CVE-2023-27350

nvd nist nuclei

Published: Apr 20, 2023Modified: Oct 27, 2025CISA KEV

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.

Affected (6)

Products: Papercut: Papercut Mf, Papercut Ng

2 products

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Papercut Papercut Mf	From 21.0.0 to 21.2.11
Papercut Papercut Mf	From 22.0.0 to 22.0.9
Papercut Papercut Mf	From 8.0 to 20.1.7
Papercut Papercut Ng	From 21.0.0 to 21.2.11
Papercut Papercut Ng	From 22.0.0 to 22.0.9
Papercut Papercut Ng	From 8.0 to 20.1.7

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (15)

http://packetstormsecurity.com/files/171982/PaperCut-MF-NG-Authentication-Bypass-Remote-Code-Execution.html

Source: zdi-disclosures@trendmicro.com

Third Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/172022/PaperCut-NG-MG-22.0.4-Authentication-Bypass.html

Source: zdi-disclosures@trendmicro.com

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/172512/PaperCut-NG-MG-22.0.4-Remote-Code-Execution.html

Source: zdi-disclosures@trendmicro.com

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/172780/PaperCut-PaperCutNG-Authentication-Bypass.html

Source: zdi-disclosures@trendmicro.com

ExploitThird Party AdvisoryVDB Entry

https://news.sophos.com/en-us/2023/04/27/increased-exploitation-of-papercut-drawing-blood-around-the-internet/

Source: zdi-disclosures@trendmicro.com

Third Party Advisory

https://www.papercut.com/kb/Main/PO-1216-and-PO-1219

Source: zdi-disclosures@trendmicro.com

Vendor Advisory

https://www.zerodayinitiative.com/advisories/ZDI-23-233/

Source: zdi-disclosures@trendmicro.com

Third Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/171982/PaperCut-MF-NG-Authentication-Bypass-Remote-Code-Execution.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/172022/PaperCut-NG-MG-22.0.4-Authentication-Bypass.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/172512/PaperCut-NG-MG-22.0.4-Remote-Code-Execution.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/172780/PaperCut-PaperCutNG-Authentication-Bypass.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

https://news.sophos.com/en-us/2023/04/27/increased-exploitation-of-papercut-drawing-blood-around-the-internet/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.papercut.com/kb/Main/PO-1216-and-PO-1219

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.zerodayinitiative.com/advisories/ZDI-23-233/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-27350

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.