVD) identifier?
Yes. CVE-2023-27351 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-31127. It is also flagged as exploited in the EUVD (since 2026-04-20).
When was CVE-2023-27351 published?
CVE-2023-27351 was published on 2023-04-20 and last updated on 2026-06-17.

References

Affected products (2)

More vulnerabilities in Papercut Papercut Mf

All CVEs affecting Papercut Papercut Mf →

Other CWE-287 (Improper Authentication) vulnerabilities

Browse all CWE-287 (Improper Authentication) vulnerabilities →