Axon Rapid Response - Critical RCE Vulnerability in PaperCut Servers
Incident Report for Rapid Response Status Page
Resolved
Following recently reported active exploitation of a critical RCE vulnerability in PaperCut servers (CVE-2023-27350), Team Axon evaluated the risk and possible impact of potential exploitation.

This vulnerability affects certain versions of PaperCut NG and PaperCut MF and enables an unauthenticated actor to execute malicious code remotely. PaperCut released a patch in March 2023. Affected installations of PaperCut:
- Version 8.0.0 to 19.2.7
- Version 20.0.0 to 20.1.6
- Version 21.0.0 to 21.2.10
- Version 22.0.0 to 22.0.8
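
One way to triage an inventory against the ranges listed above (an added example, not part of the original report or of Axon's tooling). The version-string format, the classification labels and the sample inventory are assumptions made for illustration.

```python
import re

# Affected ranges exactly as listed in the advisory, inclusive on both ends.
AFFECTED_RANGES = [
    ((8, 0, 0), (19, 2, 7)),
    ((20, 0, 0), (20, 1, 6)),
    ((21, 0, 0), (21, 2, 10)),
    ((22, 0, 0), (22, 0, 8)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) as integers, or None if no version is found.

    Assumption: the string holds a dotted version such as "21.2.10" or
    "22.0.8 (Build 65201)"; a missing patch component is treated as 0.
    """
    match = _VERSION_RE.search(text or "")
    if not match:
        return None
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def classify(version_text):
    """Return 'affected', 'not_listed' or 'unknown' for one version string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # needs manual review; never treat as safe
    # Integer tuples compare numerically, so 21.2.9 <= 21.2.10 holds here.
    # Comparing the raw strings would sort "21.2.9" after "21.2.10" and miss it.
    if any(low <= version <= high for low, high in AFFECTED_RANGES):
        return "affected"
    return "not_listed"


def triage(inventory):
    """Map each host to its classification; inventory is {host: version string}."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory (hostnames and build string are illustrative).
SAMPLE_INVENTORY = {"print-01": "21.2.9", "print-02": "22.0.8 (Build 65201)",
                    "print-03": "21.2.11", "print-04": "n/a"}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

A result of `not_listed` only means the version falls outside the ranges in this report; hosts reported as `unknown` should be checked by hand.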

Organizations that use PaperCut in their enterprise network environment are advised to patch the application to the latest release, as also advised by the FBI, CISA and PaperCut security advisories.
The team performs threat hunting over Axon customers’ environments to detect activity associated with this attack, and affected customers have been informed.

A threat-hunting query is available for your own use; it finds suspicious related activity spawned from running PaperCut programs:
https://github.com/axon-git/rapid-response/blob/main/CVE-2023-27350/threat_hunting_query_papercut_suspicious_child_process.sql

As always, you are welcome to contact the team with any further questions.
Team Axon
Posted May 16, 2023 - 16:13 UTC
This incident affected: Rapid Response.