PaperCut Remote Code Execution Vulnerability (CVE-2023-27350) Exploited in the Wild

Description

UPDATE 04/26/2023: Updated protection section for IPS protection.


FortiGuard Labs is aware that a recently disclosed vulnerability in PaperCut MF/NG (CVE-2023-27350) allows remote code execution and is currently being exploited in the wild. Various remote management and maintenance software and the Truebot malware were reportedly deployed to unpatched servers. As such, patches should be applied as soon as possible.


PaperCut NG is a print management software that helps organizations manage printing within their environment. It provides tools for monitoring printer usage, setting policies, and controlling access to resources. PaperCut NG is compatible with a wide range of printers, copiers, and multi-function devices and can be installed on various operating systems such as Windows, Linux, and macOS. The MF version shares the same codebase, but allows for support of multifunction devices.


What is CVE-2023-27350?

CVE-2023-27350 is a Remote Code Execution (RCE) vulnerability that allows an attacker to bypass authentication and remotely execute malicious code on unpatched servers.


What is the CVSS Score?

The vulnerability has a CVSS base score of 9.8.


Is CVE-2023-27350 being Exploited in the Wild?

PaperCut confirms the vulnerability is being exploited in the wild. Furthermore, known remote management and maintenance software and the Truebot malware were reported deployed on vulnerable servers. The Clop ransomware threat actor is believed to have used the Truebot malware in these latest attacks.


Has the Vendor Released an Advisory for CVE-2023-27350?

Yes, a vendor advisory is available. Please refer to the Appendix for a link to "URGENT | PaperCut MF/NG vulnerability bulletin (March 2023)".


Has the Vendor Released a Patch for CVE-2023-27350?

Yes, PaperCut has released a patch for CVE-2023-27350 for PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later. Please refer to the "URGENT | PaperCut MF/NG vulnerability bulletin (March 2023) (PaperCut)" in the APPENDIX for further details.


Which Versions of PaperCut are Vulnerable to CVE-2023-27350?

According to the advisory, PaperCut MF and NG versions 8.0 and later on all OS platforms are vulnerable.
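The affected range (8.0 and later) and the fixed releases (20.1.7, 21.2.11, 22.0.9 and later) are easy to misread during triage, because a build on an unmaintained branch such as 21.1.x is not fixed even though "21" is higher than "20". The following is an added example, not code from the Threat Signal or from PaperCut, that encodes those thresholds as a conservative check over a constructed inventory list: anything in scope that is not an explicitly fixed build is flagged for patching. Hostnames and version strings are made up; the "(Build NNNNN)" suffix format is an assumption about how the version may appear in an inventory export.

```python
# Added example (not part of the FortiGuard Threat Signal): a conservative
# version check for CVE-2023-27350 against the fixed releases named in the
# vendor bulletin: 20.1.7, 21.2.11 and 22.0.9 "and later".
from __future__ import annotations

import re

# Fixed releases per maintenance branch: (major, minor) -> first patched build.
FIXED_BRANCHES = {
    (20, 1): 7,
    (21, 2): 11,
    (22, 0): 9,
}
# Anything at or above this version is a "later" release and is treated as fixed.
LATEST_FIXED = (22, 0, 9)
# Advisory scope: PaperCut MF/NG 8.0 and later are affected.
FIRST_AFFECTED = (8, 0, 0)


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract MAJOR.MINOR[.PATCH] from a version string such as
    '22.0.9 (Build 65356)'; a missing patch number is treated as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable(version: str) -> bool:
    """True when the build is in the advisory's scope and not a fixed release."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False  # pre-8.0 releases are outside the advisory's scope
    if v >= LATEST_FIXED:
        return False  # 22.0.9 and later
    branch_fix = FIXED_BRANCHES.get(v[:2])
    if branch_fix is not None and v[2] >= branch_fix:
        return False  # patched build on a maintained branch (20.1.x / 21.2.x)
    return True  # everything else in scope is treated as unpatched


def triage(inventory: list[tuple[str, str]]) -> list[tuple[str, str, bool]]:
    """Return (host, version, vulnerable) for each inventory row."""
    return [(host, ver, is_vulnerable(ver)) for host, ver in inventory]


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("print-01.example.test", "22.0.9 (Build 65356)"),
    ("print-02.example.test", "21.2.10"),
    ("print-03.example.test", "20.1.7"),
    ("print-04.example.test", "19.2.3"),
    ("print-05.example.test", "7.5.2"),
]

if __name__ == "__main__":
    for host, ver, vuln in triage(SAMPLE_INVENTORY):
        print(f"{host:24} {ver:22} {'PATCH NOW' if vuln else 'ok'}")
```

The check deliberately errs on the side of flagging: a build on a branch the bulletin does not list as fixed (for example 21.1.x) is reported as vulnerable and should be moved to the nearest fixed release named in the bulletin.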


What is the Status of Protection?

FortiGuard Labs has the following AV coverage in place for the known remote management and maintenance software deployed on servers after exploitation of CVE-2023-27350:

  • W64/Agent.CGW!tr
  • Riskware/RemoteAdmin

FortiGuard Labs has released the following IPS signature for CVE-2023-27350 in version 23.541:

  • PaperCut.NG.SetupCompleted.Authentication.Bypass (default action is set to "pass")
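Because the signature ships with its action set to "pass", it detects and logs but does not block until an administrator overrides it. The fragment below is an added example, not from the Threat Signal, of a FortiOS IPS sensor entry that sets the override; the sensor name is an assumption, and the rule ID must be taken from the signature's entry in the FortiGate IPS signature list (the page does not give it).

```text
# Added example, not from the Threat Signal. FortiOS CLI; sensor name is assumed.
# Replace <RULE_ID> with the ID shown for PaperCut.NG.SetupCompleted.Authentication.Bypass
# in the FortiGate IPS signature list.
config ips sensor
    edit "papercut-protect"
        config entries
            edit 1
                set rule <RULE_ID>
                set status enable
                set action block
            next
        end
    next
end
```

Apply the sensor to the firewall policy that fronts the PaperCut Application Server, and confirm after the change that IPS logs for this signature show the block action rather than pass.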


All reported network IOCs related to the post-exploitation activities are blocked by Web Filtering. FortiGuard Labs is currently investigating additional coverage and will update this Threat Signal when new information becomes available.


Any Suggested Mitigation?

The PaperCut advisory contains detailed mitigations and workarounds. Please refer to the "URGENT | PaperCut MF/NG vulnerability bulletin (March 2023) (PaperCut)" in the APPENDIX for further details.

Outbreak Alert

An unauthenticated attacker can perform a Remote Code Execution (RCE) on a vulnerable PaperCut Application Server. According to the vendor, the specific flaw exists within the SetupCompleted class and could be achieved remotely without authentication. PaperCut MF/NG Improper Access Control Vulnerability (CVE-2023-27350) has been seen exploited in the wild.
