CVE-2023-27350
Published: 20 April 2023
Summary
CVE-2023-27350 is a critical-severity Improper Access Control (CWE-284) vulnerability in PaperCut MF. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-27350 is an authentication bypass vulnerability in PaperCut NG version 22.0.5 (Build 63914) that stems from improper access control in the SetupCompleted class. The flaw permits remote attackers to reach administrative functionality without supplying credentials, ultimately allowing code execution with SYSTEM privileges on the underlying host. It carries a CVSS 3.1 base score of 9.8 and was originally reported as ZDI-CAN-18987.
Unauthenticated attackers on the network can directly exploit the issue to bypass login checks and run arbitrary commands in the SYSTEM context. Public exploit code targeting this vector has been published, confirming that no prior authentication or user interaction is required for successful compromise.
References list multiple PacketStorm entries containing proof-of-concept scripts for authentication bypass and remote code execution against PaperCut NG/MF 22.0.4 and later builds, along with a Sophos advisory documenting observed increases in active exploitation attempts shortly after disclosure.
The associated EPSS score currently stands at 0.9426 with a recorded peak of 0.9724, reflecting sustained and widespread exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-31126
Vulnerability details
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.
- CWE(s)
- KEV Date Added: 21 April 2023
Mitigating Controls (NIST 800-53 r5)
Directly enforces approved access authorizations on the SetupCompleted class, blocking the unauthenticated bypass that leads to SYSTEM code execution.
Requires timely remediation of the known PaperCut NG 22.0.5 flaw (ZDI-CAN-18987) before public exploits are used in the wild.
Limits privileges so that even a successful authentication bypass cannot immediately yield arbitrary code execution in the SYSTEM context.