PaperCut, a print management software, recently rectified a critical security vulnerability within its NG/MF version, addressing the threat of unauthenticated attackers executing remote code on unpatched Windows servers.
Termed CVE-2023-39143, this vulnerability stems from a sequence of two path traversal weaknesses uncovered by Horizon3 security researchers, granting malicious actors the ability to access, delete, and upload arbitrary files on compromised systems via low-complexity attacks that evade user interaction.
Although the flaw primarily affects servers with non-default configurations enabling external device integration, Horizon3 noted that a significant portion of Windows PaperCut servers have this setting activated.
A distinctive command, using the ‘curl’ utility, can determine if a server is susceptible to CVE-2023-39143 attacks and is operating on Windows, with a response code indicating the necessity for patching.
While a Shodan search reveals approximately 1,800 PaperCut servers exposed online, not all are vulnerable to this specific attack. Past incidents highlight the attractiveness of PaperCut servers to malicious actors, as the software was previously exploited by ransomware gangs, including Clop, LockBit, Muddywater, and APT35, targeting unauthenticated RCE vulnerabilities and information disclosure flaws.
Microsoft and security experts emphasize the importance of timely updates and robust security measures to safeguard systems against these evolving threats.