PaperCut, the print management software provider, has confirmed that it is aware of ongoing active exploitation of the CVE-2023-27350 vulnerability. The company has received two vulnerability reports from cybersecurity firm Trend Micro, reporting high/critical severity security issues in PaperCut MF/NG.
The company addressed both vulnerabilities with the release of PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and recommends upgrading to one of these versions containing the fix. PaperCut has received reports from customers regarding suspicious activities on their servers and suggests that unpatched servers are being exploited in the wild.
Huntress researchers have observed post-exploitation activities within their partner environments after attackers exploited the above PaperCut MF/NG vulnerabilities. Caleb Stewart, a Huntress security researcher, has created a proof-of-concept exploit for these threats.
The CVE-2023-27350 vulnerability is a PaperCut MF/NG Improper Access Control Vulnerability. PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context of the system. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities Catalog.
Huntress researchers have also noted that the domain hosting the tools employed in the attack, windowservicecemter[.]com, was registered on April 12, 2023, and has been linked to the TrueBot malware. The ultimate goal of the current activity leveraging PaperCut’s software is unknown, and links to a known ransomware entity are concerning.
In conclusion, the ongoing active exploitation of the CVE-2023-27350 vulnerability in PaperCut MF/NG by threat actors has raised concerns. The vulnerability allows an attacker to bypass authentication and execute code in the context of the system.
While PaperCut has released updated versions of its software to fix the vulnerability, the risk of exploitation is still high for those who have not upgraded. Huntress researchers have also observed post-exploitation activities within its partner environments and have linked the domain hosting the attack tools to the TrueBot malware.
The ultimate goal of the current activity leveraging PaperCut’s software is unknown, but it could potentially be used as a foothold leading to follow-on movement within the victim network, and ultimately, ransomware deployment.
