CVE-2023-27351

PaperCut NG/MF — Pre-Auth Authentication Bypass via SecurityRequestFilter Enabling Information Disclosure
CVSS 3.1: 7.5 / 10 (HIGH) — CISA Known Exploited Vulnerability

What is PaperCut?

PaperCut NG and PaperCut MF are widely deployed print management platforms used by universities, schools, hospitals, law firms, and enterprises worldwide to track, control, and charge for print jobs. The Application Server web interface — exposed on TCP port 9191/9192 — is the central management console where administrators configure printers, manage user accounts, and enforce print policies. Because PaperCut typically has access to user directory data (Active Directory, LDAP, Google Workspace, Microsoft 365), its database is a valuable reconnaissance target: it stores usernames, email addresses, office/department details, card numbers, and internal password hashes.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 20, 2026 with a remediation deadline of May 4, 2026. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2023-27351 is a pre-authentication information disclosure vulnerability in PaperCut NG and MF. The flaw exists within the SecurityRequestFilter class, which is responsible for enforcing authentication on incoming HTTP requests. Due to an improper implementation of the authentication algorithm (CWE-287), an unauthenticated remote attacker can bypass authentication checks and access protected API endpoints that expose sensitive user data.

This vulnerability was disclosed simultaneously with the far more severe CVE-2023-27350 (CVSS 9.8 — unauthenticated remote code execution), which overshadowed CVE-2023-27351 in initial coverage. Both were reported through Trend Micro's Zero Day Initiative (ZDI) program. PaperCut patched both vulnerabilities in early March 2023 before public disclosure.

Affected Versions

Status       PaperCut MF/NG Version Range
Vulnerable   15.0.0 – 19.2.7
Vulnerable   20.0.0 – 20.1.6
Vulnerable   21.0.0 – 21.2.10
Vulnerable   22.0.0 – 22.0.8
Fixed        20.1.7, 21.2.11, 22.0.9 and later

Versions prior to 15.0 are not affected by CVE-2023-27351 specifically (though they may be affected by CVE-2023-27350).

Technical Details

The vulnerability exists in the SecurityRequestFilter class, the HTTP request filter that controls authentication enforcement in PaperCut's web application. The filter is responsible for evaluating whether an incoming request is exempt from authentication (e.g., public assets) or requires a valid session.

The root cause is an improper implementation of the authentication decision algorithm — under certain conditions, the filter incorrectly classifies requests as unauthenticated-exempt, bypassing session checks entirely. No authentication token, cookie, or credential is needed; a specially crafted HTTP request directly reaches protected API endpoints.

What an attacker can retrieve without authentication:

  • Usernames and full names from the user database
  • Email addresses
  • Office and department information
  • Card numbers (used for physical card-swipe printing)
  • Hashed passwords for internal PaperCut-created users (not for directory-synced accounts from AD/Microsoft 365/Google Workspace)

This data is useful for reconnaissance, phishing, lateral movement, and — if weak password hashes are cracked — credential reuse attacks.

Attack characteristics:

  • Authentication required: None
  • Attack complexity: Low
  • Network-accessible: Yes (port 9191/9192)
  • User interaction: None

Discovery

CVE-2023-27351 was discovered and reported through the Trend Micro Zero Day Initiative (ZDI) program under tracking number ZDI-CAN-19226 (published as ZDI-23-232). PaperCut received the report via ZDI and patched the vulnerability in early March 2023, approximately six weeks before ZDI published its advisory.

Exploitation Context

CVE-2023-27351 was added to CISA's KEV catalog in April 2026, over three years after its original disclosure. This delayed KEV listing indicates that exploitation was confirmed recently — likely in opportunistic attacks targeting unpatched legacy installations of PaperCut.

The companion vulnerability, CVE-2023-27350 (CVSS 9.8), saw immediate widespread exploitation starting April 14, 2023 — the same day ZDI published its advisory. Nation-state and ransomware actors rapidly developed working exploits for CVE-2023-27350, with multiple threat actor groups deploying tools including Cobalt Strike, DiceLoader, and TrueBot via unpatched PaperCut servers. The KEV listing of CVE-2023-27351 suggests it is now being used alongside or independently of CVE-2023-27350 in ongoing campaigns.

Its EPSS score is 0.877 (87.7th percentile), reflecting a high likelihood of exploitation.

Remediation

CISA BOD 22-01 Deadline: May 4, 2026. Federal agencies must apply mitigations. All organizations should treat this as urgent given the companion CVE-2023-27350 exploitation history.
  1. Upgrade PaperCut MF or NG to version 22.0.9, 21.2.11, or 20.1.7 or any later release. Patched versions have been available since March 8, 2023.
  2. If immediate patching is not possible, restrict network access to the PaperCut Application Server (ports 9191/9192) to only trusted administrator IP addresses via firewall or network ACL.
  3. Audit your PaperCut version — check via the web admin console at http://<server>:9191/app. Versions 20.1.7, 21.2.11, 22.0.9 and later are fixed; any other version from 15.0.0 upward is vulnerable.
  4. Review PaperCut Application Server logs for unexpected unauthenticated API requests targeting user data endpoints.
  5. Consider whether user data exported from PaperCut (emails, usernames, card numbers) should be treated as potentially compromised if you were running a vulnerable version during the exposure window.
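As an added example (not PaperCut's own tooling) supporting steps 1 and 3 above and the Affected Versions table: a small Python helper that classifies collected version strings against the ranges in this advisory. The inventory and the "Version X (Build N)" string shape are constructed, and, conservatively, every 15.x to 19.x release is treated as vulnerable because the table lists no fixed release in those branches.

```python
# Added example (not PaperCut's own code): classify a PaperCut NG/MF version
# string against the affected and fixed releases listed in this advisory.
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per supported branch, from the Affected Versions table.
FIRST_FIXED = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}
NEWEST_FIXED = (22, 0, 9)    # newest fixed release named in the advisory
FIRST_AFFECTED = (15, 0, 0)  # 15.0.0 - 19.2.7 have no in-branch fix

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_version(text: str) -> Version:
    """Extract MAJOR.MINOR.PATCH from strings such as '22.0.8' or
    'Version 22.0.8 (Build 12345)' (the latter shape is a constructed sample)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no MAJOR.MINOR.PATCH found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))

def assess(text: str) -> Tuple[str, Optional[Version]]:
    """Return (status, upgrade_target): status is 'not affected', 'vulnerable'
    or 'fixed'; upgrade_target is the minimum release to move to, else None."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return "not affected", None            # pre-15.0, per the advisory
    if v[0] in FIRST_FIXED:
        fixed = FIRST_FIXED[v[0]]
        return ("fixed", None) if v >= fixed else ("vulnerable", fixed)
    if v[0] > max(FIRST_FIXED):
        return "fixed", None                   # "22.0.9 and later"
    # 15.x - 19.x: no in-branch fix exists, so move to a fixed branch.
    return "vulnerable", NEWEST_FIXED

def fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)

if __name__ == "__main__":
    # Constructed inventory of version strings as an admin might collect them.
    inventory = {
        "print-srv-01": "Version 22.0.8 (Build 12345)",
        "print-srv-02": "22.0.9",
        "print-srv-03": "19.2.7",
        "print-srv-04": "14.3.2",
    }
    for host, raw in inventory.items():
        status, target = assess(raw)
        hint = f" -> upgrade to {fmt(target)} or later" if target else ""
        print(f"{host}: {raw} is {status}{hint}")
```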

Key Details

Property              Value
CVE ID                CVE-2023-27351
Vendor / Product      PaperCut — NG/MF
NVD Published         2023-04-20
NVD Last Modified     2026-04-21
CVSS 3.1 Score        7.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity              HIGH
CWE                   CWE-287 — Improper Authentication
CISA KEV Added        2026-04-20
CISA KEV Deadline     2026-05-04
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            None
Availability:         None

Required Action

CISA BOD 22-01 Deadline: 2026-05-04. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2023-03-08   PaperCut releases patched versions 20.1.7, 21.2.11, and 22.0.9 (fixes CVE-2023-27351 and CVE-2023-27350)
2023-04-14   Active exploitation of companion vulnerability CVE-2023-27350 begins in the wild
2023-04-19   Trend Micro Zero Day Initiative publishes ZDI-23-232 advisory for CVE-2023-27351
2023-04-20   CVE-2023-27351 published on NVD; PaperCut publishes urgent security bulletin
2023-04-25   Public proof-of-concept exploit code circulates for related CVE-2023-27350
2026-04-20   Added to CISA Known Exploited Vulnerabilities catalog with confirmed exploitation
2026-05-04   CISA BOD 22-01 remediation deadline