Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local low-priv attacker (AV:L/PR:L); AC:H because a writable search-path directory must already exist; UI:R for the updater invocation; full CIA impact as SYSTEM.
Primary rating from Vendor (eb41dac7-0af8-4f84-9f6d-0272772514f4).
CVSS VectorVendor: eb41dac7-0af8-4f84-9f6d-0272772514f4
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
An insecure process execution vulnerability exists in the pc-printer-updater.exe component of the PaperCut Print Deploy Client for Windows. The application, which typically operates with high-level system privileges, attempts to perform an internal validation check by invoking a secondary system utility using an unqualified file reference.
Because the application does not specify an absolute path to this utility, it relies on the operating system's default search order to locate the executable. Under specific conditions, a local attacker with the ability to modify directories within the system's search path could plant a malicious binary that mimics the expected utility. This could result in the malicious code being executed with SYSTEM privileges, leading to a full compromise of the affected host.
AnalysisAI
Local privilege escalation to SYSTEM in the PaperCut Print Deploy Client for Windows allows a low-privileged user to hijack execution flow of pc-printer-updater.exe by planting a malicious binary in a directory on the Windows search path. The flaw is a classic uncontrolled search path element (CWE-427) in a SYSTEM-level helper, and no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must (1) already have local interactive or code-execution access on a Windows endpoint with PaperCut Print Deploy Client installed (PR:L), (2) possess write permission to at least one directory that Windows resolves before the legitimate utility's true location in the search order - typical candidates are misconfigured application install folders, custom PATH entries, or the current working directory of the updater process, and (3) cause or wait for pc-printer-updater.exe to perform its internal validation invocation, which corresponds to the CVSS UI:P (user interaction) and AT:P (attack requirements) metrics. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate-to-high on hosts where PaperCut Print Deploy Client is deployed, but limited by clear preconditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A standard domain user on a workstation where PaperCut Print Deploy Client is installed identifies a directory on the Windows search path that grants them write access (for example a misconfigured application directory or a writable entry in the system PATH). They drop a malicious executable named identically to the utility that pc-printer-updater.exe invokes, then either wait for or induce a printer deployment refresh; when the updater fires its validation step the planted binary is launched under the SYSTEM account, giving the attacker full control of the host. … |
| Remediation | Patch available per vendor advisory - upgrade the PaperCut Print Deploy Client to the fixed build listed in the PaperCut NG/MF June 2026 security bulletin (https://www.papercut.com/kb/Main/papercut-ng-mf-security-bulletin-june-2026/); the exact fix version is not reproduced in the NVD record and should be taken from that bulletin. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit systems running PaperCut Print Deploy Client for Windows and identify scope of affected endpoints; document current PaperCut version deployed. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-427 – Uncontrolled Search Path Element
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38209
GHSA-7rjc-r662-4qm8