PaperCut NG/MF SecurityRequestFilter Authentication Bypass (CVE-2023-27351)
Severity Assessment
- Exploitability: 8.5/10
- Impact: 6/10
- Weaponization Risk: 7.5/10
- Patch Urgency: 8/10
- Detection Coverage: 5.5/10
Summary
CVE-2023-27351 is an improper authentication vulnerability in the SecurityRequestFilter class of PaperCut NG and PaperCut MF print management software. A remote, unauthenticated attacker can bypass authentication controls on the PaperCut web management interface to access user account data — including usernames, email addresses, card numbers linked to user accounts, and hashed passwords for internally created PaperCut accounts.
PaperCut disclosed and patched the vulnerability in April 2023 as part of advisory PO-1216, simultaneously with the higher-severity CVE-2023-27350 (unauthenticated remote code execution). Despite patch availability since 2023, CISA added CVE-2023-27351 to the Known Exploited Vulnerabilities catalog on April 20, 2026, confirming continued active exploitation. The required action deadline for U.S. federal civilian agencies was May 4, 2026.
PaperCut NG and PaperCut MF are widely deployed in enterprise, education, and government environments, making unpatched instances a persistent target for credential harvesting and follow-on exploitation.
Exploit Chain
CVE-2023-27351 exploits a flaw in the request filtering logic used to enforce authentication on the PaperCut web management interface. No authentication is required and no user interaction is needed.
Stage 1: Target Identification
The attacker identifies an internet-exposed PaperCut NG or PaperCut MF management interface (typically accessible on port 9191 or 443).
Stage 2: Authentication Bypass
The attacker sends a crafted HTTP request to a protected endpoint while manipulating headers or request parameters in a way that causes the SecurityRequestFilter class to incorrectly evaluate the authentication state as satisfied.
Stage 3: Information Disclosure
The server grants access to the protected endpoint without verifying credentials, returning user account data including usernames, email addresses, card numbers, and hashed passwords.
Stage 4: Follow-on Exploitation
The attacker uses harvested credentials and PII for follow-on attacks: credential stuffing, phishing, or leveraging the same access to exploit the higher-severity CVE-2023-27350 for remote code execution. CVE-2023-27351 is frequently considered alongside CVE-2023-27350 — both were disclosed and patched simultaneously in PaperCut advisory PO-1216.
Detection Guidance
- Update PaperCut MF/NG to version 20.1.7, 21.2.11, 22.0.9, or later; patches have been available since April 2023.
- Review PaperCut access logs for unauthenticated requests to management interface endpoints that returned HTTP 200 responses, particularly requests not associated with known administrative IP addresses.
- Audit all internal PaperCut user accounts; rotate passwords for internal accounts and treat any leaked hashed passwords as compromised.
- Restrict PaperCut management interface exposure: block external access to port 9191 and the management interface path at the network perimeter.
- Check whether CVE-2023-27350 exploitation indicators are present on the same host; both vulnerabilities were disclosed simultaneously and may be targeted together.
- Alert on anomalous authentication patterns in PaperCut audit logs, including access events without corresponding login sequences.
- Review downstream systems for unauthorized access using credentials that match PaperCut user accounts, particularly email and internal accounts.
Indicators of Compromise
Indicators consistent with CVE-2023-27351 exploitation include:
- HTTP requests to PaperCut management endpoints from external IP addresses returning status 200 without a preceding valid authentication exchange.
- Unexpected reads of user account data (user listings, email exports, card number lookups) in PaperCut audit logs.
- Credential stuffing or login attempts against internal systems using email addresses or usernames harvested from PaperCut.
- Exploitation indicators for CVE-2023-27350 on the same PaperCut host (both vulnerabilities were patched together in advisory PO-1216).
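The access-log review described under Detection Guidance and the first indicator above can be automated. The following is an added example, not code from PaperCut or from the sources cited here. It assumes combined-format access logs from a reverse proxy in front of the server; the path prefixes, login path, login success status, and admin network are placeholders to replace with your own values.

```python
import ipaddress
import re

# Site-specific assumptions, not taken from the advisory: replace with your values.
MGMT_PREFIXES = ("/mgmt-placeholder/",)   # protected management paths
LOGIN_PATH = "/login-placeholder"          # where credentials are submitted
LOGIN_OK_STATUS = {302}                    # status your login returns on success
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Combined log format, as written by a reverse proxy in front of the server.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_suspect_requests(lines):
    """Return (ip, timestamp, path) for each 200 on a management path from a
    non-admin address that had no earlier successful login in the log."""
    logged_in, hits = set(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is not an IP address
        path, status = m["path"].split("?", 1)[0], int(m["status"])
        if m["method"] == "POST" and path == LOGIN_PATH and status in LOGIN_OK_STATUS:
            logged_in.add(addr)
        elif (status == 200 and path.startswith(MGMT_PREFIXES)
              and addr not in logged_in
              and not any(addr in net for net in ADMIN_NETS)):
            hits.append((str(addr), m["ts"], path))
    return hits

# Constructed sample log (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '10.20.0.5 - - [20/Apr/2026:09:00:01 +0000] "GET /mgmt-placeholder/users HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Apr/2026:09:01:10 +0000] "POST /login-placeholder HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Apr/2026:09:01:12 +0000] "GET /mgmt-placeholder/users HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [20/Apr/2026:09:02:30 +0000] "GET /mgmt-placeholder/users?page=2 HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.44 - - [20/Apr/2026:09:02:31 +0000] "GET /mgmt-placeholder/cards HTTP/1.1" 401 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print("suspect:", *hit)
```

Keying login state on source address is a coarse approximation; clients behind shared NAT or a proxy need a session identifier from the log instead.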
Disclosure Timeline
2023-04-19 — Vendor patch and advisory published
PaperCut published security advisory PO-1216 disclosing CVE-2023-27351 alongside the higher-severity CVE-2023-27350. Patches were released for PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, 22.0.9, and later.
2026-04-20 — CISA KEV listing
CISA added CVE-2023-27351 to the Known Exploited Vulnerabilities catalog as part of an eight-vulnerability batch, confirming continued exploitation of unpatched PaperCut deployments years after the original patch release. The required remediation deadline was May 4, 2026.
Sources & References
- PaperCut: Security Advisory PO-1216 and PO-1219 — PaperCut, 2023-04-19
- National Vulnerability Database: CVE-2023-27351 — National Vulnerability Database, 2023-04-19
- CISA: Known Exploited Vulnerabilities Catalog — CVE-2023-27351 — CISA, 2026-04-20
- The Hacker News: CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines — The Hacker News, 2026-04-20