PaperCut MF/NG Authentication Bypass to Remote Code Execution (CVE-2023-27350)
Overview
CVE-2023-27350 is an authentication bypass leading to remote code execution in PaperCut MF/NG print management servers, where improper access control can let a remote attacker bypass authentication and execute code. Because PaperCut is often deployed as internal infrastructure with broad network access, compromise of the application can quickly become a broader operational security issue.
Vulnerability Overview
CVE-2023-27350 is an improper access control vulnerability in PaperCut MF and PaperCut NG. The flaw exists in the setup completion handling path and allows remote attackers to bypass authentication on affected installations.
After authentication is bypassed, an attacker can reach administrative functionality and execute arbitrary code in the context of the PaperCut service. On Windows deployments, the disclosed impact includes code execution in the context of SYSTEM.
Impact
The vulnerability is rated Critical with a CVSS 3.1 score of 9.8. Successful exploitation can allow unauthenticated remote code execution, full application compromise, and access to sensitive print management infrastructure.
CVE-2023-27350 was added to the CISA Known Exploited Vulnerabilities catalog shortly after disclosure, which reflects active exploitation in real-world environments.
Vulnerability Scope
NVD identifies the affected PaperCut MF and NG ranges as 8.0 up to but not including 20.1.7, 21.0.0 up to but not including 21.2.11, and 22.0.0 up to but not including 22.0.9. The vulnerability also appears in Zero Day Initiative tracking as ZDI-CAN-18987.
The highest-risk deployments are PaperCut servers with administrative web interfaces reachable from untrusted networks and versions below the fixed release levels.
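For triage, the affected ranges listed above can be checked against an inventory of reported server versions. The following Python is an added example, not part of the original page or any PaperCut tooling; the hostnames, the sample version strings and the "(Build N)" suffix are constructed assumptions.

```python
import re

# Affected ranges from the page (NVD): start inclusive, end exclusive.
# The exclusive end is the first fixed release for that branch.
AFFECTED_RANGES = [
    ((8, 0, 0), (20, 1, 7)),
    ((21, 0, 0), (21, 2, 11)),
    ((22, 0, 0), (22, 0, 9)),
]
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Return (major, minor, patch) from a version string, or None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())

def classify(text):
    """Return (status, first_fixed_release_or_None) for one version string."""
    version = parse_version(text)
    if version is None:
        return ("unknown", None)  # unparsable is not the same as safe
    for start, fixed in AFFECTED_RANGES:
        if start <= version < fixed:
            return ("affected", ".".join(str(n) for n in fixed))
    return ("not_in_listed_ranges", None)

# Constructed inventory: hostnames and version strings are illustrative only.
SAMPLE_INVENTORY = {
    "print01": "22.0.8",
    "print02": "22.0.9",
    "print03": "21.2.10 (Build 12345)",
    "print04": "19.2",
    "print05": "version unavailable",
}

def triage(inventory):
    """Return (host, status, fixed) rows, affected and unknown hosts first."""
    order = {"affected": 0, "unknown": 1, "not_in_listed_ranges": 2}
    rows = [(host, *classify(v)) for host, v in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))

if __name__ == "__main__":
    for host, status, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}" + (f" (upgrade to >= {fixed})" if fixed else ""))
```

Hosts reported as "unknown" need a manual version check rather than being assumed patched.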
Lab Focus
This Hackviser lab focuses on understanding how authentication bypass in an administrative application can become remote code execution. You will practice identifying vulnerable PaperCut MF/NG versions, understanding the access-control failure, and mapping the CVE impact to defensive priorities for internal infrastructure.
