CVE Exploit Alert: CVE-2023-27351 | HIGH | CVSS 7.5 | PaperCut NG/MF

by

HIGH

Alert Date: 2026-05-02

Severity Overview

  • CVSS Base Score: 7.5 (HIGH)
  • EPSS Score: 87.0% probability of exploitation in 30 days — higher than 99% of all scored CVEs
  • CVSS Version: 3.1
  • Priority: Elevated priority

Summary

This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226.

What the Attack Looks Like

How it works: The application’s authentication mechanism can be bypassed or confused, allowing an attacker to prove identity without valid credentials or impersonate another user.

If successfully exploited: High confidentiality impact means sensitive data — credentials, tokens, business records — may be directly readable by the attacker. CISA has confirmed known ransomware campaign use for this CVE. This is not a theoretical risk — organizations with unpatched systems should treat this as an active incident response scenario, not just a patch management item.

Analyst Takeaway

The attack is launched over the network (remotely exploitable without physical access) and no authentication is required. This vulnerability is already in CISA KEV, which means exploitation has been confirmed in the wild — treat this as active risk, not theoretical exposure. CISA indicates known ransomware campaign use, which raises the likelihood of rapid operational impact if vulnerable systems remain exposed. In parallel with patching, defenders should review external exposure, hunt for signs of exploitation, and validate whether compensating controls are in place for vulnerable assets.

Detection Guidance

  • CWE-287 — Improper Authentication

    • Authentication flow gaps: Look for requests reaching authenticated-only endpoints or API routes without a valid preceding authentication event. In most applications, every privileged request should have a session token that maps back to a login event — gaps in this chain indicate bypass.
    • Unusual session creation: Search for sessions or tokens that appear without a corresponding login record. Also look for session tokens reused from new IPs immediately after creation.
    • Administrative interface access: Monitor access to admin consoles, management APIs, or sensitive configuration endpoints from source IPs outside your expected admin IP ranges. Authentication bypass frequently targets these high-value endpoints first.
    • Timing anomalies: Some authentication bypass vulnerabilities are detectable by the request timing — bypassed requests may respond faster than legitimate authenticated requests (no credential verification overhead).

Recommended Actions

Immediate (0–24 Hours)

  • Inventory: Identify all systems running PaperCut NG/MF. Include production, staging, dev, and cloud environments — untracked instances are the most likely to remain unpatched.
  • Validate internet-facing exposure: Determine which of the affected systems are reachable from the public internet. Prioritize these for immediate remediation or compensating controls.
  • Apply compensating controls now: For systems that cannot be patched immediately, implement temporary mitigations: restrict access via firewall rules or ACLs, add WAF rules if applicable, disable or isolate the vulnerable component if feasible without breaking critical operations.
  • Escalate and prepare for incident response: CISA has confirmed ransomware campaign use. Notify your security leadership, ensure backup integrity is validated and tested, and confirm your IR playbook is ready to activate if exploitation is detected.

Remediation

  • Apply the vendor patch: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  • CISA directive deadline: 2026-05-04 — this is the mandatory deadline for US federal civilian agencies under BOD 22-01. All organizations should treat this date as a strong target regardless of federal mandate.
  • Verify remediation: After patching, confirm the correct version is installed on all affected hosts. Run a vulnerability scan or use your asset management tooling to verify — do not rely solely on change tickets.

Detection Coverage

  • Unauthenticated exploitation monitoring: Because this vulnerability requires no authentication, internet-facing scanning and exploitation attempts may begin within hours of public disclosure. Ensure alerting is in place before the end of the day.
  • Threat intelligence feeds: Monitor your TI feeds and vendor advisory channels for published indicators of compromise (IOCs), proof-of-concept exploit releases, or active campaign reporting associated with this CVE — these should trigger an immediate hunt even if no internal alerts have fired.

Vulnerability Details

  • CVE: CVE-2023-27351
  • Vendor: PaperCut
  • Product: NG/MF
  • CWE: CWE-287
  • Date Added to CISA KEV: 2026-04-20
  • CISA Due Date: 2026-05-04
  • Known Ransomware Campaign Use: Known
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Additional Notes

https://www.papercut.com/kb/Main/PO-1216-and-PO-1219 ; https://nvd.nist.gov/vuln/detail/CVE-2023-27351

Stay Informed

Subscribe to ThreatPodium

Get CVE exploit alerts and daily threat intelligence reports the moment they publish — no account required.