DIVD-2023-00020 - PaperCut MF/NG Authentication Bypass
| Our reference | DIVD-2023-00020 | 
| Case lead | Ralph Horn | 
| Author | Max van der Horst | 
| Researcher(s) | |
| CVE(s) | |
| Product | PaperCut NG and PaperCut MF | 
| Versions | 22.0.5 (Build 63914) | 
| Recommendation | Upgrade your PaperCut MF/NG version to one of the listed fixed versions. | 
| Status | Closed | 
| Last modified | 09 Jul 2023 21:41 CEST | 
Summary
PaperCut NG/MF installations of version 22.0.5 (Build 63914) contain an authentication bypass vulnerability that allows remote attackers to log into the system without authentication. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM on the underlying operating system. There is evidence that this vulnerability is actively being exploited in the wild.
What you can do
Upgrade your PaperCut NG/MF installation to version 20.1.7, 21.2.11, 22.0.9 or higher to fix this vulnerability. Steps to upgrade can be found in PaperCut's advisory. Because this vulnerability is likely being actively exploited, upgrading is highly advised.
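As an added example (not DIVD's or PaperCut's code), the following triages an asset inventory against the fixed versions listed above. It assumes the three versions are per-branch minimums; the function names, hostnames and inventory format are constructed for illustration.

```python
import re

# Fixed releases named in the advisory, keyed by major version.
# Assumption: each one is the minimum fixed build for its own release branch.
FIXED = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}

def parse_version(text):
    """Pull (major, minor, patch) out of strings like '22.0.5 (Build 63914)'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(version_text):
    """Return 'upgrade' or 'at_or_above_fix' for one reported version."""
    version = parse_version(version_text)
    major = version[0]
    if major > max(FIXED):
        return "at_or_above_fix"  # higher than every fixed version listed
    if major not in FIXED:
        return "upgrade"          # lower than every fixed version listed
    # Integer tuples compare numerically, so 21.2.9 < 21.2.11 (a string compare
    # gets this wrong), and 21.0.0 is checked against 21.2.11, not 20.1.7.
    return "at_or_above_fix" if version >= FIXED[major] else "upgrade"

def hosts_to_upgrade(inventory):
    """inventory: iterable of 'hostname,version' lines. Returns hosts needing action."""
    pending = []
    for line in inventory:
        host, _, version_text = line.strip().partition(",")
        try:
            status = triage(version_text)
        except ValueError:
            status = "upgrade"    # unknown version: treat as unpatched until verified
        if status == "upgrade":
            pending.append(host)
    return sorted(pending)

# Constructed sample inventory (hostnames and format are illustrative).
SAMPLE = [
    "print01.example.internal,22.0.5 (Build 63914)",
    "print02.example.internal,21.2.11",
    "print03.example.internal,21.0.0",
    "print04.example.internal,20.1.7",
    "print05.example.internal,unknown",
]

if __name__ == "__main__":
    print(hosts_to_upgrade(SAMPLE))
```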
What we are doing
DIVD is currently scanning for vulnerable PaperCut systems connected to the Internet. Owners of vulnerable systems receive a notification with instructions to update their system.
Timeline
| Date | Description | 
|---|---|
| 20 Apr 2023 | DIVD starts researching the vulnerability. | 
| 21 Apr 2023 | DIVD conducts first scan. | 
| 24 Apr 2023 | DIVD performs first mailrun. | 
| 26 Apr 2023 | Microsoft confirms that Lockbit, Clop and Iranian APTs are exploiting the vulnerability in the wild. | 
| 04 May 2023 | VulnCheck finds a bypass for the patch; DIVD starts investigating a new fingerprint. | 
More information
- CVE-2023-27350
- CVE-2023-27351
- PaperCut Advisory
- Huntress Analysis
- BleepingComputer on Threat Actors
- VulnCheck Patch Bypass