
Critical RCE Vulnerability Affecting PaperCut Software

PaperCut, a developer of print management software, is urging its customers to promptly update their software due to ongoing attacks exploiting vulnerabilities to infiltrate susceptible servers. Here’s what you need to know.

What is the situation?

The company produces print management solutions that are compatible with all leading brands and platforms, catering to major corporations, government entities and educational institutions. PaperCut’s official website states that they serve hundreds of millions of users across more than 100 nations.

On Jan. 10, 2023, PaperCut was alerted by security researchers to two significant and critical security weaknesses affecting their PaperCut MF/NG products.

The two vulnerabilities are:

  • ZDI-CAN-18987 / CVE-2023-27350: Unauthenticated remote code execution (RCE) flaw affecting all PaperCut MF or NG versions 8.0 or later on all OS platforms, for both application and site servers. (CVSS v3.1 score: 9.8 – critical)
  • ZDI-CAN-19226 / CVE-2023-27351: Unauthenticated information disclosure flaw affecting all PaperCut MF or NG versions 15.0 or later on all OS platforms for application servers. (CVSS v3.1 score: 8.2 – high)

Of the two vulnerabilities, PaperCut states they have evidence to suggest that unpatched servers vulnerable to ZDI-CAN-18987 are being exploited in the wild.

Organizations utilizing the software are urged to update to PaperCut MF and PaperCut NG versions 20.1.8, 21.2.11, and 22.0.9 and later.

Versions older than 19 have reached their “end of life” and are no longer supported – PaperCut will not offer security updates for these releases. PaperCut recommends organizations purchase an updated license if they use an older, unsupported version.

What is Nuspire doing?

Nuspire is not affected by this vulnerability and regularly threat hunts managed environments for suspicious activity.

What should I do?

Organizations that use the software are urged to update to PaperCut MF and PaperCut NG versions 20.1.8, 21.2.11, and 22.0.9 and later. If you are unable to update, note that the first vulnerability has no workarounds; organizations must patch to mitigate it. The second vulnerability can be mitigated by applying “Allow List” restrictions under “Options->Advanced->Security->Allow site server IP Addresses” and setting this to only allow the IP addresses of verified site servers on your network.
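To apply the version guidance above across a fleet, the following added example (not PaperCut or Nuspire code) triages installed PaperCut MF/NG version strings against the affected ranges, fixed releases and end-of-life cutoff stated in this advisory. The inventory, hostnames and function names are constructed for illustration, and the check looks at the version only, not at whether a host is an application or site server.

```python
import re

# Values below are taken from the advisory text.
FIXED = {20: (20, 1, 8), 21: (21, 2, 11), 22: (22, 0, 9)}  # fixed release per branch
RCE_MIN = (8, 0, 0)    # CVE-2023-27350: MF/NG 8.0 or later
INFO_MIN = (15, 0, 0)  # CVE-2023-27351: MF/NG 15.0 or later
EOL_BELOW = 19         # versions older than 19 get no security updates


def parse_version(text):
    """Return (major, minor, patch) from strings such as '21.2.10' or '19.2'."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def triage(text):
    """Classify one installed version: which CVEs apply and what to do."""
    v = parse_version(text)
    major = v[0]
    if major > max(FIXED) or (major in FIXED and v >= FIXED[major]):
        return {"cves": [], "action": "patched"}
    cves = [cve for cve, low in (("CVE-2023-27350", RCE_MIN),
                                 ("CVE-2023-27351", INFO_MIN)) if v >= low]
    if major < EOL_BELOW:
        action = "end of life: no security update, move to a supported release"
    elif major in FIXED:
        action = "update to %d.%d.%d or later" % FIXED[major]
    else:
        # 19.x: the advisory lists no fixed 19.x build, so point at the listed ones.
        action = "update to 20.1.8, 21.2.11, 22.0.9 or later"
    return {"cves": cves, "action": action}


# Constructed inventory (hostnames and versions are made up for the example).
INVENTORY = {
    "print01.example.internal": "22.0.8",
    "print02.example.internal": "21.2.11",
    "print03.example.internal": "19.2.7",
    "print04.example.internal": "14.3",
    "print05.example.internal": "7.5",
}

if __name__ == "__main__":
    for host, version in INVENTORY.items():
        result = triage(version)
        cve_text = ",".join(result["cves"]) or "-"
        print(f"{host:26} {version:8} {cve_text:30} {result['action']}")
```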
