An unauthenticated authentication bypass in PaperCut NG/MF print management software has been added to CISA's Known Exploited Vulnerabilities catalog with confirmed ransomware campaign use.
What Is It
CVE-2023-27351 is an improper authentication vulnerability (CWE-287) in PaperCut NG and PaperCut MF. The flaw lives in the SecurityRequestFilter class, where the authentication algorithm is implemented incorrectly. A remote attacker can reach the affected installation over the network and bypass authentication entirely; no credentials, no user interaction required.
NVD rates the issue HIGH at CVSS 7.5 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), with the primary impact being a full loss of confidentiality. The secondary CVSS 3.0 score from ZDI is 8.2, factoring in a low integrity impact. The bug was originally tracked as ZDI-CAN-19226.
Why It Matters
CISA added CVE-2023-27351 to the KEV catalog on 2023-04-20 and explicitly flags it as having known ransomware campaign use. Exploitation requires no authentication and no user interaction, and PaperCut servers are commonly internet-exposed for print job submission, making this a high-value target for initial access.
Federal civilian agencies had a remediation due date of 2023-05-12.
What's Vulnerable
Per the NVD CPE configuration, the following PaperCut NG and PaperCut MF versions are affected:
- 15.0 up to (but not including) 20.1.7
- 21.0.0 up to (but not including) 21.2.11
- 22.0.0 up to (but not including) 22.0.9
The original ZDI disclosure references PaperCut NG 22.0.5 (Build 63914) as the confirmed vulnerable build.
Patch Status
PaperCut has published guidance and fixed builds in advisory PO-1216 and PO-1219. Fixed versions are 20.1.7, 21.2.11, and 22.0.9 (or later) on the respective branches.
CISA's required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.