PaperCut NG/MF CVE-2023-27351
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226.
AnalysisAI
Authentication bypass in PaperCut NG and PaperCut MF print management software allows unauthenticated remote attackers to access protected functionality by exploiting flawed logic in the SecurityRequestFilter class. The flaw is confirmed actively exploited (CISA KEV) and has publicly available exploit code, with an EPSS score of 44.63% (98th percentile) indicating very high exploitation likelihood. It is commonly chained with administrative scripting features to achieve remote code execution on exposed PaperCut servers.
Technical ContextAI
PaperCut NG and PaperCut MF are widely deployed print management server applications used by enterprises, universities, and government agencies to track and control printing. The vulnerability falls under CWE-287 (Improper Authentication) and resides specifically in the SecurityRequestFilter Java class, which is responsible for validating session state on incoming HTTP requests to the PaperCut administrative web interface. Due to an improper implementation of the authentication algorithm, the filter can be tricked into treating a request as already authenticated, granting access to administrator-only functionality without valid credentials. The affected CPEs cover multiple version ranges of both papercut_ng and papercut_mf product lines, with PaperCut NG 22.0.5 (Build 63914) explicitly named in the original disclosure (ZDI-CAN-19226).
RemediationAI
Vendor-released patch: upgrade PaperCut MF/NG to version 20.1.7, 21.2.11, 22.0.9, or later according to your installed major release branch, per the PaperCut security bulletin. If immediate patching is not possible, restrict network access to the PaperCut server administrative interface (default TCP port 9191/HTTPS 9192) to a trusted management subnet via firewall or reverse proxy ACL - this blocks the bypass at the network layer but breaks remote administration. Additionally, enable 'Allow list of IP addresses' under Options > Advanced > Security to limit administrator UI access to known management hosts, which has minimal user-facing impact but does not protect against attackers on those same subnets. Monitor for indicators of compromise published in the PaperCut advisory and CISA alerts, including unexpected use of the Scripting interface or new admin-created users.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today