Huntress: Most PaperCut Installations Not Patched Against Already-Exploited Security Flaw

Researchers warn that the majority of Windows and macOS PaperCut installations are still vulnerable to a critical vulnerability already exploited in malware attacks.

Most Windows and macOS PaperCut installations have not been patched against a critical-severity vulnerability already exploited in attacks, according to a warning from endpoint security and incident response firm Huntress.

The security defect, tracked as CVE-2023-27350 (CVSS 9.8/10), is described as an improper access control bug in the PaperCut MF/NG print management system. Attackers can exploit the flaw to bypass authentication and execute arbitrary code remotely, with the privileges of the ‘System’ user.

In March 2023, PaperCut patched the vulnerability with the release of PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9. Last week, the company warned that the issue has been exploited in malicious attacks, urging customers to update installations immediately.

Despite the urgency to update, however, most PaperCut MF/NG customers have yet to apply the available patches, Huntress said in a new report.

In the environments it protects, Huntress has identified more than 1,000 Windows hosts with PaperCut installed. Among them, there are over 900 vulnerable versions, spread across about 700 organizations.

The company also identified three macOS hosts with PaperCut Server installed and says that two of them are running vulnerable versions. While PaperCut installations should not be accessible from the internet, a Shodan search shows that there are at least 1,800 publicly accessible PaperCut servers.
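The fixed versions named above and the vulnerable-host counts in the Huntress report amount to a simple triage pass over an asset inventory. The Python below is an added example, not Huntress's tooling or PaperCut's own code: the inventory is constructed, and how it treats release branches the article does not name is my assumption, flagged in the code.

```python
"""Triage helper for CVE-2023-27350: flag PaperCut MF/NG versions older than the fixed releases."""
from collections import Counter
from typing import NamedTuple

# Fixed releases named in the article, keyed by release branch (major, minor).
FIXED = {(20, 1): (20, 1, 7), (21, 2): (21, 2, 11), (22, 0): (22, 0, 9)}

def parse_version(text: str) -> tuple:
    """Parse 'major.minor.patch'; a trailing suffix such as '(Build 123)' is ignored."""
    parts = text.strip().split()[0].split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised PaperCut version string: {text!r}")
    return tuple(int(p) for p in parts[:3])

def status(version: str) -> str:
    """Classify a version as 'patched', 'unpatched' or 'review'.
    Assumption (mine, not the vendor's): a branch newer than the newest fixed branch counts
    as patched; any other unlisted branch is 'review' so it is checked by hand, not counted.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        return "patched" if (major, minor, patch) >= FIXED[branch] else "unpatched"
    return "patched" if branch > max(FIXED) else "review"

class Host(NamedTuple):
    hostname: str
    org: str
    version: str

def triage(inventory: list) -> dict:
    """Summarise an inventory the way the report does: hosts by status, orgs with unpatched hosts."""
    by_status = Counter()
    orgs_with_unpatched = set()
    for host in inventory:
        result = status(host.version)
        by_status[result] += 1
        if result == "unpatched":
            orgs_with_unpatched.add(host.org)
    return {"hosts": dict(by_status), "orgs_with_unpatched_hosts": len(orgs_with_unpatched)}

# Constructed sample inventory: hostnames, orgs and versions are made up.
SAMPLE = [
    Host("print-01", "acme", "22.0.8"),
    Host("print-02", "acme", "22.0.9"),
    Host("print-03", "globex", "21.2.10"),
    Host("print-04", "globex", "20.1.7 (Build 12345)"),
    Host("print-05", "initech", "19.2.3"),
]
```

Call `triage(SAMPLE)` to run it on the constructed inventory, or feed it hostname/org/version triples exported from your own asset inventory; anything returned as 'review' should be checked against the vendor's advisory rather than assumed safe.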

In the first attacks observed by Huntress, the attackers deployed copies of the legitimate Atera and Syncro remote monitoring and management (RMM) applications to maintain persistent access to the vulnerable systems.


While analyzing a domain observed in these attacks, Huntress researchers identified a Windows DLL that proved to be a variant of the Truebot malware, a post-exploitation tool linked to Silence, a threat actor known to be associated with Russian hacking group TA505 – the threat actor behind the Cl0p ransomware.

“While the ultimate goal of the current activity leveraging PaperCut’s software is unknown, these links (albeit somewhat circumstantial) to a known ransomware entity are concerning. Potentially, the access gained through PaperCut exploitation could be used as a foothold leading to follow-on movement within the victim network, and ultimately ransomware deployment,” Huntress notes.

The security firm also performed an analysis of vulnerable versions of PaperCut MF/NG and discovered that, once the print management solution has been installed, authentication can be bypassed by simply navigating to the ‘SetupCompleted’ page.

Without knowing any credentials, an attacker could exploit the bug to log in as an administrator, gaining access to all configurations and settings. The attacker could then make several tweaks to disable PaperCut MF/NG’s sandbox and have Java code executed on the server.

The cybersecurity firm has created a working proof-of-concept (PoC) that demonstrates both how authentication can be bypassed and how code can be executed remotely on vulnerable PaperCut servers.

PaperCut has shared additional information about the vulnerability and its exploitation, clarifying that it first learned about the attacks on April 17, and the earliest known activity potentially linked to the flaw was seen on April 13.

Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) added the PaperCut MF/NG vulnerability to its Known Exploited Vulnerabilities list. 

*Updated to add one paragraph specifying the date when exploitation started. An earlier version of the article incorrectly stated that exploitation started before PaperCut released a patch.

Related: GoAnywhere MFT Zero-Day Exploitation Linked to Ransomware Attacks

Related: Russia-Linked TA505 Back at Targeting Financial Institutions

Related: FIN11 Spun Out From TA505 Umbrella as Distinct Attack Group

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
