CVE-2023-27350
Published: 2023-04-20
Priority: P1 (100), critical, CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, remediation due 2023-05-12
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| papercut | ng | — | — |
| papercut | papercut_mf | >= 21.0.0 < 21.2.11 | 21.2.11 |
| papercut | papercut_mf | >= 22.0.0 < 22.0.9 | 22.0.9 |
| papercut | papercut_mf | >= 8.0 < 20.1.7 | 20.1.7 |
| papercut | papercut_ng | >= 21.0.0 < 21.2.11 | 21.2.11 |
| papercut | papercut_ng | >= 22.0.0 < 22.0.9 | 22.0.9 |
| papercut | papercut_ng | >= 8.0 < 20.1.7 | 20.1.7 |
Detection & IOCs (extracted from sources)
- GreyNoise tag 'PaperCut RCE Attempt' identifies IPs actively attempting to exploit CVE-2023-27350; tag 'PaperCut Authentication Bypass Check' identifies IPs scanning for the vulnerability.
- The earliest confirmed exploitation activity in the wild dates to April 13–14, 2023; use this as a baseline for log review scope when investigating potential compromises.
- The malicious payload was hosted on a temporary file-sharing site that auto-deletes uploads after 60 minutes, making payload retrieval and hash verification time-sensitive during incident response.
- The YARA/process-creation rule for pc-app.exe spawning cmd.exe or powershell.exe may produce false positives due to legitimate administrator activity; tune accordingly.
- CVE-2023-27350 affects PaperCut MF/NG version 8.0 or later on all OS platforms; both Application Servers and Site Servers are in scope.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-cfg6-7x4x-p3pj: This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22
ghsa_unreviewed · 2023-04-20
CVE-2023-27350 [CRITICAL] CWE-284
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.
VulnCheck
PaperCut MF/NG Improper Access Control Vulnerability
vulncheck·2023·CVSS 9.8
CVE-2023-27350 [CRITICAL] CWE-284 PaperCut MF/NG Improper Access Control Vulnerability
PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context of system.
Affected: PaperCut MF/NG
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.papercut.com/kb/Main/PO-1216-and-PO-1219; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; https://twitter.com/MsftSecIntel/status/1651346653901725696; https://twitter.com/MsftSecIntel/status/1651346664630755334; https://news.sophos.com/en-us/2023/04/27/increased-exploitation-of-p
CISA
PaperCut MF/NG Improper Access Control Vulnerability
cisa·2023-04-21·CVSS 9.8
CVE-2023-27350 [CRITICAL] CWE-284 PaperCut MF/NG Improper Access Control Vulnerability
Vulnerability: PaperCut MF/NG Improper Access Control Vulnerability
Affected: PaperCut MF/NG
PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context of system.
Required Action: Apply updates per vendor instructions.
Notes: https://www.papercut.com/kb/Main/PO-1216-and-PO-1219; https://nvd.nist.gov/vuln/detail/CVE-2023-27350
Remediation Due Date: 2023-05-12
Suricata
ET EXPLOIT PaperCut MF/NG SetupCompleted Authentication Bypass (CVE-2023-27350)
suricata·2023-04-21·CVSS 9.8
CVE-2023-27350 [CRITICAL] ET EXPLOIT PaperCut MF/NG SetupCompleted Authentication Bypass (CVE-2023-27350)
Rule: alert http any any -> $HOME_NET any (msg:"ET EXPLOIT PaperCut MF/NG SetupCompleted Authentication Bypass (CVE-2023-27350)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"page/SetupCompleted"; fast_pattern; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; reference:cve,2023-27350; classtype:attempted-admin; sid:2045130; rev:3; metadata:created_at 2023_04_21, cve CVE_2023_27350, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, reviewed_at 2024_09_30, mitre_tactic_id TA0001, mitre_tactic
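The two detections this page describes, the Suricata rule's GET plus `page/SetupCompleted` URI match and the IOC-list rule for pc-app.exe spawning cmd.exe or powershell.exe, re-expressed as a Python triage pass over constructed access-log lines and process-creation records. This is an added example, not code from the page's sources; the access-log format, the PaperCut install path, the `maintenance.ps1` allowlist entry and the sample addresses are assumptions.

```python
import ntpath
import re
from datetime import datetime, timezone

# What the Suricata rule above keys on: an HTTP GET whose URI contains
# "page/SetupCompleted" (the unauthenticated setup page behind CVE-2023-27350).
SETUP_COMPLETED_MARKER = "page/SetupCompleted"

# Process pairing from the IOC list: the PaperCut application server
# process (pc-app.exe) spawning a shell.
PAPERCUT_SERVER_IMAGE = "pc-app.exe"
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}

# Earliest confirmed in-the-wild exploitation noted on this page, used as
# the default lower bound when scoping a log review.
EXPLOITATION_BASELINE = datetime(2023, 4, 13, tzinfo=timezone.utc)

# Apache/nginx style access-log line; the format is an assumption of this
# example, not something PaperCut itself emits.
ACCESS_LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def setup_completed_hits(lines, since=EXPLOITATION_BASELINE):
    """Return one dict per GET to page/SetupCompleted at or after `since`.

    Pass since=None to disable the date bound. A hit is evidence of a probe
    or bypass attempt, not of compromise; a 200 from an unpatched server is
    the cue to pull the PaperCut application log for the same window.
    """
    hits = []
    for line in lines:
        m = ACCESS_LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the triage
        if m["method"] != "GET" or SETUP_COMPLETED_MARKER not in m["uri"]:
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        if since is not None and ts < since:
            continue
        hits.append({"src": m["src"], "ts": ts, "uri": m["uri"],
                     "status": int(m["status"])})
    return hits


def shell_spawned_by_papercut(events, allowlist=()):
    """Flag process-creation events where pc-app.exe is the parent of a shell.

    `allowlist` holds command-line substrings belonging to known administrator
    activity; matching events are dropped, which is the tuning the IOC note
    calls for. With an empty allowlist every such spawn is flagged.
    """
    flagged = []
    for ev in events:
        parent = ntpath.basename(ev["parent_image"]).lower()
        child = ntpath.basename(ev["image"]).lower()
        if parent != PAPERCUT_SERVER_IMAGE or child not in SHELL_IMAGES:
            continue
        cmd = ev["command_line"].lower()
        if any(token.lower() in cmd for token in allowlist):
            continue
        flagged.append(ev)
    return flagged


# Constructed sample data (RFC 5737 documentation addresses; the PaperCut
# install path and the maintenance script are assumptions, not real telemetry).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Apr/2023:22:41:03 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 200 5120',
    '203.0.113.7 - - [14/Apr/2023:03:12:09 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 200 5120',
    '198.51.100.20 - - [14/Apr/2023:03:15:41 +0000] "GET /app?service=page/Login HTTP/1.1" 200 4011',
    '192.0.2.55 - - [20/Apr/2023:11:02:05 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 302 0',
    "this line is not in access-log format",
]
PC_APP = r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe"
SAMPLE_PROCESS_EVENTS = [
    {"parent_image": PC_APP, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"parent_image": PC_APP,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Scripts\maintenance.ps1"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
]

if __name__ == "__main__":
    for h in setup_completed_hits(SAMPLE_ACCESS_LOG):
        print(f"SetupCompleted GET from {h['src']} at {h['ts']:%Y-%m-%d %H:%M} -> HTTP {h['status']}")
    for ev in shell_spawned_by_papercut(SAMPLE_PROCESS_EVENTS, allowlist=("maintenance.ps1",)):
        print("pc-app.exe spawned a shell:", ev["command_line"])
```

The first sample line falls before the April 13 baseline and is dropped by default; the allowlisted maintenance script shows the false-positive tuning the IOC note asks for.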
Exploit-DB
PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE)
exploitdb·2023-05-23·CVSS 9.8
CVE-2023-27350 [CRITICAL] PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE)
---
# Exploit Title: PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE)
# Date: 13 May 2023
# Exploit Author: Mohin Paramasivam (Shad0wQu35t) and MaanVader
# Vendor Homepage: https://www.papercut.com/
# Version: 8.0 or later
# Tested on: 22.0.4
# CVE: CVE-2023-27350
import requests
import argparse
Group_payload = {
"service":"direct/1/OptionsUserSync/$OptionsUserSource.$Form",
"sp":"S0",
"Form0":"$Hidden,$Hidden$0,$Hidden$1,$PropertySelection,$Hidden$2,$Hidden$3,$Hidden$4,$Hidden$5,$Hidden$6,$Hidden$7,$Hidden$8,$Hidden$9,$Hidden$10,$Hidden$11,$Hidden$12,$Hidden$13,$Hidden$14,$TextField,$TextField$0,$RadioGroup,$Submit,$Checkbox$2,primaryCardIdLength,$Checkbox$3,secondaryCardIdLength,$Checkbox$5,$Hidden$15,$Hidden$16,$Hidden$17,$Hidd
Exploit-DB
PaperCut NG/MG 22.0.4 - Authentication Bypass
exploitdb·2023-04-25·CVSS 9.8
CVE-2023-27350 [CRITICAL] PaperCut NG/MG 22.0.4 - Authentication Bypass
---
# Exploit Title: PaperCut NG/MG 22.0.4 - Authentication Bypass
# Date: 21 April 2023
# Exploit Author: MaanVader
# Vendor Homepage: https://www.papercut.com/
# Version: 8.0 or later
# Tested on: 22.0.4
# CVE: CVE-2023-27350
import requests
from bs4 import BeautifulSoup
import re
def vuln_version():
ip = input("Enter the ip address: ")
url = "http://"+ip+":9191"+"/app?service=page/SetupCompleted"
response = requests.get(url)
soup = BeautifulSoup(response.text, 'html.parser')
text_div = soup.find('div', class_='text')
product_span = text_div.find('span', class_='product')
# Search for the first span element containing a version number
version_span = None
for span in text_div.find_all('span'):
version_match = re.match(r'^\d+\.\d+\.\d+$',
Nuclei
PaperCut - Unauthenticated Remote Code Execution
nuclei·CVSS 9.8
CVE-2023-27350 [CRITICAL] PaperCut - Unauthenticated Remote Code Execution
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.
Template:
id: CVE-2023-27350
info:
name: PaperCut - Unauthenticated Remote Code Execution
author: rootxharsh,iamnoooob,pdresearch
severity: critical
description: |
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authenticati
Metasploit
PaperCut PaperCutNG Authentication Bypass
metasploit
This module leverages an authentication bypass in PaperCut NG. If necessary it updates PaperCut configuration options, specifically the 'print-and-device.script.enabled' and 'print.script.sandboxed' options, to allow for arbitrary code execution running in the built-in RhinoJS engine. This module logs at most 2 events in the application log of PaperCut. Each event is tied to modification of server settings.
Hackernews
China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
blogs_hackernews·2026-04-07·CVSS 8.8
[HIGH] China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
## China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems.
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and
Bleepingcomputer
Microsoft links Medusa ransomware affiliate to zero-day attacks
blogs_bleepingcomputer·2026-04-06·CVSS 8.8
[HIGH] Microsoft links Medusa ransomware affiliate to zero-day attacks
## Microsoft links Medusa ransomware affiliate to zero-day attacks
## Sergiu Gatlan
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States."
Microsoft has also observed Storm-1175 operators chaining multiple exploits to gain persistence on compromised systems by creating new user accounts, deploying remote monitoring and management software, stealing credentials, and disabling security software before dropping ransomware payloads.
In October, Microsoft reported that Storm-1175 had been exploiting a maximum-severity GoAnywhere MFT
Tenable
Frequently Asked Questions About Iranian Cyber Operations
blogs_tenable·2025-06-27
Frequently Asked Questions About Iranian Cyber Operations
Qualys
Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations
blogs_qualys·2025-05-08
Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations
## Table of Contents
Who is LockBit? How it Evolved and Operates
Monero: The Coin of the Realm
Patch or Mitigate Now: Critical CVEs Exploited by LockBit
Beyond Traditional Endpoints: Other Compromised Systems
Initial Access and Deployment
Conclusion
The LockBit ransomware gang recently suffered a significant data breach. Their dark web affiliate panels were defaced with the message “Don’t do crime CRIME IS BAD xoxo from Prague,” linking to a MySQL database dump. This archive contains a SQL file from LockBit’s affiliate panel database that includes twenty tables, notably including a ‘btc_addresses’ table with 59,975 unique bitcoin addresses and a ‘chats’ table containing over 4,400 victim negotiation messages from December 2024 to the end of April 2025.
This blog post will leverage
Qualys
Qualys Achieves 100% Detection in 2024 MITRE ATT&CK Evaluation | Qualys
blogs_qualys·2024-12-11
Qualys Achieves 100% Detection in 2024 MITRE ATT&CK Evaluation | Qualys
#### Table of Contents
- From Risk Leader to EDR Powerhouse: How Qualys Evolved
- Qualys Performance: Leading the Industry
- Low False Positives: Essential for Effective EDR
- Why MITRE ATT&CK Evaluation Matters
- Qualys Endpoint Detection & Response: A Top Solution
- More Than Detection: A Comprehensive Risk Management Approach
- Advanced Ransomware Mitigation: Protecting Against Worst-Case Scenarios
- Conclusion
## From Risk Leader to EDR Powerhouse: How Qualys Evolved
In today’s rapidly evolving threat landscape, ransomware continues to dominate as one of the most significant cybersecurity challenges. To help organizations evaluate their defenses against these sophisticated threats, the MITRE ATT&CK Evaluations provide a transparent, real-world assessment of security solutions.
The
Bleepingcomputer
FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
blogs_bleepingcomputer·2024-11-12·CVSS 10.0
[CRITICAL] FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
## FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
## Sergiu Gatlan
The FBI, the NSA, and Five Eyes cybersecurity authorities have released a list of the top 15 routinely exploited vulnerabilities throughout last year, most of them first abused as zero-days.
A joint advisory published on Tuesday calls for organizations worldwide to immediately patch these security flaws and deploy patch management systems to minimize their networks' exposure to potential attacks.
"In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets," the cybersecurity agencies warned.
"In 2023, the majority of the most frequently exploited vulnerabilities
Trendmicro
Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
blogs_trendmicro·2024-02-27·CVSS 8.4
CVE-2024-1708 [HIGH] Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
Exploitation of Vulnerabilities
## Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
This blog entry gives a detailed analysis of these recent ScreenConnect vulnerabilities. We also discuss our discovery of threat actor groups, including Black Basta and Bl00dy Ransomware gangs, that are actively exploiting CVE-2024-1708 and CVE-2024-1709 based on our telemetry.
By: Ian Kenefick, Junestherry Dela Cruz, Peter Girnus, Feb 27, 2024
On February 19, 2024, ConnectWise disclosed significant vulnerabilities within its ScreenConnect software ( CVE-2024-1708 and CVE-2024-1709), which specifically targeted versions 23.9.7 and earlier. These security flaws have opened the door for malicious actors to gain unauthorized acc
Qualys
2023 Threat Landscape Year in Review: If Everything Is Critical, Nothing Is
blogs_qualys·2023-12-19
2023 Threat Landscape Year in Review: If Everything Is Critical, Nothing Is
## Table of Contents
2023 Statistics
2023 Vulnerability Threat Landscape
Top Vulnerability Types
Key Insights
Top MITRE ATT&CK Tactics & Techniques
Most Active Threats
Conclusion
As 2023 nears its end, it’s time to pause and reflect. It’s time to assess what worked and what didn’t, what caught our attention and caused disruption, and what went unnoticed. More importantly, we need to know what lessons we learned from 2023 so that we can do a better job of managing risk in the coming year. In line with this, the Qualys Threat Research Unit has prepared a comprehensive blog series to review the threat landscape in 2023.
Key Takeaways:
Less than one percent of vulnerabilities contributed to the highest risk and were routinely exploited in the wild.
97 high-risk vulnerabilities, like
Dfir Report
SQL Brute Force Leads to BlueSky Ransomware
blogs_dfir_report·2023-12-04
SQL Brute Force Leads to BlueSky Ransomware
Qualys
Top 10 Exploited Vulnerabilities in 2023: Insights from the Qualys Survey | Qualys
blogs_qualys·2023-09-26·CVSS 7.8
[HIGH] Top 10 Exploited Vulnerabilities in 2023: Insights from the Qualys Survey | Qualys
#### Table of Contents
- 7 Key Insights by the Qualys Threat Research Unit
- A Closer Look at the Top 10 Exploited Vulnerabilities of 2023
- Optimizing Risk Management with Qualys VMDR TruRiskDashboard
- Next Steps: Reduce Your Risk to the Top 10 Vulnerabilities with Qualys VMDR
- Additional Contributors:
The Qualys Threat Research Unit (TRU) has thoroughly analyzed vulnerabilities reported in 2023. Our comprehensive study assesses factors including weaponization status, existence in the CISA KEV, instances or usage of malware and ransomware, trending vulnerabilities, various scoring metrics, and recency of threats. Insights for the Top 10 vulnerabilities during 2023 are also based on evidence of exploitation, patch adoption rates, and the longevity of vulnerabilities.
## 7 Key Insights
Securelist
IT threat evolution in Q2 2023. Non-mobile statistics
blogs_securelist·2023-08-30
IT threat evolution in Q2 2023. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Geography of financial malware attacks
Ransomware programs
Quarterly trends and highlights
MOVEit Transfer vulnerabilities exploited
Attacks on municipal organizations, educational and healthcare establishments
Most prolific groups
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used by criminals during cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks on IoT
Securelist
PC malware statistics, Q2 2022
blogs_securelist·2023-08-30
PC malware statistics, Q2 2022
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Most prolific groups
- Miners
- Vulnerable applications used by criminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks on IoT honeypots
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q2 2023
- IT threat evolution in Q2 2023. Non-mobile statistics
- IT threat evolution in Q2 2023. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q2 2023:
- Kaspersky solutions blocked 801,934,281 attacks from online resources across the globe.
- A total of 209,716,810 unique links were d
Fortinet
Ransomware Roundup - Cl0p | FortiGuard Labs
blogs_fortinet·2023-07-21·CVSS 9.8
[CRITICAL] Ransomware Roundup - Cl0p | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Ransomware Roundup - Cl0p
By Shunichi Imano and James Slaughter | July 21, 2023
On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
This edition of the Ransomware Roundup covers the Cl0p ransomware.
Affected platforms: Microsoft Windows, Linux
Impacted parties: Microsoft Windows, Linux Users
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption and not to leak stolen files
Severity level: High
Recently, the Cl0p ransomware group received
Fortinet
Meet LockBit: The Most Prevalent Ransomware in 2022 | FortiGuard Labs
blogs_fortinet·2023-07-10
Meet LockBit: The Most Prevalent Ransomware in 2022 | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Meet LockBit: The Most Prevalent Ransomware in 2022
By Shunichi Imano and James Slaughter | July 10, 2023
Affected platforms: Microsoft Windows, Linux, ESXi, MacOS
Impacted parties: Microsoft Windows, Linux, ESXi, and MacOS Users
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption and not to leak stolen files
Severity level: High
On June 14th, 2023, the CISA, FBI, MS-ISAC, and multiple international cyber security organizations released a joint advisory for the LockBit ransomware. This ransomware group has been active since early 2020, targeting organizations across numerous industries, including energy and government sectors. According to the advisory, LockBit was the most active ransomware in 2022.
This blog provides
Talos
Threat Source newsletter (May 11, 2023) — So much for that ransomware decline
blogs_talos·2023-05-11
Threat Source newsletter (May 11, 2023) — So much for that ransomware decline
## Threat Source newsletter (May 11, 2023) — So much for that ransomware decline
Welcome to this week’s edition of the Threat Source newsletter.
I wrote a few weeks ago about how, between the public and private sectors, the security community was making some strides in fighting back against ransomware.
Reports indicate that revenue for ransomware actors was down in 2022, and recent disruptions to larger ransomware networks like Hive have at least forced some actors offline for now.
It seems like if you were to survey various cybersecurity researchers, thought leaders and policymakers, there is a mixed consensus on whether ransomware is still the biggest problem defenders still face today.
The White House and U.S. Department of Justice seem bullish on their efforts to shut down ransomw
Sentinelone
PaperCut Vulnerability: Unpatched Servers Exploited in the Wild
blogs_sentinelone·2023-05-04·CVSS 9.8
CVE-2023-27350 [CRITICAL] PaperCut Vulnerability: Unpatched Servers Exploited in the Wild
On March 8, 2023, PaperCut fixed two new vulnerabilities, CVE-2023-27350 and CVE-2023-27351. These problems could have allowed an attacker to take control of the PaperCut server from a remote location.
CVE-2023-27350 is a vulnerability that allows remote attackers to bypass authentication on affected installations of PaperCut NG version 8.0 or later on all OS platforms. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control.
This critical-rated vulnerability carries a severity score of 9.8 out of 10, indicating its high potential for damage if exploited.
Another vulnerability in PaperCut, CVE-2023-27351, could allow unauthorized attackers to access and extract sensitive user a
Checkpoint
1st May – Threat Intelligence Report
blogs_checkpoint·2023-05-01·CVSS 9.8
CVE-2023-27350 [CRITICAL] 1st May – Threat Intelligence Report
## 1st May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 1st May, please download our Threat Intelligence Bulletin
TOP ATTACKS AND BREACHES
A threat actor was able to generate some mail keys of American Telecom giant AT&T, and used it to take control of AT&T customers’ email addresses. Victims report that cryptocurrency accounts connected to their AT&T emails were drained, suggesting a financial motivation for the attackers.
Microsoft warns of a recent wave in exploitat
Talos
Threat Source newsletter (April 27, 2023) — New Cisco Secure offerings and extra security from Duo
blogs_talos·2023-04-27
Threat Source newsletter (April 27, 2023) — New Cisco Secure offerings and extra security from Duo
## Threat Source newsletter (April 27, 2023) — New Cisco Secure offerings and extra security from Duo
Welcome to this week’s edition of the Threat Source newsletter.
I’m writing this earlier in the week as I get ready for some personal travel (everyone is lucky I passed on writing another Cybersecurity Mock Draft), so apologies if I miss anything major that happens at RSA.
But Cisco beat everyone to the punch Monday morning anyway, making a slew of major announcements on RSA travel day. By the time you’re reading this, it’s still not too late to track down someone from our team if you want to learn more. (Read last week’s newsletter for more on that.)
Cisco Duo announced that all paid customers of its service can now use Trusted Endpoints to block access from unknown devices.
Duo is
Trendmicro
Update Now PaperCut Vulnerability CVE-2023-27350 Under Active Exploitation
blogs_trendmicro·2023-04-26·CVSS 9.8
CVE-2023-27350 [CRITICAL] Update Now PaperCut Vulnerability CVE-2023-27350 Under Active Exploitation
Vulnerability Exploitation
## Update Now: PaperCut Vulnerability CVE-2023-27350 Under Active Exploitation
Two vulnerabilities in PaperCut have been found, and one of them is being actively exploited in the wild. This blog entry provides a summary of the vulnerabilities, and includes security guidance for IT and SOC professionals.
By: Trend Micro, Apr 26, 2023
Updated on April 27, 2023 10:40 p.m. EDT: We updated the entry to include information on the discovery of LockBit as the malicious payload and add Trend Micro Cloud One™ solutions.
Updated on April 26, 2023, 4:12 a.m. EDT where we added details on an observed instance through Trend Micro Managed XDR where we believe the vulnerabilities detailed in this blog were abused by threat actors. We also a
Huntress
Critical Vulnerabilities in PaperCut Print Management Software | Huntress
blogs_huntress·2023-04-21·CVSS 9.8
[CRITICAL] Critical Vulnerabilities in PaperCut Print Management Software | Huntress
Our team is tracking in-the-wild exploitation of zero-day vulnerabilities against PaperCut MF/NG which allow for unauthenticated remote code execution due to an authentication bypass.
UPDATE #1 - 4/25/23 @ 11am ET: Added information about additional exploitation seen against Papercut MF/NG Server where a crypto-miner was deployed.
Huntress has observed post-exploitation activities within our partner environments following the exploitation of recent PaperCut MF/NG vulnerabilities. On April 19th, PaperCut reported active in the wild exploitation against vulnerable versions 8.0 and above, and prior to 20.1.7, 21.2.11, or 22.0.9.
These threats have been tagged by the Zero Day Initiative as ZDI-CAN-19226 (CVE-2023-27351) and ZDI-CAN-18987 (CVE-2023-27350).
In our protected environme
Greynoiseio
New Vulnerability: PaperCut MF/NG
blogs_greynoiseio·CVSS 9.8
[CRITICAL] New Vulnerability: PaperCut MF/NG
Greynoiseio
Decoding Mass Exploitation in 2023: A GreyNoise Perspective| GreyNoise Blog
blogs_greynoiseio
Decoding Mass Exploitation in 2023: A GreyNoise Perspective| GreyNoise Blog
Greynoiseio
GreyNoise Round Up: Product Updates
blogs_greynoiseio
GreyNoise Round Up: Product Updates
Greynoiseio
The Third Day Of Tagsmas (2023): Papercut MF/NG Authentication Bypass (CVE-2023-27350)
blogs_greynoiseio·CVSS 9.8
[CRITICAL] The Third Day Of Tagsmas (2023): Papercut MF/NG Authentication Bypass (CVE-2023-27350)
References
http://packetstormsecurity.com/files/171982/PaperCut-MF-NG-Authentication-Bypass-Remote-Code-Execution.html
http://packetstormsecurity.com/files/172022/PaperCut-NG-MG-22.0.4-Authentication-Bypass.html
http://packetstormsecurity.com/files/172512/PaperCut-NG-MG-22.0.4-Remote-Code-Execution.html
http://packetstormsecurity.com/files/172780/PaperCut-PaperCutNG-Authentication-Bypass.html
https://news.sophos.com/en-us/2023/04/27/increased-exploitation-of-papercut-drawing-blood-around-the-internet/
https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
https://www.zerodayinitiative.com/advisories/ZDI-23-233/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-27350
2023-04-20: Published
2023-04-21: Added to CISA KEV
Exploited in the wild