Vulnerability Analysis

PaperCut CVE-2023-27350: When Print Management Software Becomes a Ransomware Gateway

CVE-2023-27350 in PaperCut NG/MF allowed unauthenticated RCE through the print management server. Cl0p and LockBit ransomware groups jumped on it within days.

Nayan Dey
Security Analyst
6 min read

In April 2023, PaperCut confirmed in-the-wild exploitation of CVE-2023-27350, a critical unauthenticated remote code execution vulnerability in PaperCut NG and PaperCut MF, its widely used print management products. Within days, the Cl0p-affiliated actor Microsoft tracks as Lace Tempest and LockBit affiliates were exploiting it. The flaw is an authentication bypass: the SetupCompleted page of the first-run setup wizard could be requested directly without credentials and handed out an administrator session, and from the admin console an attacker could use PaperCut's built-in scripting engine to run arbitrary code on the server. The vulnerability scored a CVSS of 9.8, and for the thousands of organizations running PaperCut, the print server suddenly became the most dangerous machine on the network.

What PaperCut Does

PaperCut NG and MF are print management solutions used by over 100 million users across 70,000+ organizations globally. They manage print quotas, track printing costs, enforce print policies, and provide secure printing workflows. PaperCut is particularly prevalent in:

  • Educational institutions (universities, schools, libraries)
  • Healthcare organizations
  • Government agencies
  • Large enterprises managing distributed print fleets

The PaperCut server typically runs on Windows, connects to Active Directory for user authentication, and has network access to all managed printers. It's a centralized management point with elevated privileges.

The Vulnerability

CVE-2023-27350 is an authentication bypass in the PaperCut application server. The vulnerability exists in the SetupCompleted Java class, which backs the final page of the initial setup wizard. Due to improper access control, the page did not check whether setup had already been completed or whether the caller was authenticated: an unauthenticated attacker could request it directly, even on a fully configured server, and come away with a session that carried administrator rights.

Through the setup wizard, the attacker could:

  1. Access the administration console without credentials
  2. Modify server settings
  3. Use the built-in scripting interface to execute arbitrary code

PaperCut includes a scripting engine that lets administrators attach server-side scripts, written in JavaScript, to printers and devices for automation and customization (print scripts and device scripts). Scripting is disabled by default and runs sandboxed, but both settings are controlled from the same admin console the bypass exposed: once scripting is enabled and the sandbox turned off, a script can reach the underlying Java runtime and spawn operating-system commands. This is a legitimate feature for an administrator; when an unauthenticated attacker holds an admin session, it's a direct path to code execution.

The exploit was a simple sequence of HTTP requests. No buffer overflows, no memory corruption, no complex chaining. Just an access control flaw that exposed administrative functionality.

Rapid Weaponization

The timeline from disclosure to mass exploitation was alarmingly short:

March 8, 2023: PaperCut releases fixed versions (20.1.7, 21.2.11, 22.0.9) and publishes its security advisory.

April 13-14, 2023: Earliest exploitation activity, as later identified in PaperCut's advisory update and Microsoft's reporting.

April 19, 2023: PaperCut updates the advisory to confirm active exploitation and urges customers to upgrade immediately.

April 21, 2023: CISA adds CVE-2023-27350 to its Known Exploited Vulnerabilities catalog.

April 21-23, 2023: Technical analyses and proof-of-concept exploits are published (Huntress, Horizon3).

April 26, 2023: Microsoft attributes the Cl0p-related exploitation to Lace Tempest (DEV-0950, overlapping with FIN11 and TA505), reporting activity since April 13, and also reports LockBit ransomware being deployed through PaperCut intrusions.

Within a week of PaperCut confirming exploitation, two of the most prolific ransomware operations in the world had integrated the exploit into their toolkits.

The Cl0p Campaign

Lace Tempest's exploitation of CVE-2023-27350 to deliver Cl0p ransomware followed a pattern consistent with Cl0p's previous campaigns (including the Accellion FTA and GoAnywhere MFT breaches):

  1. Initial access: Exploit CVE-2023-27350 to access the PaperCut administration console
  2. Code execution: Use the scripting engine to deploy a PowerShell-based downloader
  3. Malware deployment: Download and execute TrueBot malware, a loader associated with the Silence cybercrime group (which has close ties to Cl0p)
  4. Cobalt Strike deployment: TrueBot deploys Cobalt Strike beacons for command-and-control
  5. Data exfiltration: Using MegaSync and other tools, exfiltrate sensitive data
  6. Ransomware deployment: Deploy Cl0p ransomware across the network

The PaperCut server's Active Directory integration and privileged network access made it an ideal entry point. Credentials harvested from the PaperCut server could be used to move laterally to domain controllers and file servers.

The LockBit Angle

LockBit affiliates used a similar approach but with different post-exploitation tools:

  1. Access PaperCut via CVE-2023-27350
  2. Deploy PowerShell commands to download additional payloads
  3. Use PaperCut's network position to enumerate the internal network
  4. Deploy LockBit ransomware across accessible systems

The involvement of multiple ransomware groups highlighted the broad appeal of the vulnerability. PaperCut servers provided reliable initial access to enterprise networks with minimal effort.
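Both chains above start the same way on the host: the PaperCut application server process runs an attacker-supplied script, which spawns a shell to pull down the next stage. That makes the intrusion detectable from ordinary telemetry even before the ransomware lands. The script below is an added example, not PaperCut's tooling or the page author's code; it runs three checks over constructed sample telemetry embedded inline (Sysmon-style process and network events as JSON lines, and simplified PaperCut server.log lines whose exact format is an assumption): the PaperCut server process pc-app.exe spawning a shell, the SetupCompleted page being served, the two scripting config keys being unlocked, and pc-app.exe connecting outside the internal address ranges. It also covers the monitoring point made under the lessons further down, since a print server's expected peers are known in advance.

```python
"""Detection checks for the CVE-2023-27350 post-exploitation chain.

Added example. Sample events and log lines are constructed; the server.log
line format is a simplified stand-in, and the process/network events mimic
Sysmon Event ID 1 (process create) and Event ID 3 (network connect).
"""
import ipaddress
import json
import re
from pathlib import PureWindowsPath

PAPERCUT_SERVER = "pc-app.exe"  # PaperCut application server process on Windows
SHELLS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
}
# Address ranges a print server is expected to talk to (assumption: internal only).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]
# Config keys the attacker must flip to get from an admin session to code execution.
RISKY_CONFIG = {("print-and-device.script.enabled", "Y"), ("print.script.sandboxed", "N")}
CONFIG_RE = re.compile(r"set config key '(?P<key>[^']+)' to '(?P<val>[^']+)'")

# Constructed sample: one JSON event per line. 203.0.113.77 is an RFC 5737
# documentation address standing in for an attacker-controlled host.
PROCESS_EVENTS = r"""
{"EventID":1,"ParentImage":"C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA","User":"NT AUTHORITY\\SYSTEM"}
{"EventID":1,"ParentImage":"C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe","Image":"C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe","CommandLine":"pc-app.exe -service","User":"NT AUTHORITY\\SYSTEM"}
{"EventID":1,"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe","User":"CORP\\jdoe"}
{"EventID":3,"Image":"C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe","DestinationIp":"10.20.30.40","DestinationPort":389}
{"EventID":3,"Image":"C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe","DestinationIp":"203.0.113.77","DestinationPort":443}
"""

# Constructed sample server.log excerpt (format simplified).
SERVER_LOG = """\
2023-04-14 01:29:12,345 INFO  PageEntry - Serving page: Login [from 10.1.2.3]
2023-04-14 01:29:15,002 INFO  PageEntry - Serving page: SetupCompleted [from 198.51.100.9]
2023-04-14 01:29:40,917 INFO  ConfigEditor - Admin 'admin' set config key 'print-and-device.script.enabled' to 'Y'
2023-04-14 01:29:41,203 INFO  ConfigEditor - Admin 'admin' set config key 'print.script.sandboxed' to 'N'
2023-04-14 01:30:02,110 INFO  ConfigEditor - Admin 'admin' set config key 'print.script.sandboxed' to 'Y'
"""


def _basename(win_path: str) -> str:
    return PureWindowsPath(win_path).name.lower()


def _events(text: str):
    for line in text.strip().splitlines():
        yield json.loads(line)


def suspicious_children(events_text: str) -> list:
    """Command lines of shells spawned directly by pc-app.exe."""
    return [
        ev["CommandLine"] for ev in _events(events_text)
        if ev.get("EventID") == 1
        and _basename(ev["ParentImage"]) == PAPERCUT_SERVER
        and _basename(ev["Image"]) in SHELLS
    ]


def external_connections(events_text: str) -> list:
    """(ip, port) pairs where pc-app.exe connected outside INTERNAL_NETS."""
    hits = []
    for ev in _events(events_text):
        if ev.get("EventID") != 3 or _basename(ev["Image"]) != PAPERCUT_SERVER:
            continue
        ip = ipaddress.ip_address(ev["DestinationIp"])
        if not any(ip in net for net in INTERNAL_NETS):
            hits.append((str(ip), ev["DestinationPort"]))
    return hits


def server_log_findings(log_text: str) -> list:
    """(finding, detail) pairs: SetupCompleted served, or scripting unlocked."""
    findings = []
    for line in log_text.splitlines():
        if "SetupCompleted" in line:
            findings.append(("setup_page_served", line.strip()))
        m = CONFIG_RE.search(line)
        if m and (m["key"], m["val"]) in RISKY_CONFIG:
            findings.append(("scripting_unlocked", m["key"]))
    return findings


if __name__ == "__main__":
    for cmd in suspicious_children(PROCESS_EVENTS):
        print("pc-app.exe spawned shell:", cmd)
    for ip, port in external_connections(PROCESS_EVENTS):
        print("pc-app.exe external connection:", ip, port)
    for kind, detail in server_log_findings(SERVER_LOG):
        print(kind, "->", detail)
```

The process-ancestry check is the highest-signal one: pc-app.exe has no legitimate reason to launch cmd.exe or powershell.exe, so a single hit warrants isolating the host. Note that the last server.log line (sandboxing re-enabled) is deliberately not flagged; attackers who clean up after themselves leave the earlier "N" entry behind, which is why the check keys on the unlock, not on the current state.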

Why Print Infrastructure Gets Overlooked

Print management servers occupy a blind spot in most organizations' security programs:

Not considered critical infrastructure: Security teams focus on email servers, web applications, databases, and endpoints. Print servers are treated as utility infrastructure — important for operations but not for security.

Wide network access: Print management servers need to communicate with printers, user workstations, and Active Directory. They typically have broad network access that isn't segmented or monitored.

Infrequent patching: Print infrastructure changes slowly. Once configured and working, print servers are often left untouched for months or years. Security patches are deprioritized because printing is seen as low-risk.

Internet exposure: Some organizations expose PaperCut's web interface to the internet for remote access or mobile printing. Even when not intentionally exposed, misconfigurations can make it accessible.

Lessons Learned

1. Every Server Is a Potential Entry Point

PaperCut servers are not traditionally considered high-value targets, but their network position, Active Directory integration, and administrative credentials make them powerful pivot points. Security programs need to cover all servers, not just the ones that handle obviously sensitive data.

2. Built-In Scripting Is a Security Risk

Administrative scripting engines are powerful features that also represent significant attack surface. PaperCut's engine ships disabled and sandboxed, but both controls live in the same admin console that the bypass exposed, so they offered no protection once authentication fell. When an authentication bypass exposes a scripting engine, it's game over. Organizations should evaluate whether built-in scripting capabilities are necessary, leave them disabled when they are not, and treat any change to the scripting or sandbox settings as an alert-worthy event.

3. Patch Print Infrastructure Like Production

Print management servers should be included in the same patch management processes as other production servers. The fixed versions shipped on March 8, 2023, roughly six weeks before PaperCut confirmed active exploitation on April 19; the earliest known attacks came about five weeks after the patch. Organizations that patched promptly were protected.
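Knowing whether a given PaperCut build is exposed requires comparing it against the right fixed version for its release line, not just against a single number. The following is an added example (not PaperCut's own tooling) of that triage over a constructed inventory of hostnames and version strings, such as you might collect from each server's About page; it encodes the fixed builds PaperCut named (20.1.7, 21.2.11, 22.0.9) and the advisory's statement that versions 8.0 and later are affected. It assumes that release lines before 20.x received no fix and that lines after 22.x ship with the fix, which were the facts at the time of disclosure.

```python
"""Version triage for CVE-2023-27350 across a PaperCut NG/MF inventory.

Added example. The inventory below is constructed; version strings mimic
what an admin might copy from the product's About page.
"""
import re

# Fixed builds per release line, from PaperCut's advisory.
FIXED = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}
FIRST_AFFECTED = (8, 0, 0)  # advisory: all versions 8.0 and later affected
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

# Constructed inventory: host -> version string as reported by the server.
INVENTORY = {
    "print01.corp.example": "22.0.4 (Build 64412)",
    "print02.corp.example": "v22.0.9",
    "print-lib.campus.example": "21.2.11",
    "print-old.campus.example": "19.2.3",
    "print-lab.campus.example": "PaperCut NG 20.1.6",
    "print-legacy.campus.example": "7.5.1",
}


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from a free-form version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version_text: str) -> bool:
    """True if this build predates the fix on its release line."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return False  # pre-8.0: outside the advisory's affected range
    major = v[0]
    if major in FIXED:
        return v < FIXED[major]
    if major < 20:
        return True  # 8.x-19.x: affected lines with no fix release (assumption)
    return False  # 23.x and later: released after the fix (assumption)


def triage(inventory: dict) -> dict:
    """Map each host to 'vulnerable', 'patched' or 'unknown' (unparseable)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{status:10s} {host}")
```

Two edge cases matter in practice: a string like "20.1.6" is vulnerable even though it is numerically "higher" than 19.2.3, because each line has its own fix threshold, and an unparseable entry must be surfaced as unknown rather than silently counted as safe.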

4. Monitor and Segment Print Networks

Print management servers should be segmented from sensitive network segments. Their communication patterns are predictable (talking to printers, AD, and client workstations), so anomalous connections are detectable. Outbound internet access from a print server should be blocked or heavily restricted.

How Safeguard.sh Helps

Safeguard.sh addresses the blind spots in infrastructure security that CVE-2023-27350 exploited:

  • Complete Infrastructure Visibility: Safeguard.sh inventories all software across your environment, including print management servers and other utility infrastructure that security teams often overlook.
  • Vulnerability Prioritization: Safeguard.sh factors in real-world exploitation data when prioritizing vulnerabilities, ensuring that actively exploited CVEs like CVE-2023-27350 are flagged as urgent regardless of the software category.
  • Ransomware Risk Assessment: By identifying vulnerable internet-facing services and systems with broad network access, Safeguard.sh highlights potential ransomware entry points before they're exploited.
  • Patch Compliance Tracking: Safeguard.sh monitors patch status across your entire infrastructure, including overlooked systems like print servers, ensuring nothing falls through the cracks.

CVE-2023-27350 proved that ransomware groups will exploit whatever entry point is available, regardless of how mundane it seems. Safeguard.sh ensures no system in your environment is invisible to your security program.
