An exploit has been released for a critical vulnerability in the widely used print management software PaperCut, which is used by more than 700,000 organizations worldwide and has over 100 million installs. The vulnerability is tracked as CVE-2023-27350 and has a CVSS v3 severity score of 9.8 out of 10. The flaw can be exploited by a remote attacker to bypass authentication on affected installations of PaperCut and execute arbitrary code. A second vulnerability also exists which allows the theft of sensitive information such as usernames, full names, email addresses, and other data under certain conditions. The flaw is tracked as CVE-2023-27351 and has a CVSS severity score of 8.2.
PaperCut patched the vulnerabilities in March; however, patching has been slow. Huntress said around 1,000 of its customers have PaperCut installed, and despite the patch being available for a month, there are still around 900 servers with the vulnerable version of the software. For the flaw to be exploited, the software needs to be exposed to the Internet, which it often is. Exploiting the flaw involves adding malicious entries to a template printer script, which is present in default installations. Those entries disable security sandboxing, giving access to the Java runtime, which allows code to be executed remotely on the main server.
The flaw has already been exploited by a threat actor to install remote management software on unpatched servers. According to Huntress, after installing the remote management software, the threat actor deployed TrueBot malware, which is associated with the Silence threat group. The Silence group has links to the Clop ransomware group, and Clop used TrueBot in its attacks on Fortra’s GoAnywhere MFT solution, which resulted in data theft and the attempted extortion of 130 companies in January/February. Now that an exploit for the flaw is in the public domain, exploitation is expected to accelerate.
Organizations that use PaperCut are advised to update the software immediately to prevent exploitation. Both vulnerabilities have been addressed in PaperCut MF and NG versions 20.1.7, 21.2.11, and PaperCut version 22.0.9.
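For triaging an inventory against the fixed releases listed above, the following added example (not code from PaperCut or from this article) classifies each reported version by branch. The hostnames and version strings are constructed, and treating branches newer than 22.0.9 as patched is an assumption.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(20, 1): (20, 1, 7), (21, 2): (21, 2, 11), (22, 0): (22, 0, 9)}

def parse_version(text):
    """Extract (major, minor, patch) from a string such as '21.2.9 build 1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(version_text):
    """Return 'patched', 'vulnerable' or 'review' for one reported version."""
    version = parse_version(version_text)
    fixed = FIXED.get(version[:2])
    if fixed is not None:
        # Compare as integers: as strings, '21.2.9' would sort above '21.2.11'.
        return "patched" if version >= fixed else "vulnerable"
    if version > max(FIXED.values()):
        # Assumption: branches newer than 22.0.9 already include the fixes.
        return "patched"
    # The article names no fixed release for this branch; treat the host as
    # unpatched until it is checked against the vendor advisory.
    return "review"

def summarize(inventory):
    """Group hostnames by triage result; unparseable versions go to 'review'."""
    report = {"patched": [], "vulnerable": [], "review": []}
    for host, version_text in inventory.items():
        try:
            status = triage(version_text)
        except ValueError:
            status = "review"
        report[status].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}

# Constructed inventory: hostnames and version strings are made up.
INVENTORY = {
    "print01.example.internal": "22.0.8",
    "print02.example.internal": "21.2.9 build 1",
    "print03.example.internal": "20.1.7",
    "print04.example.internal": "19.2.7",
    "print05.example.internal": "unknown",
}

if __name__ == "__main__":
    for status, hosts in summarize(INVENTORY).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```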