CVE-2023-27350

9.8 CRITICAL

📋 TL;DR

CVE-2023-27350 is an authentication bypass vulnerability in PaperCut NG/MF that allows unauthenticated remote attackers to gain SYSTEM-level access and execute arbitrary code. This affects PaperCut NG/MF installations with the vulnerable SetupCompleted class. Organizations running affected PaperCut versions are at immediate risk of complete system compromise.

💻 Affected Systems

Products:
  • PaperCut NG
  • PaperCut MF
Versions: PaperCut NG/MF versions 22.0.5 (Build 63914) and earlier, specifically 22.0.4 and 22.0.5
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. The SetupCompleted class improperly handles access control regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with SYSTEM privileges, data exfiltration, ransomware deployment, and lateral movement across the network.

🟠 Likely Case

Unauthenticated attackers gain administrative access to PaperCut, install malware, steal credentials, and pivot to other systems.

🟢 If Mitigated

Limited impact if network segmentation, strict firewall rules, and endpoint protection prevent exploitation attempts.

🌐 Internet-Facing: HIGH - Directly exploitable without authentication from the internet, making exposed instances prime targets.
🏢 Internal Only: HIGH - Even internally, any attacker on the network can exploit this without credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts and proof-of-concepts exist. Actively exploited in the wild since April 2023 with ransomware groups leveraging it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: PaperCut NG/MF version 22.0.6 or later

Vendor Advisory: https://www.papercut.com/kb/Main/Security-Bulletin-May-2023/

Restart Required: Yes

Instructions:

1. Download the latest version from the PaperCut website.
2. Back up the configuration and database.
3. Stop the PaperCut services.
4. Install the update.
5. Restart the services.
6. Verify functionality.

🔧 Temporary Workarounds

Network Isolation

Platforms: all

Block external access to PaperCut web interface (default ports 9191, 9192)

# Firewall rule to block port 9191/tcp and 9192/tcp from external networks

Access Restriction

Platforms: all

Restrict PaperCut web interface to trusted IP addresses only

# Configure web server (Apache/Nginx/IIS) to allow only specific IP ranges
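The two workarounds above (block external access, allow only trusted ranges) can be expressed as a single host firewall policy. The following is an added example, not PaperCut's own guidance or tooling: a POSIX shell function that emits an nftables ruleset restricting the web/admin ports 9191/tcp and 9192/tcp (from this page) to the CIDRs you pass in. The table name papercut_guard and the sample ranges are assumptions; review the output before applying it.

```shell
#!/bin/sh
# Emit an nftables ruleset that allows the PaperCut web ports (9191/tcp, 9192/tcp)
# only from the trusted CIDRs given as arguments and drops every other attempt.
# Apply on the PaperCut host, after review:
#   papercut_nft_ruleset 10.0.10.0/24 > /tmp/papercut.nft && nft -f /tmp/papercut.nft
papercut_nft_ruleset() {
    [ "$#" -ge 1 ] || { echo "usage: papercut_nft_ruleset CIDR [CIDR...]" >&2; return 1; }
    # Build the nft set body, e.g. "10.0.10.0/24, 192.168.1.0/24"
    set_body=$(printf '%s, ' "$@")
    set_body=${set_body%, }
    cat <<EOF
table inet papercut_guard {
    chain input {
        type filter hook input priority 0; policy accept;
        # trusted management ranges (IPv4) may reach the web/admin ports
        ip saddr { $set_body } tcp dport { 9191, 9192 } accept
        # everything else, including IPv6 (no allow rule above), is dropped
        tcp dport { 9191, 9192 } drop
    }
}
EOF
}

# Stand-alone demo with constructed (documentation) ranges; prints the ruleset.
papercut_nft_ruleset 10.0.10.0/24 192.168.1.0/24
```

The rules are evaluated in order, so the trusted-source accept must precede the catch-all drop. Rules in a local firewall do not help if the server is published through a load balancer that rewrites source addresses; in that case apply the same allow-list at the edge device instead.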

🧯 If You Can't Patch

  • Immediately isolate PaperCut servers from internet and restrict network access to management VLAN only
  • Implement strict network monitoring and IDS/IPS rules to detect exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check PaperCut version in Admin interface > About, or run: java -jar papercut-print-log-archiver.jar --version

Check Version:

On server: cat /usr/local/papercut/server/bin/win64/application-server/version.txt (Linux) or check Windows service properties

Verify Fix Applied:

Confirm that the installed version is 22.0.6 or higher, and confirm that a request to the /setup/setupCompleted?completed=1 endpoint now returns an authentication requirement instead of the setup page.
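Version checks are easy to get wrong with a plain string comparison (for example, "22.0.10" sorts before "22.0.6" as text). The following added example, not part of the page or of PaperCut's tooling, compares a version string such as the one shown in Admin > About numerically, field by field, against the fixed release 22.0.6 stated above. The helper names and the build number used in the demo are assumptions.

```shell
#!/bin/sh
# Numeric, field-by-field comparison so that 22.0.10 is correctly newer than 22.0.6.
# Returns 0 when $1 >= $2, 1 otherwise.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Fixed release from the vendor advisory referenced on this page.
FIXED_VERSION="22.0.6"

# Accepts the version as displayed, e.g. "22.0.5 (Build 63914)", keeps only the
# dotted numeric part and compares it with the fixed release.
papercut_is_patched() {
    v=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
    version_ge "$v" "$FIXED_VERSION"
}

# Reads a version file (e.g. the version.txt path mentioned above) and reports.
check_version_file() {
    ver=$(cat "$1")
    if papercut_is_patched "$ver"; then
        echo "patched: $ver"
    else
        echo "VULNERABLE: $ver (< $FIXED_VERSION)"
        return 1
    fi
}

# Stand-alone demo with a constructed version string.
if papercut_is_patched "22.0.5 (Build 63914)"; then
    echo "22.0.5 (Build 63914): patched"
else
    echo "22.0.5 (Build 63914): VULNERABLE, upgrade to $FIXED_VERSION or later"
fi
```

Use check_version_file with the version file on each server in an inventory loop; a version string alone does not prove the fix is active, so pair it with the endpoint check described above after the services have been restarted.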

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access to /setup/setupCompleted endpoint
  • Unexpected administrative actions from unknown IPs
  • New user creation or privilege escalation

Network Indicators:

  • HTTP requests to /setup/setupCompleted?completed=1 without authentication
  • Unusual outbound connections from PaperCut server

SIEM Query:

source="papercut" AND (uri="/setup/setupCompleted" OR (status=200 AND method=GET AND uri CONTAINS "setupCompleted"))
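The same logic as the SIEM query, run locally over web-server access logs, is useful where the PaperCut host is not yet forwarding to a SIEM. This is an added example, not from the page or from PaperCut: the log lines are constructed in NCSA combined style, which is an assumption about the format; adjust the awk field numbers if your access log differs. A 200 response to the setup-completion endpoint is the indicator, since a patched server should answer with an authentication requirement rather than serving the page.

```shell
#!/bin/sh
# Constructed sample access-log lines (NCSA combined-style; not real PaperCut logs).
# Fields with default awk splitting: $1 client IP, $6 "METHOD, $7 request URI, $9 status.
SAMPLE_LOG='203.0.113.10 - - [18/Apr/2023:10:01:02 +0000] "GET /setup/setupCompleted?completed=1 HTTP/1.1" 200 5120
203.0.113.10 - - [18/Apr/2023:10:01:05 +0000] "POST /app?service=page/PrinterList HTTP/1.1" 200 8800
10.0.10.5 - - [18/Apr/2023:10:02:00 +0000] "GET /app?service=page/Dashboard HTTP/1.1" 200 9100
198.51.100.7 - - [18/Apr/2023:10:03:11 +0000] "GET /setup/setupCompleted?completed=1 HTTP/1.1" 302 0
203.0.113.44 - - [18/Apr/2023:10:04:30 +0000] "GET /setup/setupCompleted HTTP/1.1" 200 5120'

# Print lines where a GET to the setup-completion endpoint was answered with 200,
# i.e. the setup page was served instead of an authentication redirect.
detect_setup_bypass() {
    awk '$6 ~ /"GET/ && $7 ~ /^\/setup\/setupCompleted/ && $9 == 200'
}

# Number of hits, suitable for an alert threshold (0 on a healthy, patched server).
count_setup_bypass() {
    detect_setup_bypass | awk 'END { print NR }'
}

# Distinct source IPs to correlate with later admin actions (new users, privilege changes).
bypass_sources() {
    detect_setup_bypass | awk '{ print $1 }' | sort -u
}

# Stand-alone demo over the constructed sample; for a real server pipe the access log instead.
printf '%s\n' "$SAMPLE_LOG" | detect_setup_bypass
```

The 302 line in the sample is deliberately not flagged: it is what a server that enforces authentication on that path is expected to return, and the same request pattern against a patched host is reconnaissance noise rather than a successful bypass. Feed the IPs from bypass_sources into the "unexpected administrative actions" and "new user creation" checks listed above.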
