CVE-2023-27350 — PaperCut MF/NG Improper Access Control Vulnerability

PaperCut MF/NG — Unauthenticated Access to SetupCompleted Handler Enables RCE as SYSTEM; Clop and LockBit Ransomware Mass Exploitation; Same-Day KEV April 2023

What is PaperCut?

PaperCut MF (Managed Fax) and PaperCut NG (Next Generation) are widely used print management software platforms deployed in universities, schools, hospitals, government agencies, and enterprises worldwide. PaperCut runs as a Windows service on print servers, managing user print quotas, print job logging, secure print release, and billing. It provides a web-based administration interface and integrates with Active Directory for user authentication. In educational environments especially, PaperCut servers often run with SYSTEM privileges and have broad access to print infrastructure — making a compromise capable of affecting the entire printing environment of a large institution.

Overview

CVE-2023-27350 is a critical improper access control vulnerability in PaperCut MF and PaperCut NG that allows an unauthenticated attacker to access the application's internal SetupCompleted administrative endpoint and execute arbitrary code as SYSTEM on the PaperCut server. PaperCut quietly patched it in March 2023 without a CVE assignment; researchers at Horizon3.ai identified the vulnerability by analyzing the patch in April 2023 and published a technical write-up that triggered immediate mass exploitation. CISA added it to KEV the following day. Clop (Lace Tempest) and LockBit ransomware operators were confirmed exploiting it within days.

Affected Versions

| Product | Vulnerable | Fixed |
|---|---|---|
| PaperCut MF | 22.0.8 and earlier | 22.0.9 |
| PaperCut NG | 21.4.8 and earlier | 21.4.9 |
| PaperCut MF/NG | All 20.x and 21.x versions | Update to 22.0.9 / 21.4.9+ |

Technical Details

CWE-284 (Improper Access Control). PaperCut's web application includes a SetupCompleted class/endpoint used during initial product configuration and setup. This endpoint was not properly restricted after setup completion — an unauthenticated external attacker can access it directly via HTTP. The SetupCompleted endpoint allows invocation of administrative functions including the ability to configure and trigger external script execution.

By accessing the SetupCompleted endpoint without authentication, an attacker can:

  1. Enable PaperCut's built-in "print script" or "user sync" script functionality
  2. Upload or specify an attacker-controlled script path
  3. Trigger execution of the script in the context of the PaperCut Windows service — which runs as SYSTEM

This provides OS command execution as SYSTEM on the Windows server hosting PaperCut, with full access to the filesystem, Active Directory via the system account, and all print jobs and data processed through PaperCut.
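The flaw class described above (a setup-wizard page whose login exemption never expires), shown beside a hardened check. This is an added, simplified model and not PaperCut's code: the `Request` class, both `authorize_*` functions and every page name other than SetupCompleted are hypothetical.

```python
from dataclasses import dataclass

PUBLIC_PAGES = {"Login"}                 # reachable without a session by design
SETUP_PAGES = {"SetupCompleted"}         # first-run wizard page named in the text
# Hypothetical page registry for the model; only SetupCompleted is from the page.
ALL_PAGES = PUBLIC_PAGES | SETUP_PAGES | {"ScriptSettings", "UserList"}

@dataclass
class Request:
    page: str
    admin_session: bool = False          # True only after an admin login

def authorize_flawed(req, setup_complete):
    # Flaw: wizard pages stay exempt from the login check even when
    # setup_complete is True, so the exemption never expires.
    if req.page in SETUP_PAGES:
        return True
    return req.admin_session or req.page in PUBLIC_PAGES

def authorize_hardened(req, setup_complete):
    # The wizard exemption exists only while the product is unconfigured.
    if req.page in SETUP_PAGES and not setup_complete:
        return True
    # Deny by default: anything not explicitly public needs an admin session.
    return req.admin_session or req.page in PUBLIC_PAGES

def anonymous_reachable(authorize, setup_complete=True):
    """Regression check: pages an unauthenticated request can open."""
    return sorted(p for p in ALL_PAGES if authorize(Request(p), setup_complete))

if __name__ == "__main__":
    print("flawed:  ", anonymous_reachable(authorize_flawed))
    print("hardened:", anonymous_reachable(authorize_hardened))
```

Running `anonymous_reachable` over the full page registry in a test suite catches any page that becomes reachable without a session after setup has finished.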

Discovery

The vulnerability was identified by Horizon3.ai researchers who performed patch-diffing analysis on PaperCut's March 2023 update. Their technical write-up, published April 18, 2023, identified the SetupCompleted bypass and demonstrated unauthenticated RCE, triggering near-immediate exploitation by threat actors who had been monitoring for PaperCut security issues.

Exploitation Context

CVE-2023-27350 was exploited at scale by multiple ransomware groups within days of Horizon3.ai's disclosure:

Clop (Lace Tempest / TA505): Microsoft documented Clop operators exploiting PaperCut servers to deploy the TrueBot malware and ultimately Clop ransomware. Clop had been responsible for the simultaneous MOVEit campaign and actively sought enterprise file-handling software vulnerabilities.

LockBit: Also documented exploiting CVE-2023-27350 as an initial access vector, particularly against educational institutions where PaperCut is heavily deployed.

Universities were disproportionately affected — PaperCut has high penetration in higher education, and university IT environments often have limited 24/7 monitoring. Multiple universities disclosed incidents attributable to CVE-2023-27350 exploitation.

Remediation

  1. Upgrade PaperCut MF to version 22.0.9 or later; upgrade PaperCut NG to version 21.4.9 or later immediately.
  2. As an emergency workaround if patching cannot be done immediately: restrict external access to the PaperCut admin web interface to trusted internal IP ranges only — block ports 9191/9192 from internet-accessible networks.
  3. Check PaperCut application logs (applicationServer.log) for unauthorized access to /app or SetupCompleted endpoints from unexpected IPs, particularly around and after April 18, 2023.
  4. Look for evidence of script execution in PaperCut's scripting directories — unauthorized scripts in the PaperCut scripting paths indicate exploitation.
  5. Review the Windows system for post-exploitation indicators: new local admin accounts, TrueBot malware signatures, unexpected scheduled tasks, or lateral movement tools (Cobalt Strike, Mimikatz).
  6. Rotate all service account credentials used by PaperCut and review AD permissions for PaperCut service accounts.
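One way to carry out the log review in step 3, using the trusted-range idea from step 2. This is an added example, not a PaperCut tool: the log line layout, the trusted networks and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import date

# Assumptions (not PaperCut documentation): every line starts with a
# YYYY-MM-DD date and carries the client IPv4 address somewhere in its text.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
MARKERS = ("SetupCompleted", "/app")     # strings named in step 3
WRITEUP_DATE = date(2023, 4, 18)         # disclosure date given on this page
DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def is_trusted(ip_text):
    """True if ip_text parses as an address inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:                   # unparseable address: treat as untrusted
        return False
    return any(ip in net for net in TRUSTED_NETS)

def suspicious_lines(lines):
    """Return (line_no, ip, marker, on_or_after_writeup) per untrusted hit."""
    hits = []
    for no, line in enumerate(lines, 1):
        marker = next((m for m in MARKERS if m in line), None)
        if marker is None:
            continue
        m = DATE_RE.match(line)
        try:
            recent = bool(m) and date(*map(int, m.groups())) >= WRITEUP_DATE
        except ValueError:               # impossible calendar date in the line
            recent = False
        for ip in IP_RE.findall(line):
            if not is_trusted(ip):
                hits.append((no, ip, marker, recent))
    return hits

# Constructed sample lines, not real PaperCut log output.
SAMPLE = [
    "2023-04-12 09:14:02,113 INFO request /app page Dashboard from 10.20.3.15",
    "2023-04-19 02:41:55,870 INFO request /app page SetupCompleted from 203.0.113.44",
    "2023-04-19 02:42:10,004 INFO print job released by user jsmith from 203.0.113.44",
    "2023-04-20 08:00:31,500 INFO request /app page UserList from 192.168.4.7",
    "2023-03-30 23:10:00,000 INFO request /app page SetupCompleted from 198.51.100.9",
]

if __name__ == "__main__":
    for hit in suspicious_lines(SAMPLE):
        print(hit)
```

Hits dated before the write-up are still returned, with the last field set to False, so that earlier access is not silently dropped from the review.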

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2023-27350 |
| Vendor / Product | PaperCut — MF/NG |
| NVD Published | 2023-04-20 |
| NVD Last Modified | 2025-10-27 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-284 |
| CISA KEV Added | 2023-04-21 |
| CISA KEV Deadline | 2023-05-12 |
| Known Ransomware Use | Yes |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2023-05-12. Apply updates per vendor instructions.

Timeline

| Date | Event |
|---|---|
| 2023-03-08 | PaperCut releases versions 22.0.9 (MF) and 21.4.9 (NG) patching CVE-2023-27350 — issued quietly without CVE |
| 2023-04-18 | Horizon3.ai publishes technical analysis identifying the SetupCompleted authentication bypass and demonstrating unauthenticated RCE |
| 2023-04-19 | Exploitation begins almost immediately following Horizon3.ai disclosure |
| 2023-04-20 | CVE-2023-27350 formally published |
| 2023-04-21 | CISA adds to Known Exploited Vulnerabilities catalog — same day as KEV addition for CVE-2023-2136; PaperCut exploitation already widespread |
| 2023-04-26 | Microsoft documents Clop ransomware (Lace Tempest) actively exploiting CVE-2023-27350 for initial access |
| 2023-05-12 | CISA BOD 22-01 remediation deadline |

References

| Resource | Type |
|---|---|
| PaperCut Security Advisory — PO-1216 and PO-1219 | Vendor Advisory |
| NVD — CVE-2023-27350 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |