
Urgent Security Alert: CISA Flags Critical Cisco and PaperCut Flaws Actively Exploited in the Wild
In a critical security update for IT administrators and security professionals, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two significant vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The warnings concern widely used software from Cisco and PaperCut, both of which are confirmed to be under active attack by malicious actors.
Inclusion in the KEV catalog is not a theoretical warning; it signifies that these security flaws have a documented history of active exploitation. This elevates the need for immediate action from a best practice to a critical necessity for organizations of all sizes.
Critical Cisco ISE Flaw: Authentication Bypass (CVE-2023-20143)
The first vulnerability targets the Cisco Identity Services Engine (ISE), a foundational network administration product used for managing access control and security policies.
The flaw, tracked as CVE-2023-20143, is a high-severity authentication bypass vulnerability in the web-based management interface of Cisco ISE. The implications are severe: an unauthenticated attacker on the same network could exploit this flaw to create a new, privileged administrator account. This would give the attacker full control over the ISE system, allowing them to manipulate network access policies, steal sensitive data, and gain a persistent foothold in the corporate network.
- Vulnerability: CVE-2023-20143 – Authentication Bypass
- Affected Software: Cisco ISE versions 3.1.x and 3.2.x
- Impact: Full administrator access without prior authentication.
What You Need to Do:
Cisco released security patches to address this vulnerability in April 2023. It is imperative that all organizations using the affected versions of Cisco ISE apply the necessary updates immediately. Due to the proven exploitation of this flaw, delaying patches leaves your network’s core security controls dangerously exposed.
PaperCut Vulnerability Under Attack by Ransomware (CVE-2023-27350)
The second alert focuses on a critical vulnerability in PaperCut NG and PaperCut MF, popular print management solutions used globally in corporate, educational, and government environments.
This vulnerability, identified as CVE-2023-27350, is a remote code execution (RCE) flaw that allows an unauthenticated attacker to bypass authentication and execute arbitrary code with SYSTEM-level privileges. This is a worst-case scenario, as SYSTEM privileges give an attacker complete control over the underlying server.
Disturbingly, this is not just a theoretical threat. Security researchers have confirmed that ransomware groups, including the notorious Clop and LockBit gangs, are actively exploiting this vulnerability to gain initial access to networks. Once inside, they deploy ransomware, exfiltrate data, and cause widespread operational disruption.
- Vulnerability: CVE-2023-27350 – Remote Code Execution
- Affected Software: PaperCut MF or NG versions 8.0 and later
- Impact: Complete system compromise by unauthenticated attackers.
Immediate Steps for Protection:
PaperCut released patches in March 2023. If your organization uses PaperCut MF or NG, you must:
- Identify all vulnerable servers immediately.
- Update to a patched version as recommended in PaperCut’s official security advisory.
- Inspect your systems for signs of compromise, as attackers may have already breached your network before the patch was applied. Look for unusual scripts, new user accounts, or unexpected network traffic.
Why CISA’s KEV Catalog Demands Your Attention
The KEV catalog is CISA’s definitive list of security flaws that pose a clear and present danger to organizations. While federal agencies are bound by directive to patch these vulnerabilities by a set deadline, the catalog serves as a critical security baseline for all private and public sector organizations.
When a vulnerability is added to the KEV, it means attackers have already developed working exploits and are actively using them in real-world campaigns. This shifts the risk from potential to probable, making immediate remediation a non-negotiable priority.
Your Next Steps: A Proactive Security Posture
The exploitation of these Cisco and PaperCut vulnerabilities is a stark reminder that reactive security is no longer sufficient. To protect your organization, you must adopt a proactive and vigilant stance.
- Prioritize Patch Management: Ensure you have a robust system for identifying and applying critical security patches as soon as they become available.
- Monitor the KEV Catalog: Regularly review CISA’s KEV catalog to stay informed about the threats that matter most.
- Assume Compromise: For vulnerabilities under active attack, it’s wise to investigate for signs of intrusion even after patching.
- Strengthen Defenses: Implement network segmentation to limit the “blast radius” if a system is compromised, and ensure you have secure, offline backups to aid in recovery from a potential ransomware attack.
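One way to act on the "Monitor the KEV Catalog" step in code, as an added example that is not from the article or from CISA: the Python below checks an asset inventory against a KEV snapshot in the layout CISA publishes (`vulnerabilities[]` entries with `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`). The catalog entries, dates and hostnames are constructed sample data, and the vendor/product substring matching is an assumption of this example, since the KEV feed carries no version information.

```python
import json
from datetime import date

# Constructed snapshot in the layout of CISA's KEV JSON feed (real feed:
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Dates and the third entry are made-up sample values, not the real catalog.
KEV_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-27350", "vendorProject": "PaperCut", "product": "MF/NG",
     "dateAdded": "2023-04-21", "dueDate": "2023-05-12",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-20143", "vendorProject": "Cisco",
     "product": "Identity Services Engine", "dateAdded": "2023-04-28",
     "dueDate": "2023-05-19", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "Widget",
     "dateAdded": "2023-04-01", "dueDate": "2023-04-22",
     "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory (hostnames are placeholders).
INVENTORY = [
    {"host": "print-01", "vendor": "PaperCut", "product": "NG"},
    {"host": "nac-core", "vendor": "Cisco", "product": "Identity Services Engine"},
    {"host": "sw-edge-07", "vendor": "Cisco", "product": "IOS XE"},
]

def parse_kev(text):
    """Return the list of KEV entries from the feed's JSON text."""
    return json.loads(text)["vulnerabilities"]

def product_matches(kev_product, inventory_product):
    """Loose case-insensitive substring match either way: a hit means 'check this host',
    not 'this host is vulnerable', because KEV has no version fields."""
    a, b = kev_product.lower(), inventory_product.lower()
    return a in b or b in a

def match_inventory(kev_text, inventory, today):
    """One finding per (host, KEV entry) pair; ransomware-linked and most overdue first."""
    findings = []
    for entry in parse_kev(kev_text):
        for asset in inventory:
            if entry["vendorProject"].lower() != asset["vendor"].lower():
                continue
            if not product_matches(entry["product"], asset["product"]):
                continue
            due = date.fromisoformat(entry["dueDate"])  # federal remediation deadline
            findings.append({"host": asset["host"], "cveID": entry["cveID"],
                             "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                             "days_past_due": (today - due).days})
    findings.sort(key=lambda f: (not f["ransomware"], -f["days_past_due"]))
    return findings
```

Running `match_inventory(KEV_SNAPSHOT, INVENTORY, date.today())` against the live feed (fetched and passed in as text) gives a triage list; a negative `days_past_due` means the federal deadline has not yet passed.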
The threat is real and active. Do not delay in addressing these vulnerabilities to safeguard your network integrity and data security.
Source: https://securityaffairs.com/180494/security/u-s-cisa-adds-cisco-ise-and-papercut-ng-mf-flaws-to-its-known-exploited-vulnerabilities-catalog.html