SafeBreach Coverage for US-CERT Alert (AA23-131A) – Exploit CVE-2023-27350 in PaperCut MF and NG

May 12, 2023



Author: Kaustubh Jagtap, Product Marketing Director, SafeBreach

On May 11th, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released an advisory highlighting the active malicious exploitation of CVE-2023-27350 in PaperCut MF and PaperCut NG software by threat actors, including one known as the Bl00dy Ransomware Gang. The US-CERT Alert (AA23-131A) Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG includes detailed information about this investigation (along with attacker TTPs and IOCs).

According to the advisory, attackers began exploiting the vulnerability in mid-April 2023. The vulnerability allows an unauthenticated actor to execute malicious code remotely without credentials. The FBI also highlighted that in May 2023, a threat actor known as the Bl00dy Ransomware Gang attempted to exploit vulnerable PaperCut servers in the Education facilities sub-vertical.


Technical Details about CVE-2023-27350


This vulnerability allows a remote actor to bypass authentication and conduct remote code execution on the following affected installations of PaperCut:


  • Version 8.0.0 to 19.2.7

  • Version 20.0.0 to 20.1.6

  • Version 21.0.0 to 21.2.10

  • Version 22.0.0 to 22.0.8

PaperCut servers vulnerable to CVE-2023-27350 implement improper access controls in the SetupCompleted Java class, allowing malicious actors to bypass user authentication and access the server as an administrator. After accessing the server, actors can leverage existing PaperCut software features for remote code execution (RCE).
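
The affected version ranges listed above can be checked against an asset inventory. The following is an added example, not code from the advisory, SafeBreach or PaperCut; the hostnames, the sample version strings and the "(Build ...)" suffix format are constructed assumptions. It compares version components numerically, because a plain string comparison would sort 21.2.10 before 21.2.9 and miss the top of a range.

```python
import re

# Affected ranges exactly as listed in the article (inclusive on both ends).
AFFECTED_RANGES = [
    ("8.0.0", "19.2.7"),
    ("20.0.0", "20.1.6"),
    ("21.0.0", "21.2.10"),
    ("22.0.0", "22.0.8"),
]

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if text is not a version.

    Components are compared numerically, so 21.2.10 sorts after 21.2.9.
    Trailing build text is ignored; a missing patch component is treated
    as 0 (an assumption of this example).
    """
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def in_affected_range(version_text):
    """True/False if parseable, None if the version string cannot be parsed."""
    v = parse_version(version_text)
    if v is None:
        return None
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Map host -> 'affected' | 'not in listed ranges' | 'unknown version'."""
    labels = {True: "affected", False: "not in listed ranges", None: "unknown version"}
    return {host: labels[in_affected_range(ver)] for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE_INVENTORY = {
    "print01.example.internal": "21.2.10",
    "print02.example.internal": "21.2.11 (Build 00000)",
    "print03.example.internal": "19.2.7",
    "print04.example.internal": "22.0.9",
    "print05.example.internal": "unknown",
}
```

Calling `triage(SAMPLE_INVENTORY)` returns a per-host status. Hosts reported as "unknown version" need manual follow-up, not an assumption that they are unaffected.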


    According to the advisory, there are currently two publicly known proofs of concept (others may be developed) for achieving RCE in vulnerable Pape ..
