Cyber Resilience

CVE-2023-27350

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 20 April 2023
Modified: 27 October 2025
KEV Added: 21 April 2023
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9426 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-27350 is a critical-severity Improper Access Control (CWE-284) vulnerability in PaperCut MF. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-27350 is an authentication bypass vulnerability in PaperCut NG version 22.0.5 (Build 63914) that stems from improper access control in the SetupCompleted class. The flaw permits remote attackers to reach administrative functionality without supplying credentials, ultimately allowing code execution with SYSTEM privileges on the underlying host. It carries a CVSS 3.1 base score of 9.8 and was originally reported as ZDI-CAN-18987.

Unauthenticated attackers on the network can directly exploit the issue to bypass login checks and run arbitrary commands in the SYSTEM context. Public exploit code targeting this vector has been published, confirming that no prior authentication or user interaction is required for successful compromise.

References list multiple PacketStorm entries containing proof-of-concept scripts for authentication bypass and remote code execution against PaperCut NG/MF 22.0.4 and later builds, along with a Sophos advisory documenting observed increases in active exploitation attempts shortly after disclosure.

The associated EPSS score currently stands at 0.9426 with a recorded peak of 0.9724, reflecting sustained and widespread exploitation interest.

EU & UK References

Vulnerability details

This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.

CWE(s)
KEV Date Added: 21 April 2023

Related Threats

Threat-Actor Attribution (AI)

Cl0p
Cl0p ransomware exploited PaperCut NG zero-day CVE-2023-27350 (CISA KEV + Sophos 2023 reporting).

Affected Assets

Vendor: papercut
Product: papercut mf
Versions: 8.0 — 20.1.7 · 21.0.0 — 21.2.11 · 22.0.0 — 22.0.9

Vendor: papercut
Product: papercut ng
Versions: 8.0 — 20.1.7 · 21.0.0 — 21.2.11 · 22.0.0 — 22.0.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly enforces approved access authorizations on the SetupCompleted class, blocking the unauthenticated bypass that leads to SYSTEM code execution.

Prevent: Requires timely remediation of the known PaperCut NG 22.0.5 flaw (ZDI-CAN-18987) before public exploits are used in the wild.

Prevent: Limits privileges so that even a successful authentication bypass cannot immediately yield arbitrary code execution in the SYSTEM context.

References