Cyber Resilience

CVE-2024-1654

High

Published: 14 March 2024

Modified: 23 January 2025
KEV Added
Patch
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0415 (88.9th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-1654 is a high-severity Permissive List of Allowed Inputs (CWE-183) vulnerability in PaperCut MF. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 11.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-1654 is an improper access control issue that permits unauthorized write operations, potentially resulting in remote code execution. The flaw affects PaperCut print management software, as indicated by the vendor's March 2024 security bulletin.

An authenticated administrator who also possesses an internal system identifier and details of another valid user account can exploit the weakness over the network to achieve code execution with high impact to confidentiality, integrity, and availability. The CVSS 7.2 score reflects the requirement for high privileges (PR:H); together with the specific knowledge needed, this limits the attack to insiders or compromised admin sessions.

The referenced PaperCut security bulletin addresses the issue and provides mitigation guidance, including available patches and configuration recommendations for affected installations.

EPSS for the CVE rose from a low baseline to a peak of 0.0962 in December 2025 before receding to the current value of 0.0415, indicating a period of increased exploitation interest after disclosure.

Vulnerability details

This vulnerability potentially allows unauthorized write operations which may lead to remote code execution. An attacker must already have authenticated admin access and knowledge of both an internal system identifier and details of another valid user to exploit this.

CWE(s)

CWE-183 (Permissive List of Allowed Inputs)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / Product: Affected versions

papercut / papercut mf: ≤ 20.1.10 · 21.0.0 to 21.2.14 · 22.0.0 to 22.1.5
papercut / papercut ng: ≤ 20.1.10 · 21.0.0 to 21.2.14 · 22.0.0 to 22.1.5

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
