CVE-2023-39143
published 2023-08-04


Priority P192 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 78.70% (99.5th percentile)

PaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or delete arbitrary files. This leads to remote code execution when external device integration is enabled (a very common configuration).

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| papercut | papercut_mf | < 22.1.3 | 22.1.3 |
| papercut | papercut_ng | < 22.1.3 | 22.1.3 |

Detection & IOCs (extracted from sources)

url
/custom-report-example/..\..\..\deployment\sharp\icons\home-app.png
path
/custom-report-example/
bytes
2e 2e 5c
bytes
2e 2e 5c 2e 2e 5c 2e 2e 5c
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PaperCut NG/MF Possible Directory Traversal/File Upload Exploit Attempt (CVE-2023-39143)"; flow:established,to_server; http.uri.raw; content:"/custom-report-example/"; fast_pattern; startswith; content:"|2e 2e 5c|"; distance:0; threshold:type limit, count 1, seconds 300, track by_src; reference:url,www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/; reference:cve,2023-39143; classtype:attempted-admin; sid:2047631; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2023_08_11, cve CVE_2023_39143, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, reviewed_at 2024_10_01, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PaperCut NG/MF Directory Traversal/File Upload Vulnerability Check (CVE-2023-39143)"; flow:established,to_server; http.uri.raw; content:"/custom-report-example/"; startswith; content:"|2e 2e 5c 2e 2e 5c 2e 2e 5c|deployment|5c|sharp|5c|icons|5c|home|2d|app|2e|png"; fast_pattern; distance:0; threshold:type limit, count 1, seconds 300, track by_src; reference:url,www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/; reference:cve,2023-39143; classtype:attempted-admin; sid:2047632; rev:3;)
nuclei
id: CVE-2023-39143
info:
  name: PaperCut < 22.1.3 - Path Traversal
  author: pdteam
  severity: critical
http:
- method: GET
  path:
  - "{{BaseURL}}/custom-report-example/..\\..\\..\\deployment\\sharp\\icons\\home-app.png"
  matchers:
  - type: dsl
    dsl:
    - content_length == 1655
    - status_code == 200
    - contains(to_lower(content_type), "image/png")
    - contains(hex_encode(body), "89504e470d0a1a0a")
    condition: and

• Exploit requests use backslash-encoded path traversal sequences (..\) within the /custom-report-example/ URI path to escape the web root; monitor HTTP URI raw content for this pattern.
• Vulnerability check/PoC probe specifically requests the path /custom-report-example/..\..\..\deployment\sharp\icons\home-app.png and expects a 1655-byte PNG response (HTTP 200); alert on this exact URI pattern.
• Shodan/FOFA fingerprinting queries for PaperCut servers use HTML content matching 'content="PaperCut"' or 'papercut' in the body; use these to identify exposed attack surface.
• RCE is only achievable when external device integration is enabled; prioritize detection/response for PaperCut servers with 'Enable external hardware integration' turned on.
• Exploitation is unauthenticated; no session or credential artifacts will precede the traversal request in logs, so look purely for the malformed URI pattern in web server access logs.
• The path traversal technique uses Windows-style backslash separators (\); the vulnerability and the Snort/Nuclei signatures are Windows-specific and do not apply to Linux/macOS PaperCut deployments.
• The official patch (version 22.1.3) is only available for PaperCut version 22 and onwards; older major versions remain permanently unpatched and require network-level mitigations.
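
The access-log check described in the notes above, as an added example (not code from this page or from PaperCut). It assumes Common Log Format lines; the names `classify`, `scan` and `SAMPLE_LOG` and the sample lines are constructed. It goes beyond the listed signatures, which match raw backslash bytes, by also decoding percent-encoded forms such as `%5c`.

```python
import re
from urllib.parse import unquote

PREFIX = "/custom-report-example/"
PROBE_TAIL = r"..\..\..\deployment\sharp\icons\home-app.png"
# Assumed layout: Common Log Format (src ... "METHOD URI HTTP/x" status size).
LINE_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

def classify(uri):
    """Return 'probe', 'traversal' or None for one request URI."""
    path = uri.split("?", 1)[0]
    for _ in range(3):              # undo %5c and nested %255c encoding, bounded
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if not path.lower().startswith(PREFIX):   # looser than the rules: ignores case
        return None
    tail = path[len(PREFIX):]
    if "..\\" not in tail:                    # bytes 2e 2e 5c after the prefix
        return None
    return "probe" if tail.lower() == PROBE_TAIL else "traversal"

def scan(lines):
    """Return one finding per log line that matches the traversal pattern."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        kind = classify(m["uri"]) if m else None
        if kind is None:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        findings.append({
            "src": m["src"], "kind": kind, "uri": m["uri"],
            # A successful check returns HTTP 200 with the 1655-byte PNG.
            "probe_succeeded": kind == "probe" and m["status"] == "200" and size == 1655,
        })
    return findings

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = r'''
203.0.113.7 - - [11/Aug/2023:10:01:02 +0000] "GET /custom-report-example/..\..\..\deployment\sharp\icons\home-app.png HTTP/1.1" 200 1655
203.0.113.7 - - [11/Aug/2023:10:01:09 +0000] "GET /custom-report-example/..%5c..%5c..%5cdeployment%5csharp%5cicons%5chome-app.png HTTP/1.1" 404 -
203.0.113.9 - - [11/Aug/2023:10:01:30 +0000] "GET /custom-report-example/..\constructed-name.txt HTTP/1.1" 404 0
198.51.100.4 - - [11/Aug/2023:10:02:00 +0000] "GET /custom-report-example/report.csv HTTP/1.1" 200 512
198.51.100.4 - - [11/Aug/2023:10:02:05 +0000] "GET /index.html HTTP/1.1" 200 4096
'''.strip().splitlines()
```

A finding with `probe_succeeded` set means the server answered the version check as an unpatched Windows install would, so that host should be prioritized for patching to 22.1.3.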

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL