Skip to main content

PaperCut Print Deploy CVE-2026-6645

| EUVDEUVD-2026-38209 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-06-22 eb41dac7-0af8-4f84-9f6d-0272772514f4 GHSA-7rjc-r662-4qm8
7.3
CVSS 4.0 · Vendor: eb41dac7-0af8-4f84-9f6d-0272772514f4
Share

Severity by source

Vendor (eb41dac7-0af8-4f84-9f6d-0272772514f4) PRIMARY
7.3 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.7 MEDIUM

Local low-priv attacker (AV:L/PR:L); AC:H because a writable search-path directory must already exist; UI:R for the updater invocation; full CIA impact as SYSTEM.

3.1 AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (eb41dac7-0af8-4f84-9f6d-0272772514f4).

CVSS VectorVendor: eb41dac7-0af8-4f84-9f6d-0272772514f4

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
Jun 22, 2026 - 06:16 EUVD
Analysis Generated
Jun 22, 2026 - 06:12 vuln.today
CVE Published
Jun 22, 2026 - 04:17 cve.org
HIGH 7.3

DescriptionCVE.org

An insecure process execution vulnerability exists in the pc-printer-updater.exe component of the PaperCut Print Deploy Client for Windows. The application, which typically operates with high-level system privileges, attempts to perform an internal validation check by invoking a secondary system utility using an unqualified file reference.

Because the application does not specify an absolute path to this utility, it relies on the operating system's default search order to locate the executable. Under specific conditions, a local attacker with the ability to modify directories within the system's search path could plant a malicious binary that mimics the expected utility. This could result in the malicious code being executed with SYSTEM privileges, leading to a full compromise of the affected host.

AnalysisAI

Local privilege escalation to SYSTEM in the PaperCut Print Deploy Client for Windows allows a low-privileged user to hijack execution flow of pc-printer-updater.exe by planting a malicious binary in a directory on the Windows search path. The flaw is a classic uncontrolled search path element (CWE-427) in a SYSTEM-level helper, and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-priv local shell
Delivery
Identify writable search-path directory
Exploit
Plant malicious binary matching utility name
Execution
Trigger pc-printer-updater.exe validation
Persist
Malicious binary loaded as SYSTEM
Impact
Full host compromise

Vulnerability AssessmentAI

Exploitation Attacker must (1) already have local interactive or code-execution access on a Windows endpoint with PaperCut Print Deploy Client installed (PR:L), (2) possess write permission to at least one directory that Windows resolves before the legitimate utility's true location in the search order - typical candidates are misconfigured application install folders, custom PATH entries, or the current working directory of the updater process, and (3) cause or wait for pc-printer-updater.exe to perform its internal validation invocation, which corresponds to the CVSS UI:P (user interaction) and AT:P (attack requirements) metrics. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate-to-high on hosts where PaperCut Print Deploy Client is deployed, but limited by clear preconditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A standard domain user on a workstation where PaperCut Print Deploy Client is installed identifies a directory on the Windows search path that grants them write access (for example a misconfigured application directory or a writable entry in the system PATH). They drop a malicious executable named identically to the utility that pc-printer-updater.exe invokes, then either wait for or induce a printer deployment refresh; when the updater fires its validation step the planted binary is launched under the SYSTEM account, giving the attacker full control of the host. …
Remediation Patch available per vendor advisory - upgrade the PaperCut Print Deploy Client to the fixed build listed in the PaperCut NG/MF June 2026 security bulletin (https://www.papercut.com/kb/Main/papercut-ng-mf-security-bulletin-june-2026/); the exact fix version is not reproduced in the NVD record and should be taken from that bulletin. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit systems running PaperCut Print Deploy Client for Windows and identify scope of affected endpoints; document current PaperCut version deployed. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-6645 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy