CVE-2023-39143
Published 2023-08-04
Priority: P192 · critical · 9.8 (CVSS 3.1)
AV:N · AC:L · PR:N · UI:N · S:U · C:H · I:H · A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 78.70% (99.5th percentile)
PaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or delete arbitrary files. This leads to remote code execution when external device integration is enabled (a very common configuration).
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| papercut | papercut_mf | < 22.1.3 | 22.1.3 |
| papercut | papercut_ng | < 22.1.3 | 22.1.3 |
Detection & IOCs (extracted from sources)
path: /custom-report-example/
bytes: 2e 2e 5c
bytes: 2e 2e 5c 2e 2e 5c 2e 2e 5c
snort
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PaperCut NG/MF Possible Directory Traversal/File Upload Exploit Attempt (CVE-2023-39143)"; flow:established,to_server; http.uri.raw; content:"/custom-report-example/"; fast_pattern; startswith; content:"|2e 2e 5c|"; distance:0; threshold:type limit, count 1, seconds 300, track by_src; reference:url,www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/; reference:cve,2023-39143; classtype:attempted-admin; sid:2047631; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2023_08_11, cve CVE_2023_39143, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, reviewed_at 2024_10_01, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
```
snort
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PaperCut NG/MF Directory Traversal/File Upload Vulnerability Check (CVE-2023-39143)"; flow:established,to_server; http.uri.raw; content:"/custom-report-example/"; startswith; content:"|2e 2e 5c 2e 2e 5c 2e 2e 5c|deployment|5c|sharp|5c|icons|5c|home|2d|app|2e|png"; fast_pattern; distance:0; threshold:type limit, count 1, seconds 300, track by_src; reference:url,www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/; reference:cve,2023-39143; classtype:attempted-admin; sid:2047632; rev:3;)
```
nuclei
```yaml
id: CVE-2023-39143
info:
  name: PaperCut < 22.1.3 - Path Traversal
  author: pdteam
  severity: critical
http:
  - method: GET
    path:
      - "{{BaseURL}}/custom-report-example/..\\..\\..\\deployment\\sharp\\icons\\home-app.png"
    matchers:
      - type: dsl
        dsl:
          - content_length == 1655
          - status_code == 200
          - contains(to_lower(content_type), "image/png")
          - contains(hex_encode(body), "89504e470d0a1a0a")
        condition: and
```
- Exploit requests use backslash-based path traversal sequences (`..\`) within the `/custom-report-example/` URI path to escape the web root; monitor raw HTTP URI content for this pattern.
- The vulnerability check/PoC probe specifically requests the path `/custom-report-example/..\..\..\deployment\sharp\icons\home-app.png` and expects a 1655-byte PNG response (HTTP 200); alert on this exact URI pattern.
- Shodan/FOFA fingerprinting queries for PaperCut servers use HTML content matching 'content="PaperCut"' or 'papercut' in the body; use these to identify exposed attack surface.
- RCE is only achievable when external device integration is enabled; prioritize detection/response for PaperCut servers with 'Enable external hardware integration' turned on.
- Exploitation is unauthenticated; no session or credential artifacts will precede the traversal request in logs, so look purely for the malformed URI pattern in web server access logs.
- The path traversal technique uses Windows-style backslash separators (`\`); the vulnerability and the Snort/Nuclei signatures are Windows-specific and do not apply to Linux/macOS PaperCut deployments.
- The official patch (version 22.1.3) is only available for PaperCut version 22 and onwards; older major versions remain permanently unpatched and require network-level mitigations.
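The access-log hunt described in the notes above, as an added example (not code from this page or from any of the cited sources). It goes slightly beyond the signatures by percent-decoding the URI before matching, so `%5c` is treated like a literal backslash. The Common Log Format layout and the sample lines are constructed assumptions; adapt the regex to your proxy or server log format.

```python
import re
from urllib.parse import unquote

PREFIX = "/custom-report-example/"      # URI prefix named in the signatures
TRAVERSAL = "..\\"                      # bytes 2e 2e 5c
PROBE = "..\\..\\..\\deployment\\sharp\\icons\\home-app.png"  # vuln-check path

# Assumed log layout (Common Log Format): src ... "METHOD URI PROTO" status size
REQ_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')

def normalise(uri, max_rounds=3):
    """Percent-decode repeatedly so %5c and %255c both become a backslash."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def classify(line):
    """Return a finding dict for a traversal request, else None."""
    m = REQ_RE.match(line)
    if not m:
        return None
    path = normalise(m["uri"].split("?", 1)[0])
    if not path.lower().startswith(PREFIX):   # Windows paths: compare case-insensitively
        return None
    rest = path[len(PREFIX):]
    if TRAVERSAL not in rest:
        return None
    kind = "vuln-check" if rest.lower() == PROBE else "traversal"
    # The check expects HTTP 200 with a 1655-byte PNG: that host served the file.
    served = m["status"] == "200" and m["size"] == "1655"
    return {"src": m["src"], "method": m["method"], "kind": kind,
            "probe_succeeded": kind == "vuln-check" and served}

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation IP ranges, placeholder file name).
SAMPLE_LOG = [
    r'192.0.2.10 - - [05/Aug/2023:10:00:01 +0000] "GET /custom-report-example/..\..\..\deployment\sharp\icons\home-app.png HTTP/1.1" 200 1655',
    r'198.51.100.7 - - [05/Aug/2023:10:02:13 +0000] "GET /custom-report-example/..%5c..%5cplaceholder.txt HTTP/1.1" 404 0',
    r'192.0.2.44 - - [05/Aug/2023:10:03:40 +0000] "GET /custom-report-example/report.csv HTTP/1.1" 200 5120',
    r'192.0.2.44 - - [05/Aug/2023:10:04:02 +0000] "GET /app?service=page/Home HTTP/1.1" 200 8841',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A `probe_succeeded` hit means the server answered the vulnerability check as an unpatched Windows host would, so that server should be prioritised for patching and review.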
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-mm5w-gqw5-m4qx: PaperCut NG and PaperCut MF before 22
ghsa_unreviewed·2023-08-04
CVE-2023-39143 [CRITICAL] CWE-22 GHSA-mm5w-gqw5-m4qx: PaperCut NG and PaperCut MF before 22
PaperCut NG and PaperCut MF before 22.1.3 are vulnerable to path traversal which enables attackers to read, delete, and upload arbitrary files.
VulnCheck
PaperCut papercut_mf Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2023·CVSS 9.8
PaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or delete arbitrary files. This leads to remote code execution when external device integration is enabled (a very common configuration).
Affected: PaperCut papercut_mf
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2023-39143&date=2025-10-17; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2023-39143&date=2025-10-18; https://api.vulncheck.com/v3/index/vulncheck-canaries?c
Suricata
ET WEB_SPECIFIC_APPS PaperCut NG/MF Possible Directory Traversal/File Upload Exploit Attempt (CVE-2023-39143)
suricata·2023-08-11·CVSS 9.8
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PaperCut NG/MF Possible Directory Traversal/File Upload Exploit Attempt (CVE-2023-39143)"; flow:established,to_server; http.uri.raw; content:"/custom-report-example/"; fast_pattern; startswith; content:"|2e 2e 5c|"; distance:0; threshold:type limit, count 1, seconds 300, track by_src; reference:url,www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/; reference:cve,2023-39143; classtype:attempted-admin; sid:2047631; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2023_08_11, cve CVE_2023_39143, deployment Perimeter, deployment Internal, deploy
Suricata
ET WEB_SPECIFIC_APPS PaperCut NG/MF Directory Traversal/File Upload Vulnerability Check (CVE-2023-39143)
suricata·2023-08-11·CVSS 9.8
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PaperCut NG/MF Directory Traversal/File Upload Vulnerability Check (CVE-2023-39143)"; flow:established,to_server; http.uri.raw; content:"/custom-report-example/"; startswith; content:"|2e 2e 5c 2e 2e 5c 2e 2e 5c|deployment|5c|sharp|5c|icons|5c|home|2d|app|2e|png"; fast_pattern; distance:0; threshold:type limit, count 1, seconds 300, track by_src; reference:url,www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/; reference:cve,2023-39143; classtype:attempted-admin; sid:2047632; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2023_08_11, cve CVE_202
Nuclei
PaperCut < 22.1.3 - Path Traversal
nuclei·CVSS 9.8
PaperCut NG and PaperCut MF before 22.1.3 are vulnerable to path traversal which enables attackers to read, delete, and upload arbitrary files.
Template:
```yaml
id: CVE-2023-39143
info:
  name: PaperCut < 22.1.3 - Path Traversal
  author: pdteam
  severity: critical
  description: PaperCut NG and PaperCut MF before 22.1.3 are vulnerable to path traversal which enables attackers to read, delete, and upload arbitrary files.
  impact: |
    An attacker can exploit this vulnerability to access sensitive files, potentially leading to unauthorized disclosure of information or remote code execution.
  remediation: |
    Upgrade PaperCut to version 22.1.3 or later to mitigate the vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-39143
    - https://www.horizon3.ai/cve-2
```
Checkpoint
7th August – Threat Intelligence Report
blogs_checkpoint·2023-08-07
CVE-2023-4050 7th August – Threat Intelligence Report
## 7th August – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 7th August, please download our Threat_Intelligence Bulletin
TOP ATTACKS AND BREACHES
Prospect Medical Holdings, a major healthcare services provider that operates 16 hospitals and 166 outpatient clinics and centers in the US, suffered a significant ransomware attack. The attack has disrupted the company’s operations in at least three states, and forced hospitals to divert patients to other facilities. No ransom
Huntress
Another PaperCut: CVE-2023-39143 Remote Code Execution | Huntress
blogs_huntress·2023-08-05·CVSS 9.8
On August 5, Huntress was made aware of the recently uncovered vulnerability tracked as CVE-2023-39143. For overall statistics, in our partner base we have over 1,000 vulnerable servers across 812 different companies. We have begun outreach efforts to all of our partners.
Our researchers are currently looking into the vulnerability so we can provide a deeper technical analysis and ideas for potential detection of exploits against the vulnerable versions. We will provide further updates to this blog and our Reddit post as we gather more information. In the meantime, here are some details to hopefully help you get started with patching and mitigation.
## Vulnerable Versions
As of now, any Windows Papercut MF or NG server below version 22.1.3 is affected. Please follow the patch guidance
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
Featured
About this new report
Every enterprise firewall processes traffic from residential IP space. T
arXiv
Investigating the Temporal Dynamics of Cyber Threat Intelligence
arxiv_fulltext·2024-12-26
Angel Kodituwakku, Clark Xu, Daniel Rogers, and David K. Ahn
Centripetal Networks, Reston, VA, USA
Errin W. Fulp
Department of Computer Science, Wake Forest University, Winston-Salem, NC, USA
## Abstract
Indicators of Compromise (IoCs) play a crucial role in the rapid detection and mitigation of cyber threats. However, the existing body of literature lacks in-depth analytical studies on the temporal aspects of IoC publication, especially when considering up-to-date datasets related to Common Vulnerabilities and Exposures (CVEs). This paper addresses this gap by conducting an analysis of the timeliness and comprehensiveness of Cyber Threat Intelligence (CTI) pertaining to several
https://www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/
https://www.papercut.com/kb/Main/securitybulletinjuly2023/