High (7.5) Actively Exploited

PaperCut NG authentication bypass exploited in the wild (CVE-2023-27351)

Actively exploited PaperCut CVE-2023-27351 bypasses authentication, giving attackers admin access to NG and MF. Update to NG 22.0.9 or MF 22.0.8 immediately.

Affected: PaperCut MF, PaperCut NG

Actively exploited in the wild - CVE-2023-27351 is a high-severity authentication bypass in PaperCut NG before 22.0.9 and MF before 22.0.8 that grants remote attackers administrative access without credentials. Update immediately to block active exploitation.

Overview

CVE-2023-27351 is a critical authentication bypass vulnerability in PaperCut NG and MF. The flaw resides in the SecurityRequestFilter class, where an improper implementation of the authentication algorithm allows a remote attacker to gain access to the system without providing any valid credentials. This vulnerability is confirmed to be actively exploited by threat actors.

Affected Products and Impact

The vulnerability affects PaperCut NG and PaperCut MF. The initial advisory highlighted PaperCut NG version 22.0.5 (Build 63914), but multiple versions before 22.0.9 (for NG) and 22.0.8 (for MF) are vulnerable.

An attacker exploiting this vulnerability can bypass the login screen entirely, gaining unauthorized access to the PaperCut application server with administrative privileges. Once inside, an attacker can perform any administrative action, which may include accessing and exfiltrating sensitive user data, changing system configurations, deploying malicious software, and using the server as a foothold for further attacks within the network. The attack requires no user interaction and can be performed over the network.

Remediation and Mitigation

The primary and most urgent action is to apply the vendor-provided patch.

  1. Update Immediately: Upgrade PaperCut NG to version 22.0.9 or later, and PaperCut MF to version 22.0.8 or later. These versions contain the necessary fix. Consult the official PaperCut security advisory for detailed version information and download links.
  2. Network Segmentation: If immediate patching is not possible, ensure the PaperCut application server is not directly exposed to the internet. Restrict network access to the server’s web ports (typically 9191 and 9192) using firewalls, allowing connections only from trusted internal networks.
  3. Monitor for Compromise: Given the active exploitation, organizations running affected versions should review server logs for suspicious activity, such as unexpected administrative logins or configuration changes. Monitor for related threat intelligence and indicators of compromise (IOCs).
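
The triage script below is an added example, not part of the original advisory or of PaperCut's tooling. It applies steps 1 and 2 to a host inventory, flagging installs below the fixed versions and firewall allow rules that open ports 9191/9192 beyond trusted ranges. The inventory records, the RFC 1918 definition of "trusted", and the URGENT/PATCH/REVIEW/OK labels are assumptions.

```python
import ipaddress

# First fixed releases named in the advisory above.
FIXED = {"NG": (22, 0, 9), "MF": (22, 0, 8)}
WEB_PORTS = (9191, 9192)  # typical PaperCut web ports, per the advisory
# Assumption: "trusted internal networks" means RFC 1918 space; adjust per site.
TRUSTED = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_version(text):
    """Turn '22.0.5' or '22.0.5 (Build 63914)' into a comparable tuple."""
    parts = [int(p) for p in text.split()[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(product, version):
    """True if the version is below the first fixed release for NG or MF."""
    # Older branches also compare as below; confirm against the vendor advisory.
    return parse_version(version) < FIXED[product.upper()]

def untrusted_sources(allow_rules):
    """(port, cidr) firewall allows that open a web port beyond TRUSTED."""
    hits = []
    for port, cidr in allow_rules:
        net = ipaddress.ip_network(cidr)
        inside = any(net.version == t.version and net.subnet_of(t) for t in TRUSTED)
        if port in WEB_PORTS and not inside:
            hits.append((port, cidr))
    return hits

def triage(product, version, allow_rules):
    """Rank one host: patch state first, network exposure second."""
    vuln = is_vulnerable(product, version)
    exposed = bool(untrusted_sources(allow_rules))
    if vuln:
        return "URGENT" if exposed else "PATCH"
    return "REVIEW" if exposed else "OK"

# Constructed inventory (hypothetical hosts): name, product, version, allow rules.
INVENTORY = [
    ("print01", "NG", "22.0.5 (Build 63914)", [(9191, "0.0.0.0/0")]),
    ("print02", "MF", "22.0.7", [(9191, "10.20.0.0/16")]),
    ("print03", "MF", "22.0.8", [(9192, "192.168.5.0/24"), (22, "0.0.0.0/0")]),
    ("print04", "NG", "22.0.10", [(9192, "203.0.113.0/24")]),
]

if __name__ == "__main__":
    for name, product, version, rules in INVENTORY:
        print(f"{name}: {triage(product, version, rules)}")
```

Versions are compared as integer tuples because a plain string comparison would rank 22.0.10 below 22.0.9 and report a patched host as vulnerable.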

Security Insight

This vulnerability underscores the persistent criticality of seemingly “simple” logic flaws in authentication frameworks. Unlike complex memory corruption bugs, this bypass stems from a flawed algorithm implementation, making it highly reliable for attackers to weaponize. Its inclusion on CISA’s Known Exploited Vulnerabilities catalog, alongside its high EPSS score, reflects its low barrier to exploitation and high utility in ransomware and data theft campaigns, mirroring the exploitation pattern of similar authentication bypasses in other network appliances.

Nuclei Detection Templates

Detection template available — your exposure is being scanned

The templates below are YAML signatures for the Nuclei scanner from ProjectDiscovery. They are not exploit code — they are detection rules that confirm whether a target is vulnerable. The presence of a Nuclei template means every bug bounty hunter, AppSec team, red team, and reconnaissance pipeline on the public internet is actively probing for this CVE.

Assume your exposed instances have already been touched. Patch immediately even if no exploitation is observed yet — fingerprinting precedes exploitation by days at most.

Template: CVE-2023-27351.yaml

1 Nuclei template indexed for this CVE. Source: projectdiscovery/nuclei-templates.
