Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
An issue was discovered in the PaperCut Hive Ricoh embedded application. When the "Deep Logging" (diagnostic) mode is enabled, the application inadvertently records administrative credentials in plain text within the log files.
An attacker with administrative access to the PaperCut Hive management portal could remotely enable deep logging and subsequently retrieve sensitive device passwords from the logs after an authorized user authenticates at the device. This exposure allows for the lateral movement or unauthorized configuration of the physical print hardware.
AnalysisAI
PaperCut Hive Ricoh embedded application logs administrative credentials in plain text when Deep Logging diagnostic mode is enabled, allowing authenticated administrators to remotely activate logging and extract device passwords after user authentication. This credential exposure enables lateral movement within the print infrastructure and unauthorized device reconfiguration, affecting organizations that depend on Hive for centralized print management.
Technical ContextAI
PaperCut Hive is a print management platform that integrates with Ricoh multifunction devices to provide centralized control and monitoring. The vulnerability stems from inadequate credential handling in the application's diagnostic logging subsystem (CWE-532: Insertion of Sensitive Information into Log File). When Deep Logging is enabled, the application captures administrative credentials-including device passwords used for authentication-in plaintext within accessible log files. This logging occurs at the Ricoh embedded application layer, which runs on the device itself and is accessible through the PaperCut Hive management portal. The vulnerability is specific to the Hive platform's integration with Ricoh hardware and affects the diagnostic infrastructure rather than core authentication mechanisms.
RemediationAI
Primary remediation is to apply the vendor-released security patch from PaperCut (exact patched version number not independently confirmed from available data; consult https://www.papercut.com/kb/Main/papercut-ng-mf-and-papercut-hive-security-bulletin-may-2026/ for release details). Until patching is possible, disable Deep Logging diagnostic mode across all Hive deployments unless actively troubleshooting - this eliminates the logging vector that captures credentials. Restrict administrative access to the PaperCut Hive management portal using role-based access control (RBAC), limiting portal administrators to personnel with demonstrated need; this reduces the pool of users capable of enabling Deep Logging. Implement audit logging and alerting on Deep Logging activation events to detect unauthorized diagnostic mode enablement. Establish a credential rotation schedule for Ricoh device administrative accounts, reducing the window during which compromised passwords are valid. If logs are already retained with plaintext credentials, immediately search for and securely delete or redact log files containing sensitive information, then rotate all device admin passwords. Network-segment the Hive management portal from direct internet exposure and restrict access via VPN or zero-trust access controls, reducing the risk that external attackers with compromised admin credentials can reach the portal.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27235
GHSA-p529-vrpr-9p36