Security News > 2023 > April > PoC exploit for abused PaperCut flaw is now public (CVE-2023-27350)

An unauthenticated RCE flaw in widely-used PaperCut MF and NG print management software is being exploited by attackers to take over vulnerable application servers, and now there's a public PoC exploit.

According to PaperCut, the attacks seem to have started on April 14, 2023 - a month and a week after the software maker released new PaperCut MF and NG versions that fixed CVE-2023-27350 and CVE-2023-27351, an unauthenticated information disclosure flaw that could allow attackers to access sensitive user information without authentication.

CVE-2023-27350 affects PaperCut MF or NG version 8.0 or later; CVE-2023-27351 affects PaperCut MF or NG version 15.0 or later.

"The security response team at PaperCut has been working with external security advisors to compile a list of unpatched PaperCut MF/NG servers that have ports open on the public internet. In addition to our email and in-app announcements to all customers, we've been using this list to proactively reach out to potentially exposed customers via multiple means," the company said.

Huntress researchers have shared on Friday that there are some 1,800 publicly exposed PaperCut servers that can be reached via port 9191, and that vulnerable servers are being exploited and have Atera and/or Syncro remote management and maintenance software installed on them, allowing attackers to achieve persistent remote access and code execution capabilities.

"While the ultimate goal of the current activity leveraging PaperCut's software is unknown, these links to a known ransomware entity are concerning. Potentially, the access gained through PaperCut exploitation could be used as a foothold leading to follow-on movement within the victim network, and ultimately ransomware deployment."

News URL

https://www.helpnetsecurity.com/2023/04/25/cve-2023-27350-poc/