Threat actors are actively exploiting critical vulnerabilities in the PaperCut MF/NG print management software. After successful exploitation, their aim is to install remote management software and take control of the affected systems.
The remote management software in question, Atera, is used by more than 70,000 companies globally and has over 100 million active users. The vulnerabilities affecting the PaperCut MF/NG print management software are tracked as CVE-2023-27350 and CVE-2023-27351.
Threat actors can exploit these vulnerabilities to gain unauthorized access to PaperCut servers and execute arbitrary code on them. The flaws can be exploited without user interaction, are relatively easy to carry out, and grant the attacker SYSTEM privileges.
Horizon3 has recently released technical details and a proof-of-concept (PoC) exploit for CVE-2023-27350. Attackers can leverage this exploit to bypass authentication and execute arbitrary code on PaperCut servers that have not been patched.
During the analysis, experts at Horizon3 identified a JAR containing the Setup Completed class at C:\Program Files\PaperCut NG\server\lib\pcng-server-web-19.2.7.jar.
In the Setup Completed flow, the anonymous user's session is unintentionally authenticated due to an error in the code, even though this flow is meant to be triggered only after a user's password has been validated through the login process. In web applications, this type of vulnerability is dubbed session puzzling.
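To make the session puzzling pattern concrete, the following Python model (an added example, not PaperCut's code or Horizon3's PoC; all names such as `Session`, `Server`, `setup_completed_vulnerable` and `setup_completed_hardened` are hypothetical) shows a first-run setup flow whose completion handler authenticates whichever session reaches it, next to a hardened handler that only accepts a session that actually started setup on a still-unconfigured server.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
import hashlib
import hmac
import secrets

# Constructed illustration of the "session puzzling" class: a state-changing
# handler (setup completed) and the login flow share one session object, and
# the handler assumes a precondition (the wizard ran) that it never verifies.
# Hypothetical names throughout; this is not PaperCut code.


@dataclass
class Session:
    sid: str
    authenticated: bool = False
    user: Optional[str] = None
    setup_in_progress: bool = False


@dataclass
class Server:
    setup_complete: bool = False
    # toy credential store: username -> sha256(password); a real app would use a slow KDF
    users: Dict[str, str] = field(default_factory=dict)


def _hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def login(server: Server, session: Session, username: str, password: str) -> bool:
    """The intended way for a session to become authenticated."""
    expected = server.users.get(username)
    if expected is None or not hmac.compare_digest(expected, _hash(password)):
        return False
    session.authenticated = True
    session.user = username
    return True


def begin_setup(server: Server, session: Session) -> bool:
    """The first-run wizard may only be started while the server is unconfigured."""
    if server.setup_complete:
        return False
    session.setup_in_progress = True
    return True


def setup_completed_vulnerable(server: Server, session: Session) -> bool:
    # Bug: trusts that whoever reaches this step came through the wizard,
    # so an anonymous session that calls it directly is authenticated as admin.
    server.setup_complete = True
    session.authenticated = True
    session.user = "admin"
    return True


def setup_completed_hardened(server: Server, session: Session) -> bool:
    # Fix: bind the completion step to the session that started setup, and
    # refuse once the server is configured, so the step cannot be replayed.
    if server.setup_complete or not session.setup_in_progress:
        return False
    server.setup_complete = True
    session.setup_in_progress = False
    session.authenticated = True
    session.user = "admin"
    return True


def anonymous_session_puzzling(handler: Callable[[Server, Session], bool]) -> bool:
    """Model the scenario from the article: a fresh anonymous session on an
    already-configured server calls the completion handler directly.
    Returns True if that session ended up authenticated (the bug), else False."""
    server = Server(setup_complete=True, users={"admin": _hash("correct horse")})
    anon = Session(sid=secrets.token_hex(8))
    handler(server, anon)
    return anon.authenticated


def legitimate_first_run() -> bool:
    """The hardened handler still works for the genuine wizard flow."""
    server = Server()
    wizard = Session(sid=secrets.token_hex(8))
    return begin_setup(server, wizard) and setup_completed_hardened(server, wizard)


if __name__ == "__main__":
    print("vulnerable handler authenticates anonymous session:",
          anonymous_session_puzzling(setup_completed_vulnerable))
    print("hardened handler authenticates anonymous session:",
          anonymous_session_puzzling(setup_completed_hardened))
    print("hardened handler accepts the real wizard flow:", legitimate_first_run())
```

The design point is that every handler which upgrades a session's privilege must check its own preconditions on the session and server state rather than assuming the caller arrived through the intended sequence of pages.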
A search in the Shodan search engine shows 1700 PaperCut servers exposed to the internet. PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9, and later releases, address both vulnerabilities. It is recommended to upgrade to the latest version.