🔴 CVE-2023-27351

PaperCut NG contains an authentication bypass vulnerability that allows remote attackers to bypass authentication without any user interaction. This vulnerability is actively exploited in the wild and listed in CISA's Known Exploited Vulnerabilities catalog.

Risk Level: HIGH_RISK

CVSS Score: 8.2

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: HIGH

Ransomware: Yes (+45d)

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2023-04-20

Added to CISA KEV: 2026-04-20 (1096 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2023-27351 is a critical security vulnerability affecting PaperCut print management software (specifically PaperCut NG and MF) [2]. It was widely exploited by threat actors shortly after its disclosure in April 2023 [1].

Exploitation and Threat Actor Usage
  • Active Exploitation: The vulnerability saw significant exploitation in the wild beginning in mid-April 2023 [1].
  • Threat Actors: Microsoft and other security researchers attributed attacks leveraging this vulnerability to major ransomware operations, including Clop and LockBit [1] [3]. These groups used the vulnerability to gain initial access to corporate networks to steal data and deploy ransomware [1].

Attack Method and Requirements
  • Method: The vulnerability is an authentication bypass flaw located within the `SecurityRequestFilter` class of the application [2] [4]. It stems from an improper implementation of the authentication algorithm [2].
  • Requirements:
      • Network vs. Local: It is a remote vulnerability, meaning it can be exploited over the network without requiring local access [2].
      • User Interaction: No user interaction or authentication is required to exploit this flaw [2].

Impact and Access
Successful exploitation allows a remote, unauthenticated attacker to bypass authentication mechanisms entirely [2]. This typically grants the attacker administrative-level access to the PaperCut application server, which can then be used to execute arbitrary code, steal sensitive corporate data, or serve as a beachhead for further lateral movement within the victim's network [1].

Affected Versions and Mitigation
  • Affected Versions: The vulnerability primarily affected PaperCut NG and MF installations prior to the release of security patches in April 2023 [1].
  • Status: This issue has been patched. Organizations using PaperCut MF or NG were advised to upgrade to versions 20.1.7, 21.2.11, 22.0.9, or later to remediate this and related vulnerabilities [1].

Sources

  1. Microsoft: Clop and LockBit ransomware behind PaperCut server hacks

    Microsoft has attributed recent attacks on PaperCut servers to the Clop and LockBit ransomware operations, which used the vulnerabilities to steal corporate data. All organizations utilizing PaperCut MF or NG are strongly advised to upgrade to versions 20.1.7, 21.2.11, and 22.0.9 immediately and late…

  2. NVD - CVE-2023-27351

    CVE-2023-27351 Detail. Description. This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerabil…

  3. 202304281500_Cl0p and Lockbit New Data Breaches Sector...

    New Data Breaches from Cl0p and Lockbit Ransomware Groups Executive Summary. Ransomware-as-a-service (RaaS) groups Cl0p and Lockbit recently conducted several distinct attacks, exploiting three known vulnerabilities (CVE-2023-27351, CVE-2023-27350, and CVE-2023-0669). “National Vulnerability Database…

  4. This vulnerability allows remote attackers to bypass... · CVE-2023 ...

    Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper impl…