June 6, 2023

Researchers have found a method to exploit a recently disclosed critical flaw in PaperCut servers in a manner that bypasses all current detections.

Tracked as CVE-2023-27350, the vulnerability affects PaperCut MF and NG installations and could be exploited by an unauthenticated attacker to execute arbitrary code with SYSTEM privileges.

The flaw was patched in March 2023. The first signs of active exploitation emerged on April 13, 2023. Earlier, researchers from Horizon3.ai published a post with a PoC exploit.


VulnCheck has published a new proof-of-concept exploit that sidesteps existing detection signatures by leveraging the fact that PaperCut NG and MF offer multiple paths to code execution.

The public exploits for the flaw use the PaperCut printer scripting interface to either execute Windows commands or drop a malicious JAR file. Both approaches leave distinct footprints in the Windows System Monitor service and the server’s log file.

The new exploit abuses the print management software’s “User/Group Sync” feature, which makes it possible to synchronize user and group information from Active Directory, LDAP, or a custom source.

The PoC exploit depends on the authentication method, which is set as:

  • “/usr/sbin/python3” for Linux
  • “C:\Windows\System32\ftp.exe” for Windows.

All an attacker then needs to execute arbitrary code is to provide a malicious username and password during a login attempt.

The attack method could be exploited to launch a Python reverse shell on Linux or download a custom reverse shell hosted on a remote server on Windows without activating any of the known detections.

Attackers learn from defenders’ public detections, so it’s the defenders’ responsibility to produce robust detections that aren’t easily bypassed.
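The point about brittle signatures, as an added example (not code from VulnCheck or PaperCut): a denylist of the child processes seen in the first public exploits misses the `ftp.exe` and `python3` children described above, while a rule that flags any non-baselined child of the PaperCut server catches them. The parent image name `pc-app`, the allowlisted helper, the install paths and every event below are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumption: image name of the PaperCut application server process.
PAPERCUT_PARENTS = {"pc-app.exe", "pc-app"}
# Brittle rule: only the children seen in the first public exploits.
DENYLIST = {"cmd.exe", "powershell.exe"}
# Robust rule: children this deployment is expected to spawn.
# Hypothetical baseline; build the real one from your own telemetry.
ALLOWLIST = {"example-sync-helper.exe"}

# Constructed process-creation events (parent image, child image).
EVENTS = [
    (r"C:\PaperCut\pc-app.exe", r"C:\Windows\System32\cmd.exe"),
    (r"C:\PaperCut\pc-app.exe", r"C:\Windows\System32\ftp.exe"),
    ("/opt/papercut/pc-app", "/usr/sbin/python3"),
    (r"C:\PaperCut\pc-app.exe", r"C:\PaperCut\example-sync-helper.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\ftp.exe"),
]

def image_name(path):
    # PureWindowsPath splits on both "\" and "/", so it covers both OSes.
    return PureWindowsPath(path).name.lower()

def from_papercut(parent):
    return image_name(parent) in PAPERCUT_PARENTS

def brittle_hits(events):
    """Alert only when the child is a known-bad image name."""
    return [c for p, c in events
            if from_papercut(p) and image_name(c) in DENYLIST]

def robust_hits(events, allowlist=ALLOWLIST):
    """Alert on any child of the PaperCut server that is not baselined."""
    return [c for p, c in events
            if from_papercut(p) and image_name(c) not in allowlist]

if __name__ == "__main__":
    print("denylist rule :", brittle_hits(EVENTS))
    print("allowlist rule:", robust_hits(EVENTS))
```

The allowlist rule costs an initial baselining pass, but it does not depend on knowing which binary an attacker will choose.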
