WARNING: Ransomware actors are actively exploiting a critical Remote Code Execution vulnerability in PaperCut Print software, Patch Immediately!

Reference: Advisory #2023-50
Version: 1.0
Affected software: PaperCut MF or NG version 8.0 or later:
version 8.0.0 to 19.2.7 (inclusive)
version 20.0.0 to 20.1.6 (inclusive)
version 21.0.0 to 21.2.10 (inclusive)
version 22.0.0 to 22.0.8 (inclusive)
Type: Remote Code Execution
CVE/CVSS: CVE-2023-27350 CVSS:9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://www.papercut.com/kb/Main/PO-1216-and-PO-1219

Risks

PaperCut has released security updates for a critical remote code execution (RCE) vulnerability, CVE-2023-27350, affecting PaperCut MF or NG.

Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute code remotely on a vulnerable PaperCut Application Server.

A successful attack has a high impact on all vertices of the CIA triad: confidentiality, integrity, and availability.

Threat actors are actively exploiting CVE-2023-27350 in order to deploy Clop and LockBit ransomware.

The Centre for Cybersecurity Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity. If your organization has already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident.

Description

PaperCut is print management software that helps organizations make printing easier and more secure.

PaperCut produces printing management software for Canon, Epson, Xerox, and almost every other major printer brand. Its tools are used by more than 70,000 organizations, including government agencies, universities, and large companies around the world.

A remote attacker can bypass authentication and execute arbitrary code on vulnerable PaperCut MF/NG infrastructure.

Recommended Actions

The Centre for Cybersecurity Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity. If you have already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident.
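
To prioritise patching, an inventory of reported PaperCut versions can be checked against the affected ranges listed in this advisory. The script below is an added example, not part of the original advisory or PaperCut tooling; the function names, hostnames and version strings are constructed for illustration.

```python
import math
import re

# Affected PaperCut MF/NG ranges from this advisory (both bounds inclusive).
AFFECTED_RANGES = [
    ((8, 0, 0), (19, 2, 7)),
    ((20, 0, 0), (20, 1, 6)),
    ((21, 0, 0), (21, 2, 10)),
    ((22, 0, 0), (22, 0, 8)),
]
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)(?:\.(\d+))?")

def classify(version_text):
    """Return 'affected', 'not-listed' or 'unknown' for a reported version."""
    m = VERSION_RE.search(version_text)
    if not m:
        return "unknown"  # nothing parseable: check the server by hand
    major, minor = int(m.group(1)), int(m.group(2))
    if m.group(3) is not None:
        lo = hi = (major, minor, int(m.group(3)))
    else:
        # Patch level missing: consider every patch level of major.minor.
        lo, hi = (major, minor, 0), (major, minor, math.inf)
    for start, end in AFFECTED_RANGES:
        if start <= lo and hi <= end:
            return "affected"
        if lo <= end and start <= hi:
            return "unknown"  # only some patch levels fall in the range
    return "not-listed"

def triage(inventory):
    """Group hostnames by classification so affected servers come out first."""
    groups = {"affected": [], "unknown": [], "not-listed": []}
    for host, version_text in inventory.items():
        groups[classify(version_text)].append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}

# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE_INVENTORY = {
    "print01.example.org": "22.0.8 (Build 65201)",
    "print02.example.org": "22.0.9",
    "print03.example.org": "PaperCut MF 21.2.10",
    "print04.example.org": "v20.1",
    "print05.example.org": "19.2.8",
    "print06.example.org": "not reported",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:11} {', '.join(hosts) or '-'}")
```

A result of "not-listed" means only that the version falls outside the ranges in this advisory; servers reported as "unknown" need their exact version confirmed by hand.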

References

https://www.bleepingcomputer.com/news/security/microsoft-clop-and-lockbit-ransomware-behind-papercut-server-hacks/
https://therecord.media/hackers-use-papercut-vulnerabilities-to-deploy-clop-ransomware
https://duo.com/decipher/papercut-flaws-exploited-to-deploy-clop-lockbit-ransomware