cbcvebase.
CVE-2023-27351
published 2023-04-20

CVE-2023-27351: This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not…

PriorityP193high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
KEVITWEXPLOITRansomware
CISA Known Exploited Vulnerabilitydue 2026-05-04
Exploited in the wild
EPSS
78.42%
99.5th percentile
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226.

Affected

10 ranges
VendorProductVersion rangeFixed in
djangoprojectdjango>= 3.2 < 3.2.253.2.25
djangoprojectdjango>= 4.2 < 4.2.114.2.11
djangoprojectdjango>= 5.0 < 5.0.35.0.3
papercutng
papercutpapercut_mf>= 15.0 < 20.1.720.1.7
papercutpapercut_mf>= 21.0.0 < 21.2.1121.2.11
papercutpapercut_mf>= 22.0.0 < 22.0.922.0.9
papercutpapercut_ng>= 15.0 < 20.1.720.1.7
papercutpapercut_ng>= 21.0.0 < 21.2.1121.2.11
papercutpapercut_ng>= 22.0.0 < 22.0.922.0.9

Detection & IOCsextracted from sources · hover to see the quote

port9191
processpc-app.exe
filenameenc.exe
otherRansom.Win32.LOCKBIT.SMYXCJN
snort
Rule 4836: CVE-2023-27351 - PaperCut MF/NG Authentication Bypass Exploit - HTTP (REQUEST)
  • The flaw exists within the SecurityRequestFilter class — monitor HTTP requests targeting PaperCut's authentication filter path for unauthenticated access attempts.
  • CVE-2023-27351 exploitation can result in exfiltration of usernames, full names, email addresses, office/department info, payment card numbers, and hashed passwords from internal PaperCut accounts — monitor for bulk user data access.
  • Apply Trend Micro Deep Security/Workload Security IPS Rule 1011732 to detect CVE-2023-27351 exploitation attempts.
  • Apply Trend Micro TippingPoint/Cloud One Network Security filter 42258 to detect CVE-2023-27351 (ZDI-23-232) exploitation over HTTP.
  • ·CVE-2023-27351 only affects PaperCut MF or PaperCut NG version 15.0 or later; versions below 15.0 are not affected by this specific vulnerability.
  • ·As of the Trend Micro report date, there was no evidence of CVE-2023-27351 being exploited in the wild — active exploitation was only confirmed for CVE-2023-27350.
  • ·Process-spawn detection (pc-app.exe spawning cmd.exe/powershell.exe) may produce false positives due to expected legitimate admin activity; unusual patterns or frequencies should prompt further investigation.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv3.08.2HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
ghsa7.5HIGH
vulncheck7.5HIGH
cisa7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.