PaperCut NG, Authentication Bypass, CVE-2023-27350 (High)

Listen to this Post

How the mentioned CVE works (technical details):

CVE-2023-27350 is an authentication bypass vulnerability in PaperCut NG prior to version 22.0.8. The flaw resides in the `SecurityRequestFilter` class, which mishandles the authentication algorithm. Specifically, when a request is made to the internal `PaperCut NG` web interface, the filter fails to validate the session token properly if a crafted setup-related path is used. Attackers can send an HTTP request with a manipulated `Referer` header or a specially crafted `Host` attribute that tricks the filter into believing the request originates from a trusted local address. This bypasses the login check and grants unauthorized access to the admin console. The vulnerability is exploitable over the network without any authentication, as no user interaction is required. The root cause is improper enforcement of the `isAuthenticated()` method logic, which can be forced to return `true` under specific conditions. Successful exploitation allows an attacker to execute arbitrary code with system privileges, as the admin interface provides file upload and command execution capabilities. The ZDI advisory (ZDI-CAN-19226) confirmed the issue in build 63914. PaperCut released patches in version 22.0.8 and later.

dailycve form:

Platform: PaperCut NG
Version: 22.0.5 (63914)
Vulnerability: Authentication Bypass
Severity: High
Date: 2026-04-20

Prediction: March 2023

What Undercode Say:

Check vulnerable PaperCut version
curl -k -I https://target:9191/admin
Test authentication bypass with crafted path
curl -k "https://target:9191/app?service=page/Dashboard" -H "Referer: http://localhost"
Enumerate internal endpoints after bypass
curl -k "https://target:9191/api/status" -H "X-Forwarded-For: 127.0.0.1"

Exploit:

Send unauthenticated POST to `/app?service=page/SetupComplete` with Host: localhost. The filter trusts localhost, grants admin session. Then upload malicious JSP via `AllowedJSPs` parameter. Execute system commands through /app?service=page/PrintScript.

Protection from this CVE

Upgrade to PaperCut NG 22.0.8 or later. If patching impossible, apply ZDI workaround: block external access to ports 9191 (admin) and 9192 (secure admin) via firewall. Use reverse proxy to filter `Host` headers and reject requests with internal hostnames from external sources.

Impact:

Complete admin account takeover. Remote attackers can modify print quotas, install malware, exfiltrate documents, pivot to domain controllers (PaperCut often runs with high privileges), and disrupt printing services across the organization. CVSS 8.2 (High) reflects high confidentiality impact, low integrity, no availability loss.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top