PaperCut Print Management Software Vulnerability (CVE-2023-27350 and CVE-2023-27351)

Dark Lab on Apr 27 2023
On 19 April 2023, PaperCut released a security advisory alerting customers that unpatched servers vulnerable to an unauthenticated RCE vulnerability (CVE-2023-27350) and an authentication bypass vulnerability (CVE-2023-27351) were being exploited in the wild.

On 24 April 2023, security researchers released a PoC writeup showcasing the ease of exploiting CVE-2023-27350. Suspected Russian-origin threat actors have been observed exploiting the PaperCut RCE vulnerability: researchers observed a PowerShell command that downloaded and executed setup.msi, a legitimate installer for the Atera remote management and maintenance (RMM) software. This gave the attacker persistent remote access and RCE on the compromised device via the installed RMM.

We recommend that impacted organisations apply the patches immediately, given the active exploitation and the ability of malicious actors to obtain RCE via CVE-2023-27350. Further, given active exploitation by unknown threat actors, we recommend that organisations running vulnerable versions of PaperCut perform threat hunting to identify anomalous activity or any indicators of compromise.
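
One way to start the threat hunting recommended above, as an added example (not code from PaperCut, Huntress or the PoC authors): a filter over process-creation events that flags the PaperCut server process spawning a shell or installer, and any command line that references a remote .msi, the pattern described in the exploitation report. The Sysmon-style field names, the `pc-app.exe` process name, the paths and all sample events are assumptions or constructed.

```python
import ntpath
import re

# Assumption: the PaperCut application server runs as pc-app.exe; confirm
# the process name on your own install before relying on this rule.
PAPERCUT_PARENTS = {"pc-app.exe"}
# Interpreters/installers a print server has no routine reason to spawn.
SUSPECT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "msiexec.exe"}
# A remote URL ending in .msi anywhere on the command line.
REMOTE_MSI = re.compile(r"https?://\S+?\.msi\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path (empty string if missing)."""
    return ntpath.basename(path or "").lower()


def hunt(events):
    """Return (event_index, reasons) for each event worth triage."""
    hits = []
    for i, ev in enumerate(events):
        reasons = []
        parent = basename(ev.get("ParentImage"))
        child = basename(ev.get("Image"))
        if parent in PAPERCUT_PARENTS and child in SUSPECT_CHILDREN:
            reasons.append(f"{parent} spawned {child}")
        if REMOTE_MSI.search(ev.get("CommandLine") or ""):
            reasons.append("command line references a remote .msi")
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events (placeholder paths, not from any real host).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\PaperCut\pc-app.exe", "CommandLine": "pc-app.exe"},
    {"ParentImage": r"C:\PaperCut\pc-app.exe", "Image": r"C:\Windows\System32\powershell.exe",
     "CommandLine": "powershell.exe <arguments elided> http://example.invalid/setup.msi"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\Public\printer-driver.msi"},
    {"ParentImage": r"C:\PaperCut\pc-app.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ver"},
]

if __name__ == "__main__":
    for index, why in hunt(SAMPLE_EVENTS):
        print(index, "; ".join(why))
```

A hit is a triage lead, not proof of compromise; check it against the indicators published in the vendor advisory and the exploitation report linked below.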

Vendor Advisory: https://www.papercut.com/kb/Main/PO-1216-and-PO-1219#zdi-can-19226-po-1219

PoC: https://github.com/horizon3ai/CVE-2023-27350/blob/main/CVE-2023-27350.py

Exploitation: https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software