Vulnerability in Papercut Ng
CVE-2023-27350
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompl…
EPSS: 0.943 (99.9th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Papercut Ng — versions 22.0.5 (Build 63914)
Weakness classification (CWE)
CISA KEV (Known Exploited Vulnerabilities)
This CVE is on the CISA KEV catalog, added on . CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.
BOD 22-01 due date: .
Required action: Apply updates per vendor instructions.
Known ransomware campaign use: yes.
Public proof-of-concept exploits
References
- www.zerodayinitiative.com/advisories/ZDI-23-233/
- www.papercut.com/kb/Main/PO-1216-and-PO-1219
- packetstormsecurity.com/files/171982/PaperCut-MF-NG-Authentication-Bypass-Remot…
- packetstormsecurity.com/files/172022/PaperCut-NG-MG-22.0.4-Authentication-Bypas…
- news.sophos.com/en-us/2023/04/27/increased-exploitation-of-papercut-drawing-blo…
- packetstormsecurity.com/files/172512/PaperCut-NG-MG-22.0.4-Remote-Code-Executio…
- packetstormsecurity.com/files/172780/PaperCut-PaperCutNG-Authentication-Bypass…
Frequently asked questions
- What is CVE-2023-27350?
- CVE-2023-27350 is a critical-severity vulnerability in Papercut Ng, classified under Improper Access Control. CVSS score: 9.8/10. Published 2023-04-20.
- How severe is CVE-2023-27350?
- Critical severity. CVSS v3 base score is 9.8 out of 10.
- Is CVE-2023-27350 known to be exploited?
- Yes. CVE-2023-27350 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2023-04-21), indicating it is being actively exploited. 70 public proof-of-concept repositories are indexed.