PaperCut, a print management software developer, released a March 2023 update that patched critical and high vulnerabilities found in PaperCut MF/NG: CVE-2023-27350 and CVE-2023-27351, respectively. The March 2023 security advisory was updated on April 19 to include information regarding the active exploitation of unpatched PaperCut MF/NG servers, and a separate April 20 blog post provides additional details. PaperCut software is used by many corporations, government agencies, and educational institutions.
CVE-2023-27350 is a remote code execution flaw impacting all PaperCut MF/NG versions 8.0 or later on all operating system (OS) platforms for both application and site servers. This vulnerability could be exploited to bypass authentication and execute code. CVE-2023-27351 is an unauthenticated information disclosure flaw impacting all PaperCut MF/NG versions 15.0 or later on all OS platforms for application servers. This vulnerability could be exploited to bypass authentication on the system.
Users and administrators are advised to upgrade PaperCut MF and PaperCut NG to versions 20.1.7, 21.2.11, and 22.0.9 or later. PaperCut versions older than 19 are considered end-of-life and will not receive updates; these users are encouraged to purchase updated licenses to ensure their servers are supported. The updated March 2023 security advisory also includes steps to help determine if a server may have been compromised. The impact and remediation steps for compromised PaperCut servers will vary greatly depending on network architecture and extent of unauthorized access.
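The version thresholds above can be applied to a server inventory with a short triage script; the following is an added example, not code from PaperCut or from the advisory. It compares versions numerically (a plain string comparison would rank 21.2.9 above 21.2.11), and it assumes plain dotted version strings, that major versions newer than 22 are fixed, and constructed hostnames and role names.

```python
# Added example: version triage using only the thresholds stated in the advisory text.
FIXED_MIN = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}  # fixed release per branch
AFFECTED = {                       # CVE -> (first affected version, affected server roles)
    "CVE-2023-27350": ((8, 0, 0), {"application", "site"}),
    "CVE-2023-27351": ((15, 0, 0), {"application"}),
}
EOL_BELOW_MAJOR = 19               # "versions older than 19" are end-of-life


def parse_version(text):
    """Turn '21.2.10' into (21, 2, 10); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def triage(version_text, role="application"):
    """Return (sorted CVE list, recommended action) for one server."""
    v = parse_version(version_text)
    major = v[0]
    # Assumption: a major version newer than the newest listed branch is fixed.
    patched = major > max(FIXED_MIN) or (major in FIXED_MIN and v >= FIXED_MIN[major])
    if patched:
        return [], "at or above a fixed release"
    cves = sorted(c for c, (first, roles) in AFFECTED.items()
                  if v >= first and role in roles)
    eol = major < EOL_BELOW_MAJOR
    if not cves:
        return [], "not listed as affected" + ("; end-of-life" if eol else "")
    if eol:
        return cves, "end-of-life, no update: move to a supported fixed release"
    if major in FIXED_MIN:
        return cves, "upgrade to " + ".".join(map(str, FIXED_MIN[major])) + " or later"
    return cves, "no fixed release listed for this branch: upgrade to a fixed branch"


if __name__ == "__main__":
    # Constructed inventory (hostnames and versions are made up for illustration).
    inventory = [("print-app-01", "21.2.10", "application"),
                 ("print-site-02", "14.3", "site"),
                 ("print-app-03", "22.0.9", "application")]
    for host, version, role in inventory:
        print(host, version, role, *triage(version, role))
```

A server flagged here that was reachable while unpatched should also be checked against the compromise indicators in the updated March 2023 advisory, since upgrading does not address access already gained.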