
PaperCut RCE Bug Exploited in Attacks: CISA Urges Immediate Patching

Urgent Security Alert: Critical PaperCut Vulnerability Under Active Attack

A critical security flaw in widely used print management software is being actively exploited by malicious actors, putting networks at severe risk. The vulnerability affects PaperCut MF and PaperCut NG and allows for unauthenticated remote code execution (RCE), potentially giving attackers complete control over affected servers.

Cybersecurity authorities are urging all organizations using this software to take immediate action to patch their systems to prevent compromise. This is not a theoretical threat; confirmed attacks are happening now.

What is the PaperCut Vulnerability?

The primary vulnerability is tracked as CVE-2023-27350, a critical flaw with a severity score of 9.8 out of 10. This security gap in the software’s setup process allows an attacker, without needing any credentials, to achieve Remote Code Execution (RCE) on an application server.

In simpler terms, this means a remote attacker can run any code they want on your server. This could lead to:

  • Theft of sensitive documents and user data.
  • Deployment of ransomware, holding your organization’s data hostage.
  • Using the compromised server as a foothold to attack other systems on your network.

A second, less severe vulnerability, CVE-2023-27351, has also been identified. This flaw could allow an attacker to view sensitive information such as usernames, full names, and email addresses of other users. While less critical on its own, it can be combined with other tactics to facilitate more complex attacks.

The Threat is Real: Active Exploitation Confirmed

CVE-2023-27350 has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, a list of security flaws that are confirmed to be actively used in real-world attacks. Threat actors have been observed scanning the internet for unpatched PaperCut servers to exploit.

Once a server is compromised, attackers have been seen deploying malicious tools and attempting to steal credentials. Because print management servers often have high-level privileges and access to sensitive information, a successful breach can have devastating consequences for an entire organization.

Actionable Steps: How to Secure Your Systems Immediately

If your organization uses PaperCut MF or NG, it is crucial to act now. Do not assume your systems are safe. Follow these steps to protect your network.

  1. Identify Vulnerable Versions: This vulnerability impacts PaperCut MF and NG versions 8.0 and later on all operating systems. You must check which version you are running.

  2. Patch Immediately: This is the single most important step you can take. PaperCut has released patches to fix these vulnerabilities. You should upgrade to one of the following secure versions (or a later version as it becomes available):

    • PaperCut MF & NG version 20.1.7
    • PaperCut MF & NG version 21.2.11
    • PaperCut MF & NG version 22.0.9

  3. Check for Signs of Compromise: Even after patching, it is vital to check for evidence that your server may have already been compromised. Security researchers recommend looking for suspicious activity, including:

    • Unusual outbound network connections from the PaperCut server.
    • The presence of unfamiliar executable files or scripts in PaperCut directories.
    • Unexpected creation of new local user accounts on the server.

  4. Implement Mitigations if You Cannot Patch: While patching is strongly recommended, if you are unable to do so immediately, you should apply risk mitigation measures. This includes restricting all external access to the server at your network firewall and only allowing connections from trusted internal IP addresses. This is a temporary fix and does not replace the need to patch.
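
The version check from steps 1 and 2, as an added example (not code from PaperCut or from the original article): it compares version numbers numerically, so 21.2.9 sorts below 21.2.11, and flags anything from 8.0 upward that is below the fixed build for its branch. The hostnames, the inventory format, the version-string format and the choice to treat branches without a listed fix as vulnerable are assumptions.

```python
import re

# From the article: affected from 8.0 onward; fixed builds per release branch.
FIRST_AFFECTED = (8, 0, 0)
FIXED_BY_BRANCH = {(20, 1): (20, 1, 7), (21, 2): (21, 2, 11), (22, 0): (22, 0, 9)}
HIGHEST_FIX = max(FIXED_BY_BRANCH.values())


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string is unparseable."""
    # Assumption: dotted integers, optionally followed by other text; missing patch = 0.
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def classify(text):
    """Classify one version string: not-affected, patched, vulnerable or unknown."""
    v = parse_version(text)
    if v is None:
        return "unknown"  # never treat an unreadable version as safe
    if v < FIRST_AFFECTED:
        return "not-affected"
    fix = FIXED_BY_BRANCH.get(v[:2])
    if fix is not None:
        return "patched" if v >= fix else "vulnerable"
    # Branch with no listed fix: safe only if newer than every listed fixed build.
    return "patched" if v > HIGHEST_FIX else "vulnerable"


def triage(inventory):
    """Map each host to its status and return the hosts that still need action."""
    status = {host: classify(ver) for host, ver in inventory.items()}
    todo = sorted(h for h, s in status.items() if s in ("vulnerable", "unknown"))
    return status, todo


# Constructed sample inventory (hostnames, versions and build number are made up).
SAMPLE = {
    "print-01": "22.0.9", "print-02": "21.2.10", "print-03": "19.2.4",
    "print-04": "20.1.7 (Build 12345)", "print-05": "7.5.0", "print-06": "n/a",
}

if __name__ == "__main__":
    status, todo = triage(SAMPLE)
    for host in sorted(status):
        print(f"{host}: {status[host]}")
    print("needs action:", ", ".join(todo))
```

Hosts reported as "unknown" are listed alongside the vulnerable ones so that an unreadable version string is checked by hand rather than skipped.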

The ongoing exploitation of this PaperCut vulnerability highlights the critical importance of timely patch management. A failure to update can leave the door wide open for attackers, turning a manageable risk into a major security incident. Review your systems, apply the necessary updates, and ensure your organization is protected.

Source: https://www.bleepingcomputer.com/news/security/cisa-flags-papercut-rce-bug-as-exploited-in-attacks-patch-now/
