• Language chooser
    • USA (English)
    • France (Français)
    • Italy (Italiano)
    • Latin America (Español)
    • Brazil (Portugués)
    • Germany (Deutsch)
    • Korea (한국어)
    • Japan (Beta) (日本語)

PaperCut MF/NG Improper Access Control Vulnerability

Released: Apr 26, 2023

High Severity

Vulnerability, Attack Type

Critical vulnerability in PaperCut Print Management Server exploited in the wild

CVE-2023-27350 allows for an unauthenticated attacker to execute Remote Code Execution (RCE) on a PaperCut Application Server. Vulnerability exists within the SetupCompleted class and according to the vendor, this could be achieved remotely and without the need to log in. Learn More »

Common Vulnerabilities and Exposures



Papercut offers a print management system called PaperCut MF/NG, which provides print monitoring and control capabilities. Successful exploitation of this security defect allows a remote, unauthenticated attacker to bypass authentication and execute arbitrary code with system privileges. The software supports a wide range of different printers, scanners, and other devices of that purpose and according to Shodan search, there are approximately 1700 internet exposed PaperCut servers.

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.

January 10, 2023: Zero Day Initiative disclosed the vulnerabilities to PaperCut.

March 8, 2023: PaperCut released a patch and advises to immediately upgrade PaperCut Application Servers to one of the fixed versions provided.

April 19, 2023: Vendor reported unpatched servers are being exploited in the wild, particularly the flaw CVE-2023–27350.

April 24, 2023: CISA added CVE-2023-27350 to its known exploited catalog (KEV).

Both vulnerabilities (CVE-2023-27350, CVE-2023–27351) have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later. FortiGuard Labs has released an IPS signature to detect and block attacks leveraging (CVE-2023-27350) which has been seen to be exploited in the wild. According to PaperCut, there is no evidence that CVE-2023-27351 is being used in the wild. However, it is strongly advised to apply patches for both immediately if not already done.

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.

  • Vulnerability

  • IPS

  • IOC

  • Assisted Response Services

  • Automated Response

  • InfoSec Services

  • Attack Surface Monitoring (Inside & Outside)

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.

Loading ...

Indicators of compromise Indicators of compromise
IOC Indicator List
Indicator Type Status
asq.r77vh0.pw domain Active
asq.d6shiiwz.pw domain Active
http://asq.r77vh0.pw/win/checking.hta url Active
https://asq.d6shiiwz.pw/win/hssl/d6.hta url Active
https://asq.r77vh0.pw/win/hssl/r7.hta url Active
4.tcp.ngrok.io domain Active
asd.s7610rir.pw domain Active
asq.swhw71un.pw domain Active
d6shiiwz.pw domain Active
s7610rir.pw domain Active
swhw71un.pw domain Active ip Active url Active
912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec... file Active ip Active ip Active ip Active ip Active
r77vh0.pw domain Active ip Active ip Active url Active url Active ip Active
upd343.winserverupdates.com domain Active
ber6vjyb.com domain Active
c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af... file Active ip Active
winserverupdates.com domain Active
http://upd488.windowservicecemter.com/download/ld.txt url Active
upd488.windowservicecemter.com domain Active url Active
anydeskupdate.com domain Active
anydeskupdates.com domain Active
f9947c5763542b3119788923977153ff8ca807a2e535e6a... file Active
http://upd488.windowservicecemter.com/download/a2.msi url Active
http://upd488.windowservicecemter.com/download/a3.msi url Active
http://upd488.windowservicecemter.com/download/... url Active
http://upd488.windowservicecemter.com/download/... url Active
netviewremote.com domain Active
updateservicecenter.com domain Active
windowcsupdates.com domain Active
windowservicecemter.com domain Active
windowservicecentar.com domain Active
windowservicecenter.com domain Active
00ec44df6487faf9949cebee179bafe8377ca4417736766... file Active
0ce7c6369c024d497851a482e011ef1528ad270e83995d5... file Active
1097975f1dede47a8ef80bab26c6fed7e3db70f033ad86e... file Active
38d2f150616fa1b2a989a3b97edf07bf13948441f49709f... file Active
3b326a3e4f0a03db859feeed7e4e3a832acdaeaf8b2cd69... file Active
45729491ec4ae2065672e6d93a3aa7533a8058cecb8fcdb... file Active
487d47985cddf204a94cfd41bd2d89798cdc03c4df8a582... file Active
582b72bb0f0088aaad17f3aeab98654ede6fed18b5c7f48... file Active
abroad.ge domain Active
cdn-backdl.com domain Active
d8d49f34f57ce54da60a0d2edf8c7924525b1dd1dcccdea... file Active url Active url Active url Active url Active url Active url Active url Active
http://4.tcp.ngrok.io:14573/ url Active url Active
http://study.abroad.ge:443/ url Active
http://study.abroad.ge:443/wp-content/stuff/win... url Active
http://upd488.windowservicecemter.com/download/... url Active
jojojovan1.com domain Active
jojojovan2.com domain Active ip Active ip Active ip Active ip Active ip Active ip Active ip Active ip Active
https://tmpfiles.org/dl/1337855/enc.txt url Active ip Active ip Active ip Active ip Active ip Active ip Active ip Active ip Active ip Active ip Active ip Active ip Active
study.abroad.ge domain Active ip Active ip Active
dbb80ac555af343629e99b423eae2aa8923862984da0f0b... file Active ip Active ip Active
5913f55b48b69bfb1da9fb39fb7b8509266922531da20fc... file Active ip Active ip Active
Indicators of compromise Indicators of compromise
IOC Threat Activity

Last 30 days


Avg 0