Overview
PaperCut NG/MF is one of the most widely deployed print management platforms in enterprise, education and government. It sits in a privileged position within networks — brokering print jobs from user workstations, integrating with Active Directory for authentication, and often storing payment card data for billed printing environments. That makes it a high-value target.
CVE-2023-27351 is an authentication bypass in the SecurityRequestFilter class — the servlet filter responsible for enforcing authentication on management endpoints. The flaw lets a completely unauthenticated attacker retrieve user account information (usernames, full names, email addresses, office and department information, stored payment card numbers) and, critically, the hashed passwords of internal PaperCut-created accounts.
The vulnerability was originally disclosed alongside its more famous sibling CVE-2023-27350 (the RCE that saw mass exploitation by Cl0p and other ransomware groups in April 2023). CVE-2023-27351 was comparatively overlooked — until it was added to CISA KEV on 20 April 2026, following renewed in-the-wild exploitation against organisations that patched the RCE but never got around to the information-disclosure bug.
PaperCut's 2023 advisories have aged badly. Three years on, a meaningful fraction of deployments remain on pre-fix versions — and the combination of leaked credentials from CVE-2023-27351 with every post-2023 authenticated RCE in PaperCut's stack gives an attacker a viable path to fully authenticated remote code execution on unpatched instances.
Root Cause: SecurityRequestFilter Logic Error
PaperCut's web interface uses a standard Java servlet filter chain. The SecurityRequestFilter class is supposed to inspect every incoming request and enforce authentication on protected endpoints before the request reaches the application handler.
The original ZDI advisory describes the flaw as "improper implementation of the authentication algorithm". In practice, the filter contains logic that decides whether the current request is already authenticated based on session-state attributes — but the check can be satisfied by request properties an unauthenticated attacker controls. Specifically, the filter inspects the session's User-Agent and other client-supplied headers as part of its session-state evaluation, and certain values cause the filter to treat the session as already authenticated and short-circuit the authentication check.
The net effect is that sending an HTTP request with the right set of headers to the management interface bypasses the login wall entirely — granting access to internal API endpoints that return user account records.
What the Bypass Grants
Unlike CVE-2023-27350 (which gave full unauthenticated RCE via the SetupCompleted flow), CVE-2023-27351 is an information-disclosure bug. But the data it exposes is substantial:
- User directory — usernames, full names, email addresses, office and department mappings. Effectively a pre-built target list for credential-stuffing, phishing, and social engineering campaigns.
- Payment card data — in deployments that use PaperCut's billed-printing features, stored card data associated with user accounts.
- Hashed passwords — for internal PaperCut-created user accounts (not AD-integrated users). These are bcrypt hashes; cracking viability depends on the password strength, but any weak passwords fall to modern cracking hardware in hours.
Chaining Into RCE
The information-disclosure bug is more dangerous than its CVSS 8.2 rating suggests because of how PaperCut is typically deployed. Internal PaperCut accounts are commonly used for service integrations and administrative access. If the disclosed hash list contains even one crackable admin-level account password, the attacker can chain:
- Exploit CVE-2023-27351 → obtain bcrypt hashes of internal accounts.
- Crack hashes offline with hashcat (-m 3200) against rockyou/wordlists.
- Log in as the admin user via the normal web UI.
- Abuse any post-authentication RCE primitive — PaperCut has several in its scripting engine, printer script hooks, and custom report generation features.
This chain is the operational reality behind the renewed exploitation that prompted CISA to add the bug to KEV three years after disclosure. Organisations that patched the original 2023 RCE but left internal accounts with weak passwords on unpatched PaperCut versions are still vulnerable to a full compromise path.
Proof of Concept
A minimal reproducer targets the app endpoint with the specific request shape that triggers the filter's short-circuit:
# Example request — exact header combination is version-dependent
curl -sk "https://papercut.target.corp:9192/app?service=page/UserList" \
-H "User-Agent: <specific-bypass-value>" \
-H "X-Forwarded-For: 127.0.0.1" \
-b "JSESSIONID=forged-or-empty"
# Response contains user records in HTML/JSON including account fields
# and, where applicable, stored hash values for internal accounts
Public exploit tooling (including modules in Metasploit and standalone scripts on GitHub) encapsulates the exact header combination and handles the response parsing.
Affected Versions
All PaperCut NG and PaperCut MF versions prior to the following patch releases are vulnerable:
- PaperCut NG/MF 20.1.7 (20.x branch)
- PaperCut NG/MF 21.2.11 (21.x branch)
- PaperCut NG/MF 22.0.9 (22.x branch)
- Any version from the 23.x / 24.x / 25.x lines that incorporates the patched SecurityRequestFilter.
Remediation
- Upgrade to the latest supported PaperCut NG/MF version. If you're running any release prior to the fix levels above, you are vulnerable.
- Remove the PaperCut management interface from the public internet. There is no business reason for ports 9191/9192 to be reachable from arbitrary IPs. Place behind VPN or IP allowlisting.
- Force password resets for all internal PaperCut accounts — assume any hash that was reachable via CVE-2023-27351 has been extracted and cracked.
- Audit access logs on the PaperCut server from 2023 onwards for anomalous requests to /app endpoints — particularly requests to endpoints that return user data without a valid authenticated session.
- For billed-printing deployments, review stored cardholder data exposure against PCI DSS requirements and notify card brands if a compromise window is identified.
Detection
- Authentication-free access to the /app endpoint returning user-list or account-detail pages — particularly when the source IP does not correspond to a known print client.
- Unusual User-Agent strings on the management interface — the bypass requires a specific header shape that differs from legitimate browsers or print clients.
- Requests to the PaperCut management port (9191/9192) from external IP addresses — under normal operation these should be internal-only.
- Outbound HTTP requests from the PaperCut server to external hosts immediately following an unauthenticated management access — a signal that an attacker has moved from information disclosure into the chained RCE path.
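The first three signals above can be checked against web access logs. The following is an added example, not part of the original article or of PaperCut's tooling. It assumes a combined-format access log (for instance from a reverse proxy in front of the management port), and the internal address ranges, the User-Agent baseline and the sample log lines are all constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: combined-format access log (e.g. from a reverse proxy in front
# of PaperCut); adjust the pattern to the log source you actually have.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]  # assumed
KNOWN_UA_PREFIXES = ("Mozilla/",)    # assumed baseline; add your print clients
USER_DATA_PAGES = {"page/UserList"}  # service value from the request shown earlier

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or garbage: not a known internal client
        return False
    return any(addr in net for net in INTERNAL_NETS)

def findings_for(line):
    """Return the detection signals raised by one access-log line."""
    m = LOG_RE.match(line)
    if not m or urlsplit(m["target"]).path != "/app":
        return []
    service = parse_qs(urlsplit(m["target"]).query).get("service", [""])[0]
    signals = []
    if not is_internal(m["ip"]):
        signals.append("external-source")
    if not m["ua"].startswith(KNOWN_UA_PREFIXES):
        signals.append("unusual-user-agent")
    if service in USER_DATA_PAGES and m["status"] == "200":
        signals.append("user-data-page-served")
    return signals

def scan(lines):
    """Map each flagged line number to its signals, skipping clean lines."""
    return {n: s for n, line in enumerate(lines, 1) if (s := findings_for(line))}

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '10.1.4.22 - - [02/Mar/2025:09:14:01 +0000] "GET /app?service=page/UserList HTTP/1.1" 200 48211 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '203.0.113.7 - - [02/Mar/2025:03:02:44 +0000] "GET /app?service=page/UserList HTTP/1.1" 200 48190 "-" "example-client/0.0"',
    '203.0.113.7 - - [02/Mar/2025:03:02:40 +0000] "GET /app HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.1.4.30 - - [02/Mar/2025:09:15:10 +0000] "GET /images/logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, signals in scan(SAMPLE_LOG).items():
        print(n, ", ".join(signals))
```

An access log does not record whether the session was authenticated, so a line raising all three signals is a lead to correlate with the PaperCut application log rather than proof of the bypass.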