Exploit released for 9.8-severity PaperCut flaw already under attack



Exploit code for a critical printer software vulnerability became publicly available on Monday in a release that may exacerbate the threat of malware attacks that have already been underway for the past five days.

The vulnerability resides in print management software known as PaperCut, which the company’s website says has more than 100 million users from 70,000 organizations. When this post went live, the Shodan search engine showed that close to 1,700 instances of the software were exposed to the Internet.

World map showing locations of PaperCut installations.

Last Wednesday, PaperCut warned that a critical vulnerability it patched in the software in March was under active attack against machines that had yet to install the March update. The vulnerability, tracked as CVE-2023-27350, carries a severity rating of 9.8 out of a possible 10. It allows an unauthenticated attacker to remotely execute malicious code without needing to log in or provide a password. A related vulnerability, tracked as CVE-2023-27351 with a severity rating of 8.2, allows unauthenticated attackers to extract usernames, full names, email addresses, and other potentially sensitive data from unpatched servers.

Two days after PaperCut revealed the attacks, security firm Huntress reported that it found threat actors exploiting CVE-2023-27350 to install two pieces of remote management software—one known as Atera and the other Syncro—on unpatched servers. Evidence then showed that the threat actor used the remote management software to install malware known as Truebot. Truebot is linked to a threat group known as Silence, which has ties with the ransomware group known as Clop. Previously, Clop used Truebot in in-the-wild attacks that exploited a critical vulnerability in software known as GoAnywhere.

analysis of the vulnerabilities, along with proof-of-concept exploit code for the more severe one. Similar to the PoC exploit described by Huntress, it uses the authentication bypass vulnerability to tamper with the built-in scripting functionality and execute code.

On Friday, Huntress reported there were roughly 1,000 Windows machines with PaperCut installed in the customer environments it protects. Of those, roughly 900 remained unpatched. Of the three macOS machines it monitored, only one was patched. Assuming the numbers are representative of PaperCut’s larger install base, the Huntress data suggests that thousands of servers remain under threat of being exploited. As noted earlier, close to 1,700 servers are easy to find exposed to the Internet. Additional sleuthing might be able to find more still.

Any organization using PaperCut should ensure it’s using PaperCut MF and NG versions 20.1.7, 21.2.11, and 22.0.9. PaperCut and Huntress also provide workarounds for organizations that aren’t able to update right away. Huntress and Horizon3 also provide indicators PaperCut users can check to determine if they have been exposed to exploits.
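As an added example (not PaperCut's, Huntress's or Horizon3's code), the Python script below triages an inventory of PaperCut version strings against the fixed releases named above, branch by branch, so an administrator can see which servers still need the update. It assumes version strings may carry trailing build text, and it makes no claim about branches the article does not list.

```python
import re

# Fixed release per major branch, as listed in the article (CVE-2023-27350).
FIXED = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first major.minor.patch triple from a version string.

    Assumption (not stated on the page): the string may carry trailing text
    such as a build number, e.g. '21.2.10 (build 12345)', which is ignored.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no major.minor.patch version in {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(version_text):
    """Return 'patched', 'vulnerable' or 'unlisted' for one version string.

    'unlisted' means the major branch has no fixed release named in the
    article, so no claim is made; check it against the vendor advisory.
    """
    version = parse_version(version_text)
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "unlisted"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """Group a {hostname: version_string} inventory by patch status."""
    groups = {"patched": [], "vulnerable": [], "unlisted": []}
    for host, version_text in sorted(inventory.items()):
        groups[classify(version_text)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"print-01": "22.0.9", "print-02": "21.2.10 (build 12345)",
              "print-03": "20.1.7", "print-04": "19.2.3"}
    for status, hosts in triage(sample).items():
        print(f"{status:>10}: {', '.join(hosts) or '-'}")
```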
