
PaperCut MF/NG Improper Access Control Vulnerability

Released: Apr 26, 2023


High Severity

Vulnerability, Attack Type


Critical vulnerability in PaperCut Print Management Server exploited in the wild

CVE-2023-27350 allows an unauthenticated attacker to achieve remote code execution (RCE) on a PaperCut Application Server. The vulnerability exists within the SetupCompleted class and, according to the vendor, exploitation can be performed remotely and without the need to log in.

Common Vulnerabilities and Exposures

CVE-2023-27350

Background

PaperCut offers a print management system called PaperCut MF/NG, which provides print monitoring and control capabilities. Successful exploitation of this security defect allows a remote, unauthenticated attacker to bypass authentication and execute arbitrary code with system privileges. The software supports a wide range of printers, scanners, and similar devices, and according to a Shodan search there are approximately 1700 internet-exposed PaperCut servers.

Latest Development

Recent news and incidents related to this threat, encompassing events such as data breaches, cyber-attacks, security incidents, and newly discovered vulnerabilities.


January 10, 2023: Zero Day Initiative disclosed the vulnerabilities to PaperCut.
https://www.zerodayinitiative.com/advisories/ZDI-23-233/
https://www.zerodayinitiative.com/advisories/ZDI-23-232/

March 8, 2023: PaperCut released a patch and advised customers to immediately upgrade PaperCut Application Servers to one of the fixed versions provided.
https://www.papercut.com/kb/Main/PO-1216-and-PO-1219


April 19, 2023: The vendor reported that unpatched servers are being exploited in the wild, specifically via CVE-2023-27350.

April 24, 2023: CISA added CVE-2023-27350 to its known exploited catalog (KEV).

Both vulnerabilities (CVE-2023-27350, CVE-2023-27351) have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later. FortiGuard Labs has released an IPS signature to detect and block attacks leveraging CVE-2023-27350, which has been seen exploited in the wild. According to PaperCut, there is no evidence that CVE-2023-27351 is being used in the wild. However, it is strongly advised to apply patches for both immediately if not already done.
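Because the fix landed on three separate release branches, a simple "is my version newer than X" comparison gives wrong answers (22.0.8 is newer than 21.2.11 but still vulnerable). The following Python snippet is an added example, not code from FortiGuard or PaperCut: it maps an installed version string to its branch and compares it against the fixed version named above for that branch. The host inventory is constructed for illustration, and the handling of branches outside 20.x through 22.x (older branches treated as unpatched, 23.x and later treated as shipped after the fix) is an assumption to confirm against the vendor's release notes.

```python
"""Triage PaperCut MF/NG versions against the fixed versions in the advisory."""
import re

# Fixed versions per release branch from the advisory: 20.1.7, 21.2.11, 22.0.9 and later.
FIXED_VERSIONS = {
    20: (20, 1, 7),
    21: (21, 2, 11),
    22: (22, 0, 9),
}


def parse_version(text):
    """Extract the first major.minor.patch triple from strings such as
    '22.0.8' or 'PaperCut MF 21.2.10 (Build 62000)' as a tuple of ints."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version_text):
    """True when the version is below the fixed version of its own branch.

    Assumption (not stated on the page): branches older than 20 have no fix
    listed and are treated as vulnerable; branches newer than 22 are treated
    as released after the fix. Verify both against the vendor's release notes.
    """
    version = parse_version(version_text)
    major = version[0]
    if major < 20:
        return True
    if major > 22:
        return False
    return version < FIXED_VERSIONS[major]


def triage(inventory):
    """Return [(host, version, 'PATCH' | 'ok')] for a {host: version} mapping,
    with hosts needing a patch listed first."""
    rows = [(host, ver, "PATCH" if is_vulnerable(ver) else "ok")
            for host, ver in inventory.items()]
    return sorted(rows, key=lambda row: (row[2] != "PATCH", row[0]))


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "print-01.example.internal": "PaperCut MF 21.2.10 (Build 62000)",
    "print-02.example.internal": "22.0.9",
    "print-03.example.internal": "22.0.8",
    "print-04.example.internal": "20.1.7",
}

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{status:5} {host:28} {version}")
```

The version string on a PaperCut server is typically visible in the admin interface's About page; feed that string to `is_vulnerable` rather than relying on a package manager, since the application is usually installed from the vendor's own installer.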

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • Vulnerability

  • IPS

DETECT
  • IOC

RESPOND
  • Assisted Response Services

  • Automated Response

RECOVER
  • InfoSec Services

IDENTIFY
  • Attack Surface Monitoring (Inside & Outside)

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.



Indicators of compromise
IOC Indicator List
Indicator Type Status
asq.r77vh0.pw domain Active
asq.d6shiiwz.pw domain Active
http://asq.r77vh0.pw/win/checking.hta url Active
https://asq.d6shiiwz.pw/win/hssl/d6.hta url Active
https://asq.r77vh0.pw/win/hssl/r7.hta url Active
4.tcp.ngrok.io domain Active
asd.s7610rir.pw domain Active
asq.swhw71un.pw domain Active
d6shiiwz.pw domain Active
s7610rir.pw domain Active
swhw71un.pw domain Active
83.97.20.81 ip Active
http://83.97.20.81/win/checking.ps1 url Active
912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec... file Active
192.160.102.164 ip Active
5.188.206.14 ip Active
5.188.86.237 ip Active
159.65.42.223 ip Active
r77vh0.pw domain Active
83.97.20.81:80 ip Active
5.188.86.237:443 ip Active
https://5.188.86.237/functionalStatus/2JYbAmfY5... url Active
http://5.188.86.237/vmware.exe url Active
185.254.37.236 ip Active
upd343.winserverupdates.com domain Active
ber6vjyb.com domain Active
c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af... file Active
216.122.175.114 ip Active
winserverupdates.com domain Active
http://upd488.windowservicecemter.com/download/ld.txt url Active
upd488.windowservicecemter.com domain Active
http://50.19.48.59:82/me1.bat url Active
anydeskupdate.com domain Active
anydeskupdates.com domain Active
f9947c5763542b3119788923977153ff8ca807a2e535e6a... file Active
http://upd488.windowservicecemter.com/download/a2.msi url Active
http://upd488.windowservicecemter.com/download/a3.msi url Active
http://upd488.windowservicecemter.com/download/... url Active
http://upd488.windowservicecemter.com/download/... url Active
netviewremote.com domain Active
updateservicecenter.com domain Active
windowcsupdates.com domain Active
windowservicecemter.com domain Active
windowservicecentar.com domain Active
windowservicecenter.com domain Active
00ec44df6487faf9949cebee179bafe8377ca4417736766... file Active
0ce7c6369c024d497851a482e011ef1528ad270e83995d5... file Active
1097975f1dede47a8ef80bab26c6fed7e3db70f033ad86e... file Active
38d2f150616fa1b2a989a3b97edf07bf13948441f49709f... file Active
3b326a3e4f0a03db859feeed7e4e3a832acdaeaf8b2cd69... file Active
45729491ec4ae2065672e6d93a3aa7533a8058cecb8fcdb... file Active
487d47985cddf204a94cfd41bd2d89798cdc03c4df8a582... file Active
582b72bb0f0088aaad17f3aeab98654ede6fed18b5c7f48... file Active
abroad.ge domain Active
cdn-backdl.com domain Active
d8d49f34f57ce54da60a0d2edf8c7924525b1dd1dcccdea... file Active
http://137.184.56.77:443/c.bat url Active
http://137.184.56.77:443/for.ps1 url Active
http://159.65.42.223/r/ppc/02E663CA8C405746/ url Active
http://185.254.37.173:443/8a293f2ddb634472a3e8b... url Active
http://185.254.37.236/ppc url Active
http://192.184.35.216:443/4591187629.exe url Active
http://23.184.48.17/bootcamp.zip url Active
http://4.tcp.ngrok.io:14573/ url Active
http://45.159.248.244:8000/wow url Active
http://study.abroad.ge:443/ url Active
http://study.abroad.ge:443/wp-content/stuff/win... url Active
http://upd488.windowservicecemter.com/download/... url Active
jojojovan1.com domain Active
jojojovan2.com domain Active
137.184.56.77 ip Active
137.184.56.77:443 ip Active
185.254.37.173 ip Active
192.184.35.216 ip Active
192.184.35.216:443 ip Active
23.184.48.17 ip Active
45.159.248.244 ip Active
45.159.248.244:8000 ip Active
https://tmpfiles.org/dl/1337855/enc.txt url Active
102.130.112.157 ip Active
172.106.112.46 ip Active
194.87.82.7 ip Active
195.123.246.20 ip Active
46.4.20.30 ip Active
5.8.18.233 ip Active
80.94.95.103 ip Active
89.105.216.106 ip Active
89.105.216.106:443 ip Active
92.118.36.199 ip Active
92.118.36.199:443 ip Active
92.118.36.199:9100 ip Active
study.abroad.ge domain Active
20.229.231.224 ip Active
20.229.231.224:53694 ip Active
dbb80ac555af343629e99b423eae2aa8923862984da0f0b... file Active
45.92.1.60:5111 ip Active
45.92.1.60 ip Active
5913f55b48b69bfb1da9fb39fb7b8509266922531da20fc... file Active
190.2.141.128 ip Active
5.188.86.237:8080 ip Active
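The list above mixes bare domains (r77vh0.pw) with hostnames under them (asq.r77vh0.pw), IPs with and without ports, and full URLs, so a matcher should normalise each log entry and check parent domains rather than do exact string comparison. The Python below is an added example, not FortiGuard's tooling: it loads a subset of the indicators from this page, walks a few constructed DNS and proxy log lines, and flags hits. The log format (`<timestamp> <source-ip> dns|http <target>`) is invented for the example, as is the decision to mark 4.tcp.ngrok.io for analyst review, since ngrok is a shared tunnelling service and a hit on it needs context before action.

```python
"""Match constructed DNS/proxy log lines against network indicators from the alert."""
import ipaddress
import re
from urllib.parse import urlsplit

# Subset of the indicators listed on this page (domains, IPs, URLs).
IOC_DOMAINS = {
    "asq.r77vh0.pw", "r77vh0.pw", "d6shiiwz.pw",
    "upd488.windowservicecemter.com", "windowservicecemter.com",
    "anydeskupdate.com", "4.tcp.ngrok.io",
}
IOC_IPS = {"83.97.20.81", "5.188.86.237", "137.184.56.77"}
IOC_URLS = {
    "http://83.97.20.81/win/checking.ps1",
    "http://upd488.windowservicecemter.com/download/ld.txt",
}
# Indicators on shared infrastructure: report them, but rank for analyst review
# rather than automatic blocking (example policy, not from the page).
NEEDS_CONTEXT = {"4.tcp.ngrok.io"}

# Invented log shape: "<timestamp> <source-ip> dns <qname>" or "... http <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>dns|http)\s+(?P<target>\S+)$")


def domain_matches(host):
    """Return the listed domain that `host` equals or sits under, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def ip_matches(addr):
    """Return the listed IP if `addr` parses as one of them (port stripped), else None."""
    try:
        ip = str(ipaddress.ip_address(addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr))
    except ValueError:
        return None
    return ip if ip in IOC_IPS else None


def scan_line(line):
    """Return a finding dict for one log line, or None when nothing matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    kind, target = m["kind"], m["target"]
    if kind == "dns":
        hit = domain_matches(target) or ip_matches(target)
    elif target in IOC_URLS:
        hit = target
    else:
        host = urlsplit(target).hostname or ""
        hit = domain_matches(host) or ip_matches(host)
    if hit is None:
        return None
    return {
        "time": m["ts"], "src": m["src"], "indicator": hit,
        "confidence": "review" if hit in NEEDS_CONTEXT else "high",
    }


def scan(lines):
    """Scan many lines; findings keep log order."""
    return [f for f in (scan_line(line) for line in lines) if f]


# Constructed sample log; internal source IPs and timestamps are made up.
SAMPLE_LOG = [
    "2023-04-20T10:01:02Z 10.0.0.5 dns asq.r77vh0.pw",
    "2023-04-20T10:01:03Z 10.0.0.5 http http://83.97.20.81/win/checking.ps1",
    "2023-04-20T10:02:00Z 10.0.0.7 dns cdn.example.org",
    "2023-04-20T10:03:00Z 10.0.0.9 dns 4.tcp.ngrok.io",
    "2023-04-20T10:04:00Z 10.0.0.5 http http://upd488.windowservicecemter.com/download/a2.msi",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Note that the last sample line is not one of the listed URLs, yet it is still caught because the hostname sits under a listed domain; that parent-domain walk is what keeps the matcher useful when the adversary rotates paths on the same infrastructure. Printer-side telemetry is worth including as a source as well: the list contains 92.118.36.199:9100, the raw printing port, which is unusual to see as an outbound destination from a print server.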