Sign In with your
Trend Micro Account

若您需要技術支援,請 按此建立案件。

SECURITY ALERT: PaperCut MF/NG Active Attack Campaign (CVE-2023-27350)

    • 更新於:
    • 27 Apr 2023
    • 產品/版本:
    • 作業系統:
Updated: April 27, 2023 @ 7:30AM (US Pacific) - added blog link

In Mid-March 2023, PaperCut, a popular print management software solution, publicly disclosed a couple of vulnerabilities CVE-2023-27350 and CVE-2023-27351) that were reported to them through Trend Micro's Zero Day Initiative (ZDI).  

However, in the middle of April, it was observed that one of the vulnerabilities, CVE-2023-27350 (CVSS 9.8) was apparently being abused in the wild (ITW).  This vulnerability is an improper access control authentication bypass which does not require authentication and can lead to an attacker obtaining Remote Code Execution (RCE) on an affected PaperCut Application Server. 

The ZDI disclosure on CVE-2023-27350 can be found at: and Trend Micro Research has written a comprehensive blog on the threat here: Update Now: PaperCut Vulnerability CVE-2023-27350 Under Active Exploitation.

Trend Micro Protection and Detection Against Exploitation

First and foremost, it is always highly recommended that users apply the vendor's patches when they become available. PaperCut has released new versions of PaperCut MF and PaperCut MG - 20.1.7, 21.2.11, and 22.0.9 - that resolve the issues.

As an original submission of the vulnerability was through the Trend Micro Zero Day Initiative, based on our analysis, Trend Micro has some rules and filters that can help provide against potential exploitation of this vulnerability.

Trend Micro Cloud One - Network Security & TippingPoint Protection Filters

  • 42626: HTTP: PaperCut NG SetupCompleted Authentication Bypass Vulnerability (ZDI-23-233)
  • 42258: HTTP: PaperCut NG SecurityRequestFilter Authentication Bypass Vulnerability (ZDI-23-232)

Trend Micro Cloud One - Workload Security & Deep Security IPS Rules

  • 1011731 - PaperCut NG Authentication Bypass Vulnerability (CVE-2023-27350)
  • 1011732 - PaperCut NG Authentication Bypass Vulnerability (CVE-2023-27351)

Trend Micro Deep Discovery Inspector (DDI) Rules

  • Rule 4835: CVE-2023-27350 - PaperCut MF/NG Authentication Bypass Exploit - HTTP (REQUEST)
  • Rule 4836: CVE-2023-27351 - PaperCut MF/NG Authentication Bypass Exploit - HTTP (REQUEST)

Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Worry-Free Business Security Services, Worry-Free Business Security Standard/Advanced, Deep Security w/Anti-malware, etc.)

Trend Micro threat hunters have observed potential ransomware drops as part of ongoing campaigns.  Observed ransomware detections include:
  • Ransom.Win32.LOCKBIT.SMYXCJN

Trend Micro is continuing to monitor and research this ongoing campaign and will update this article as more information becomes available.


Remove a Malware / Virus



若您需要協助,請聯繫對應的技術支援窗口. 聯絡我們

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.