On Friday, April 21, 2023, CISA added CVE-2023-27350 (a critical unauthenticated remote code execution vulnerability) impacting PaperCut MF and PaperCut NG to the Known Exploited Vulnerabilities (KEV) list.  PaperCut MF and PaperCut NG are both enterprise printer management software. 

Originally ZDI-23-233, CVE-2023-27350 (CVSS 9.8) impacts both application servers and site servers for PaperCut MF and NG version 8.0 or later, according to PaperCut, and have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later.


PAPERCUT RCE ATTEMPT | CISA KEV UPDATE: CVE-2023-27350


PAPERCUT AUTHENTICATION BYPASS CHECK | CISA KEV UPDATE: CVE-2023-27350


The inclusion of this vulnerability on the KEV list implies that exploitation has been confirmed in the wild. Additionally, the PaperCut advisory also points out reports of exploitation dating back to April 13, 2023, 15:29 UTC.  

GreyNoise has published two tags related to this PaperCut vulnerability:

  • PaperCut RCE Attempt: IP addresses with this tag have been observed attempting to exploit CVE-2023-27350, an authentication bypass vulnerability in PaperCut MF/NG that could result in remote code execution.
  • PaperCut Authentication Bypass Check: IP addresses with this tag have been observed checking for the existence of CVE-2023-27350, an authentication bypass vulnerability in PaperCut MF/NG.

At the time of publication, GreyNoise has not observed mass exploitation for this vulnerability but has observed two IPs mass scanning for the vulnerability; this could be for a few reasons.  It could be that exploitation is happening in a more targeted fashion or simply because scanning for this vulnerability isn’t technically necessary as a specific Google search will return a few thousand hits which attackers can use to focus exploitation attempts on.

GreyNoise recommends that organizations that use PaperCut follow the vendor's guidance to upgrade and review systems for signs of compromise.  (This information is included in PaperCut’s advisory).

Sign up for a free GreyNoise account or request a demo to see how GreyNoise can help.

While signed in to GreyNoise, click below to set up a daily alert to be notified of new results.

  • Alert for “PaperCut RCE Attempt”
  • Alert for “PaperCut Authentication Bypass Check”

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.
Read the full report
GreyNoise Labs logo
Link to GreyNoise Twitter account
Link to GreyNoise Twitter account