Skip to main content

PaperCut NG/MF CVE-2023-27351

HIGH
Improper Authentication (CWE-287)
2023-04-20 zdi-disclosures@trendmicro.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Added to CISA KEV
Apr 20, 2026 - 20:46 CISA

DescriptionCVE.org

This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226.

AnalysisAI

Authentication bypass in PaperCut NG and PaperCut MF print management software allows unauthenticated remote attackers to access protected functionality by exploiting flawed logic in the SecurityRequestFilter class. The flaw is confirmed actively exploited (CISA KEV) and has publicly available exploit code, with an EPSS score of 44.63% (98th percentile) indicating very high exploitation likelihood. It is commonly chained with administrative scripting features to achieve remote code execution on exposed PaperCut servers.

Technical ContextAI

PaperCut NG and PaperCut MF are widely deployed print management server applications used by enterprises, universities, and government agencies to track and control printing. The vulnerability falls under CWE-287 (Improper Authentication) and resides specifically in the SecurityRequestFilter Java class, which is responsible for validating session state on incoming HTTP requests to the PaperCut administrative web interface. Due to an improper implementation of the authentication algorithm, the filter can be tricked into treating a request as already authenticated, granting access to administrator-only functionality without valid credentials. The affected CPEs cover multiple version ranges of both papercut_ng and papercut_mf product lines, with PaperCut NG 22.0.5 (Build 63914) explicitly named in the original disclosure (ZDI-CAN-19226).

RemediationAI

Vendor-released patch: upgrade PaperCut MF/NG to version 20.1.7, 21.2.11, 22.0.9, or later according to your installed major release branch, per the PaperCut security bulletin. If immediate patching is not possible, restrict network access to the PaperCut server administrative interface (default TCP port 9191/HTTPS 9192) to a trusted management subnet via firewall or reverse proxy ACL - this blocks the bypass at the network layer but breaks remote administration. Additionally, enable 'Allow list of IP addresses' under Options > Advanced > Security to limit administrator UI access to known management hosts, which has minimal user-facing impact but does not protect against attackers on those same subnets. Monitor for indicators of compromise published in the PaperCut advisory and CISA alerts, including unexpected use of the Scripting interface or new admin-created users.

Share

CVE-2023-27351 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy