Print management software is not the first place most teams look for a critical vulnerability, which is part of why CVE-2023-27350 was so effective. It is an authentication bypass in PaperCut MF and NG, deployed across universities, hospitals, and enterprises worldwide, and it lets an unauthenticated attacker log in as administrator and run code on the server. The NVD rates it CVSS 3.1 9.8 (Critical), and by mid-2023 it was being used to deliver ransomware.
ID and severity
CVE-2023-27350 is an improper access control flaw in the PaperCut MF and NG application server. The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, trivial to exploit, and requiring no authentication or interaction while fully compromising the host. A companion flaw, CVE-2023-27351, is an information disclosure issue in the same product. The access-control bypass is the dangerous one because it opens the door to code execution.
Timeline and impact
Trend Micro's Zero Day Initiative reported the vulnerability to PaperCut on January 10, 2023. PaperCut released fixed builds on March 8, 2023. Exploitation in the wild began roughly a month later; PaperCut's own investigation placed the earliest suspicious activity around April 14, 2023. CISA added CVE-2023-27350 to its Known Exploited Vulnerabilities catalog on April 21, 2023.
In early May 2023, CISA and the FBI published joint advisory AA23-131A describing a group calling itself the Bl00dy Ransomware Gang exploiting vulnerable PaperCut servers against the education sector. Other operators, including actors associated with Cl0p and LockBit, were also observed leveraging PaperCut for initial access. Because print servers frequently sit inside trusted network zones with broad internal reach, a compromised PaperCut host is an excellent pivot point.
Root cause
The bypass lives in the PaperCut setup wizard. The application uses a server-side component that tracks whether initial setup has completed, backed by a class the reporting researchers referenced as SetupCompleted. Certain administrative pages, including the setup flow, did not properly enforce that the user was authenticated before granting access.
By navigating directly to the setup-completed page, an attacker could obtain an authenticated administrative session without ever supplying valid credentials. Once inside the admin console, code execution follows from a legitimate feature: PaperCut supports server-side "print scripts" and user or group synchronization hooks that run custom commands. An attacker with admin rights simply enables scripting and defines a script (or points a sync hook at a command interpreter) that executes the payload of their choice. The illustration in one line: reach the admin console without a password, then abuse a built-in scripting feature to run operating-system commands.
This is the recurring shape of appliance and application compromises: a missing authorization check upstream, followed by a powerful post-authentication feature that was never meant to be reachable by an anonymous attacker.
Detection
- Inventory PaperCut MF and NG application servers and site servers, and record exact versions. Version 8.0 and later are affected until patched.
- Determine which servers are reachable from untrusted networks. Internet-exposed print servers are the highest priority.
- Review the PaperCut server logs and admin audit trail for unexpected logins, newly enabled scripting, or modified user or group sync settings around and after April 2023.
- Look for child processes spawned by the PaperCut service, unexpected outbound connections, and dropped files consistent with the AA23-131A indicators.
Remediation and patched versions
Upgrade to a fixed PaperCut release: MF and NG versions 20.1.7, 21.2.11, or 22.0.9 and later resolve both CVE-2023-27350 and CVE-2023-27351. This is the authoritative fix.
If you cannot patch immediately, PaperCut published interim mitigations:
- Restrict inbound access to the web management port so only trusted hosts can reach it.
- Apply an "allowed device or network" configuration to block connections from unknown addresses.
- Never expose the PaperCut admin interface to the public internet.
After patching, treat any previously exposed server as potentially compromised and investigate before trusting it again.
How Safeguard helps
PaperCut is packaged software running on servers you control, so keeping an accurate inventory of what version is deployed where is the whole game. Safeguard's software composition analysis tracks the components in your build and deployment artifacts and correlates them against CISA KEV so a known-exploited flaw like CVE-2023-27350 is ranked at the top rather than buried. The Safeguard CLI lets you gate CI/CD pipelines on those findings, blocking a release that carries a component on the KEV list. When an advisory breaks, Griffin AI summarizes the exposure, the affected versions, and the fix path in plain language so responders lose less time reading advisories. Teams sizing this up for their estate can review options on the pricing page.
Knowing which build you run, the day the advisory drops, is what turns a fire drill into a routine upgrade. Get started free or read the documentation.
Frequently Asked Questions
What is CVE-2023-27350?
It is an improper access control (authentication bypass) vulnerability in PaperCut MF and NG that lets an unauthenticated attacker reach the administrative console and then achieve remote code execution through PaperCut's built-in scripting features. It is rated CVSS 9.8 (Critical).
Which PaperCut versions are affected and which are patched?
PaperCut MF and NG version 8.0 and later are affected. The vulnerability is fixed in versions 20.1.7, 21.2.11, and 22.0.9 and later, which also address the related information disclosure flaw CVE-2023-27351.
Was CVE-2023-27350 used in ransomware attacks?
Yes. CISA and the FBI documented the Bl00dy Ransomware Gang exploiting PaperCut against the education sector in a May 2023 joint advisory, and actors linked to Cl0p and LockBit also leveraged it. It was added to the CISA Known Exploited Vulnerabilities catalog on April 21, 2023.
How can I mitigate if I cannot patch right away?
Restrict access to the PaperCut web management interface so only trusted hosts and networks can reach it, apply PaperCut's allowed-network configuration, and ensure the admin interface is never exposed to the internet. These reduce exposure, but upgrading to a patched release is the only complete remediation.