Project Hyphae

PaperCut Print Management Servers Get Sliced Again


Horizon3 researchers have discovered a new flaw in PaperCut NG/MF print management software, currently tracked as CVE-2023-39143. The vulnerability does not have a CVSS score yet, but is categorized as “Very Critical.” In particular, this flaw affects PaperCut servers running on Windows. It enables unauthenticated attackers to read, delete, and/or upload files to the server, potentially resulting in remote code execution in instances where the “External Device Integration” setting is enabled. (This setting is “ON” by default in most installations.) It is estimated that this vulnerability currently affects the vast majority of PaperCut customers. PaperCut and Horizon3 recommend upgrading to the latest version of the print management software, PaperCut NG/MF version 22.1.3.

PaperCut servers have been a popular target for criminals since spring. On April 20th, 2023, another CVE was published, CVE-2023-27350, with a severity rating of 9.8 out of 10. The following month, Microsoft Threat Intelligence and the Cybersecurity and Infrastructure Security Agency (CISA) released separate advisories indicating that attacks utilizing this vulnerability against unpatched instances of PaperCut had expanded to malicious actors from all across the globe, including known ransomware gangs and state agencies. As with this earlier vulnerability, the new flaw lets attackers manipulate files without any authentication or user interaction.

If upgrading immediately is not possible because of production or uptime requirements, it is recommended that network access be configured to segregate vulnerable PaperCut servers from any resources that are not absolutely necessary. Additionally, threat hunting should be conducted in any environment where a vulnerable server was present, even after patching and/or segregating.
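The following triage over an asset inventory applies the conditions stated above; it is an added example, not code from the original post, PaperCut, or Horizon3. The record fields (`os`, `version`, `external_device_integration`), the sample hosts and build strings, and the treatment of every release below 22.1.3 as unpatched are assumptions of this example.

```python
import re

FIXED = (22, 1, 3)  # fixed PaperCut NG/MF release named in this post


def parse_version(text):
    """Extract (major, minor, patch) from strings such as '22.0.9 (Build 66000)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def triage(host):
    """Classify one inventory record (hypothetical schema) against the post's conditions."""
    version = parse_version(host.get("version"))
    if version is None:
        return "UNKNOWN: version unreadable, verify manually"
    if version >= FIXED:
        return "PATCHED"
    if (host.get("os") or "").lower() != "windows":
        return "UPGRADE: below 22.1.3, but the post scopes the flaw to Windows"
    # The post says the setting is ON by default, so a missing value counts as enabled.
    if host.get("external_device_integration", True):
        return "CRITICAL: file access and potential RCE; upgrade or isolate, then hunt"
    return "HIGH: unauthenticated file read/delete/upload; upgrade or isolate, then hunt"


# Constructed sample inventory (not real hosts or real build numbers)
INVENTORY = [
    {"name": "print01", "os": "Windows", "version": "22.0.9 (Build 66000)"},
    {"name": "print02", "os": "Windows", "version": "21.2.11",
     "external_device_integration": False},
    {"name": "print03", "os": "Windows", "version": "22.1.3"},
    {"name": "print04", "os": "Linux", "version": "20.1.4"},
    {"name": "print05", "os": "Windows", "version": "unknown"},
]


def report(inventory):
    """Return {host name: verdict} for every record in the inventory."""
    return {h["name"]: triage(h) for h in inventory}


if __name__ == "__main__":
    for name, verdict in sorted(report(INVENTORY).items()):
        print(f"{name}: {verdict}")
```

Hosts marked CRITICAL or HIGH remain candidates for threat hunting after they are patched or segregated, as the paragraph above recommends.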

To read Horizon3’s full report, including commands to check if your version of PaperCut is vulnerable, visit:
Microsoft’s original advisory regarding CVE-2023-27350:
CISA’s original advisory regarding CVE-2023-27350:
