
CVE-2023-27350: PaperCut MF/NG — Authentication Bypass RCE

CVE Details

CVE ID: CVE-2023-27350
CVSS Score: 9.8
Severity: Critical
Vendor: PaperCut
Product: PaperCut MF/NG
Patch Status: Available
Published: April 21, 2023
EPSS Score: 94.3%
CISA Patch Deadline: May 12, 2023 (federal deadline passed)

Background

PaperCut MF and NG are enterprise print management solutions used by universities, government agencies, hospitals, and businesses to track, control, and manage printing. They’re installed in thousands of organisations globally, often on internal servers that may be internet-facing for remote management or cloud-connected printing workflows.

CVE-2023-27350 was patched by PaperCut in March 2023, but in-the-wild exploitation was first observed in mid-April 2023, when threat actors began mass scanning for and exploiting unpatched servers. Because the vulnerability hit education and healthcare particularly hard, sectors notorious for slow patching, the damage was especially severe. CISA and the FBI jointly published an advisory, and ransomware groups were actively using the flaw within weeks of exploitation becoming public.

Technical Mechanism

PaperCut’s application server exposes a setup wizard and administrative interface. The authentication bypass in CVE-2023-27350 exploits a flaw in how the application validates requests to the /app path and the SetupCompleted check.

The application’s built-in setup interface, accessible at specific paths, doesn’t correctly verify that setup has been completed and that requests are coming from an authenticated administrator. By manipulating request paths, an attacker can:

  1. Access administrative functionality without valid credentials
  2. Use the admin panel’s script execution feature — PaperCut includes a “Scripting” tab that allows admins to run arbitrary Java or JavaScript code server-side
  3. Execute OS commands through the scripting feature using Runtime.getRuntime().exec() or similar Java API calls

The exploit flow is:

  1. Send a crafted GET request to bypass authentication
  2. Navigate to the Application Server’s scripting feature
  3. Submit a malicious script that executes an OS command (e.g., download and run a payload)

Proof of concept exploits were publicly available within days of the vulnerability becoming widely known in April 2023.

Real-World Exploitation Evidence

Exploitation was rapid and broad. Key campaigns:

  • Cl0p ransomware — attributed by Microsoft Threat Intelligence to exploiting CVE-2023-27350 to gain initial access, then deploying Cl0p ransomware; this was the same group responsible for MOVEit Transfer attacks
  • LockBit ransomware affiliates — multiple LockBit affiliates adopted this vulnerability for initial access
  • Lazarus Group (North Korea) — FBI/CISA advisory attributed exploitation to Lazarus Group, who used it to deploy espionage implants rather than ransomware, targeting technology and energy companies
  • VoidRabbit / TA505 — financially motivated group using access for follow-on activity

The education sector was hit particularly hard, with several US universities reporting compromises. Healthcare organisations were also targeted.

Impact Assessment

  • Remote code execution as SYSTEM/root — the application server typically runs as a high-privileged service account
  • Ransomware deployment — multiple ransomware families directly attributed to this vulnerability
  • Data theft — PaperCut stores information about print jobs including document content in some configurations, plus user data and network configuration
  • Lateral movement — compromised application servers provide a pivot point into the broader network
  • Persistence — attackers installed scheduled tasks, modified startup items, and deployed remote access trojans for persistent access

Affected Versions

Product        Affected Versions   Fixed Versions
PaperCut MF    8.0–22.0.12         20.1.7, 21.2.11, 22.0.9
PaperCut NG    8.0–22.0.12         20.1.7, 21.2.11, 22.0.9

Remediation Steps

  1. Update to PaperCut MF/NG version 20.1.7, 21.2.11, or 22.0.9 or later immediately
  2. If patching is delayed, apply the available workarounds:
    • Restrict access to the admin interface to localhost and trusted IP ranges only
    • Block external access to ports 9191 and 9192 (default PaperCut ports)
  3. Check for signs of compromise in PaperCut’s logs:
    • Look in [PaperCut install dir]/server/logs/ for unusual access patterns
    • Check for script execution events in the application log
  4. Look for newly created local or domain accounts
  5. Check scheduled tasks and startup items for unexpected entries (the Date property of a task is a string, so cast it before comparing; tasks with no registration date are skipped):
    Get-ScheduledTask | Where-Object { $_.Date -and [datetime]$_.Date -gt (Get-Date).AddDays(-30) }
  6. Scan for remote access tools (AnyDesk, ConnectWise, Cobalt Strike beacons)
  7. Review network connections from the PaperCut server for unusual outbound connections

Detection Guidance

PaperCut logs — found in [install dir]/server/logs/server.log. Look for:

  • Access to /app?service=page/SetupCompleted or similar paths
  • Script execution events, particularly those invoking system commands
  • Login attempts from unexpected IP addresses

Windows Event Logs:

  • New process creation (Event ID 4688) spawned from the PaperCut service
  • New local account creation (Event ID 4720)
  • Scheduled task creation (Event ID 4698)

Network monitoring — PaperCut servers should not be initiating connections to random external IPs; any such connection should be investigated.
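As an added illustration of the log checks above (example code written for this page, not PaperCut's, CISA's or any vendor's), the following Python applies the SetupCompleted, script-execution and unexpected-source checks to constructed server.log lines and the 4688/4720/4698 checks to constructed Windows Security events. The log line layout, the page names in the sample requests and pc-app.exe as the PaperCut service binary name are assumptions; adapt the regexes to what your installation actually writes.

```python
import re
# Constructed sample server.log lines in an assumed "timestamp LEVEL message" layout;
# the real PaperCut server.log format may differ, so adapt the regexes to your install.
SAMPLE_SERVER_LOG = """\
2023-04-19 10:15:01,002 INFO  Request: GET /app?service=page/Dashboard client=10.0.5.20 user=admin
2023-04-19 10:15:32,118 INFO  Request: GET /app?service=page/SetupCompleted client=203.0.113.44 user=-
2023-04-19 10:15:40,501 INFO  Request: POST /app?service=page/PrintScripting client=203.0.113.44 user=admin
2023-04-19 10:15:41,020 INFO  Script executed: java.lang.Runtime.getRuntime().exec invoked by admin
2023-04-19 10:16:02,000 INFO  Request: GET /app?service=page/Reports client=10.0.5.21 user=jsmith
"""
SETUP_BYPASS = re.compile(r"/app\?service=page/SetupCompleted")
SCRIPT_EXEC = re.compile(r"Script executed:.*(Runtime|exec|ProcessBuilder)", re.I)
REQUEST = re.compile(r"client=(?P<ip>\S+) user=(?P<user>\S+)")

def scan_server_log(text, trusted_prefix="10."):
    """One finding per suspicious line: SetupCompleted access, a script that reaches
    for the OS, or any request from outside the trusted admin range (prefix match)."""
    findings = []
    for line in text.splitlines():
        m = REQUEST.search(line)
        ip = m.group("ip") if m else "-"
        if SETUP_BYPASS.search(line):
            findings.append({"reason": "setup-completed-access", "ip": ip, "line": line})
        elif SCRIPT_EXEC.search(line):
            findings.append({"reason": "script-execution", "ip": ip, "line": line})
        elif m and not ip.startswith(trusted_prefix):
            findings.append({"reason": "untrusted-source", "ip": ip, "line": line})
    return findings
# Constructed Windows Security events (4688/4720/4698 fields as exported from the
# Security log); pc-app.exe as the PaperCut service binary name is an assumption.
SAMPLE_EVENTS = [
    {"EventID": 4688, "ParentProcessName": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 4720, "TargetUserName": "svc_backup2"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Updater"},
]

def scan_windows_events(events):
    """Flag any process spawned by the PaperCut service plus account and task creation."""
    hits = []
    for ev in events:
        if ev["EventID"] == 4688 and ev["ParentProcessName"].lower().endswith("pc-app.exe"):
            hits.append(("papercut-child-process", ev["NewProcessName"]))
        elif ev["EventID"] == 4720:
            hits.append(("new-account", ev["TargetUserName"]))
        elif ev["EventID"] == 4698:
            hits.append(("new-scheduled-task", ev["TaskName"]))
    return hits
```

Both scanners return lists rather than printing, so they drop straight into a SIEM enrichment job or a one-off triage script run against exported logs.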

Suricata signature:

alert http any any -> any $HTTP_PORTS (msg:"PaperCut CVE-2023-27350 Auth Bypass Attempt"; flow:established,to_server; http.uri; content:"/app"; content:"SetupCompleted"; distance:0; classtype:web-application-attack; sid:2034008; rev:1;)

Timeline

Date             Event
March 2023       PaperCut releases patches for CVE-2023-27350 and CVE-2023-27351
14 April 2023    Active exploitation begins; mass scanning observed
19 April 2023    CISA and FBI issue joint advisory
April 2023       Cl0p and LockBit affiliates confirmed using the vulnerability
May 2023         FBI/CISA update advisory attributing exploitation to Lazarus Group
May 2023         Added to CISA Known Exploited Vulnerabilities catalogue
2023             Continued exploitation in education and healthcare sectors