CVE-2023-27350
published 2023-04-20


Priority: P1 · 100 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, due 2023-05-12
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.

Affected

7 ranges

Vendor    Product      Version range          Fixed in
papercut  ng
papercut  papercut_mf  >= 21.0.0 < 21.2.11    21.2.11
papercut  papercut_mf  >= 22.0.0 < 22.0.9     22.0.9
papercut  papercut_mf  >= 8.0 < 20.1.7        20.1.7
papercut  papercut_ng  >= 21.0.0 < 21.2.11    21.2.11
papercut  papercut_ng  >= 22.0.0 < 22.0.9     22.0.9
papercut  papercut_ng  >= 8.0 < 20.1.7        20.1.7

Detection & IOCs (extracted from sources)

filename: pc-app.exe
filename: enc.exe
port: 9191
process: netsh.exe
  • GreyNoise tag 'PaperCut RCE Attempt' identifies IPs actively attempting to exploit CVE-2023-27350; tag 'PaperCut Authentication Bypass Check' identifies IPs scanning for the vulnerability.
  • The earliest confirmed exploitation activity in the wild dates to April 13–14, 2023; use this as a baseline for log review scope when investigating potential compromises.
  • The malicious payload was hosted on a temporary file-sharing site that auto-deletes uploads after 60 minutes, making payload retrieval and hash verification time-sensitive during incident response.
  • The YARA/process-creation rule for pc-app.exe spawning cmd.exe or powershell.exe may produce false positives due to legitimate administrator activity; tune accordingly.
  • CVE-2023-27350 affects PaperCut MF/NG version 8.0 or later on all OS platforms; both Application Servers and Site Servers are in scope.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck           9.8    CRITICAL
cisa                9.8    CRITICAL