Active Exploitation of Critical Vulnerability in PaperCut MF (Multifunction) and NG (Next Generation)

Published on 15 May 2023

There are reports of active exploitation of a critical vulnerability (CVE-2023-27350) in PaperCut MF (Multifunction) and NG (Next Generation). PaperCut MF and NG are print management solutions employed to manage and control printing and copying activities within users’ networked printing environments.

Successful exploitation of the vulnerability could allow an unauthenticated threat actor to perform remote code execution (RCE) on PaperCut application servers. The vulnerability is also reportedly being exploited to deploy ransomware on users’ networks.

Efforts to detect exploitation attempts should focus on the following three key areas:

  • Network traffic signatures – Look for anomalous network traffic attempting to access the "SetupCompleted" page of an exposed and vulnerable PaperCut server.
  • System monitoring – Look for child processes spawned from a PaperCut server’s "pc-app.exe" process.
  • Server settings and log files – Look for evidence of malicious activities in PaperCut server settings and log files.
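
The first two checks above can be sketched as log triage. This is an added example, not code from the advisory or from PaperCut. The log layout, request paths, install paths, IP addresses and the trusted_sources parameter are constructed assumptions; adapt the field handling to your own proxy and endpoint telemetry.

```python
import ntpath
import re
from urllib.parse import unquote

SETUP_PAGE = re.compile(r"setupcompleted", re.IGNORECASE)
PARENT_NAME = "pc-app.exe"

# Constructed sample data (not from a real server). Paths and addresses are placeholders.
ACCESS_LOG = [
    '10.0.0.5 - - [15/May/2023:10:01:02 +0000] "GET /example-path/UserLogin HTTP/1.1" 200',
    '203.0.113.7 - - [15/May/2023:10:03:44 +0000] "GET /example-path/SetupCompleted HTTP/1.1" 200',
    '198.51.100.9 - - [15/May/2023:10:05:10 +0000] "GET /example-path/setup%43ompleted HTTP/1.1" 200',
]
PROCESS_EVENTS = [
    {"parent": r"D:\apps\papercut\pc-app.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
    {"parent": r"D:\apps\papercut\PC-APP.EXE", "image": r"C:\Windows\System32\powershell.exe"},
]

def suspicious_requests(lines, trusted_sources=()):
    """Return (source_ip, line) for requests that reference the SetupCompleted page."""
    hits = []
    for line in lines:
        source = line.split(" ", 1)[0]
        # Decode twice so percent-encoded and double-encoded page names still match.
        decoded = unquote(unquote(line))
        # trusted_sources is a hypothetical allow-list, e.g. the admin host that ran setup.
        if SETUP_PAGE.search(decoded) and source not in trusted_sources:
            hits.append((source, line))
    return hits

def child_processes(events):
    """Return process-creation events whose parent image is pc-app.exe (any path, any case)."""
    return [e for e in events
            if ntpath.basename(e["parent"]).lower() == PARENT_NAME]

if __name__ == "__main__":
    for source, line in suspicious_requests(ACCESS_LOG):
        print(f"[network] SetupCompleted request from {source}: {line}")
    for event in child_processes(PROCESS_EVENTS):
        print(f"[process] pc-app.exe spawned {event['image']}")
```
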

The vulnerability affects the following versions of PaperCut:

  • version 8.0.0 to 19.2.7 (inclusive)
  • version 20.0.0 to 20.1.6 (inclusive)
  • version 21.0.0 to 21.2.10 (inclusive)
  • version 22.0.0 to 22.0.8 (inclusive)

Users and administrators of affected product versions are advised to update to the latest version immediately.

More information is available here:

https://www.papercut.com/kb/Main/PO-1216-and-PO-1219#product-status-and-next-steps

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a