Active Exploitation of Vulnerabilities Found in PaperCut MF/NG Servers

Alert

Original Release Date: 5/3/2023

UPDATED: 5/3/2023

PaperCut, a print management software developer, released a March 2023 update that patched critical- and high-severity vulnerabilities found in PaperCut MF/NG: CVE-2023-27350 and CVE-2023-27351, respectively. The March 2023 security advisory was updated on April 19 to include information regarding the active exploitation of unpatched PaperCut MF/NG servers, and a separate April 20 blog post provides additional details. PaperCut software is used by many corporations, government agencies, and educational institutions.

  • CVE-2023-27350 is a remote code execution flaw impacting PaperCut MF/NG versions 8.0 or later on all operating system (OS) platforms for both application and site servers. This vulnerability could be exploited to bypass authentication and execute code.
  • CVE-2023-27351 is an unauthenticated information disclosure flaw impacting PaperCut MF/NG versions 15.0 or later on all OS platforms for application servers. This vulnerability could be exploited to bypass authentication on the system.

On April 26, Microsoft published a series of tweets detailing its observation that the Cl0p and LockBit ransomware groups are exploiting the PaperCut vulnerabilities to establish initial network access in their ransomware operations. Cl0p confirmed that they have targeted PaperCut servers since April 13.

The NJCCIC advises users and administrators to upgrade PaperCut MF and PaperCut NG to versions 20.1.7, 21.2.11, and 22.0.9 or later. PaperCut versions older than 19 are considered end-of-life and will not receive updates; these users are encouraged to purchase updated licenses to ensure their servers are supported. The updated March 2023 security advisory also includes steps to help determine if a server may have been compromised. The impact and remediation steps for compromised PaperCut servers will vary greatly depending on network architecture and extent of unauthorized access.
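The version thresholds in this alert can be applied to a server inventory with a short script. The following is an added example, not code from PaperCut or the NJCCIC; the function names, the role labels, and the sample inventory are constructed for illustration, and it assumes any release in a branch newer than 22 counts as "22.0.9 or later."

```python
# Added example: triage PaperCut MF/NG versions against this alert's thresholds.
import re

# Fixed releases named in the alert, keyed by major version branch.
FIXED = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}
NEWEST_FIX = max(FIXED.values())


def parse_version(text):
    """Return (major, minor, patch) from strings such as '21.2.10' or '22.0'."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def triage(version_text, role="application"):
    """Classify one server. role is 'application' or 'site' (per the alert)."""
    v = parse_version(version_text)
    major = v[0]
    cves = []
    if v >= (8, 0, 0):  # CVE-2023-27350: application and site servers
        cves.append("CVE-2023-27350")
    if v >= (15, 0, 0) and role == "application":  # CVE-2023-27351: application servers
        cves.append("CVE-2023-27351")
    if not cves:
        return {"version": v, "status": "not-in-affected-range", "cves": []}
    if major in FIXED:
        patched = v >= FIXED[major]
    else:
        # Assumption: a branch newer than 22 counts as "22.0.9 or later".
        # The alert lists no in-branch fix for 19.x, so 19.x is flagged for upgrade.
        patched = v >= NEWEST_FIX
    if patched:
        return {"version": v, "status": "patched", "cves": []}
    status = "end-of-life" if major < 19 else "upgrade-required"
    return {"version": v, "status": status, "cves": cves}


if __name__ == "__main__":
    # Constructed inventory: hostnames, versions and roles are sample values.
    inventory = [("print01", "21.2.10", "application"), ("print02", "22.0.9", "site"),
                 ("print03", "17.4.2", "application"), ("print04", "19.2.7", "site")]
    for host, ver, role in inventory:
        r = triage(ver, role)
        print(f"{host:8} {ver:8} {role:12} {r['status']:17} {', '.join(r['cves'])}")
```

A "patched" result reflects only the installed version; a server that was exposed while unpatched still needs the compromise checks described in the vendor advisory.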

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
