CVE-2023-39143

Critical · Public PoC

Published: 04 August 2023

Modified: 05 May 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8818 (99.5th percentile)
Risk Priority: 73 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-39143 is a critical-severity path traversal (CWE-22) vulnerability in PaperCut MF. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.5% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-39143 is a path traversal vulnerability affecting PaperCut NG and PaperCut MF versions prior to 22.1.3 running on Windows. The flaw, tracked under CWE-22, permits unauthorized upload, read, or deletion of arbitrary files on the server and can result in remote code execution when the commonly enabled external device integration feature is active. It carries a CVSS 3.1 base score of 9.8.

Unauthenticated attackers with network access can exploit the issue to achieve full compromise of the affected PaperCut installation, including arbitrary file operations that lead to code execution. No user interaction or credentials are required, and the attack surface is exposed by default in typical deployments.

Vendor guidance from PaperCut directs administrators to upgrade immediately to version 22.1.3 or later. Horizon3 research publications provide additional technical details on the flaw and recommended defensive steps.

The vulnerability maintains a high EPSS score with a recorded peak of 0.9209 and current value of 0.8818, indicating sustained exploitation interest following disclosure.

Vulnerability details

PaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or delete arbitrary files. This leads to remote code execution when external device integration is enabled (a very common configuration).

Related Threats

Threat-Actor Attribution (AI)

Cl0p (G0092), aka TA505
Cl0p ransomware exploited PaperCut NG/MF path-traversal RCE (incl. CVE-2023-39143) in July 2023 mass campaign per Mandiant, Sophos, and Unit 42 reporting.

Affected Assets

papercut · papercut mf · ≤ 22.1.3
papercut · papercut ng · ≤ 22.1.3

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.
