2023-08-05

PaperCut has patched a critical security vulnerability in its NG/MF print management software. The flaw, tracked as CVE-2023-39143, lets unauthenticated attackers execute code remotely on unpatched Windows servers. It stems from two path traversal weaknesses discovered by Horizon3 security researchers, which allow threat actors to read, delete and upload arbitrary files on vulnerable servers without any user interaction; the file upload is what turns the traversal into remote code execution.

Although the vulnerability only affects servers where the external device integration setting is enabled (a non-default configuration), Horizon3's report notes that most Windows PaperCut servers have this setting turned on. In practice, then, the majority of exposed Windows PaperCut servers are susceptible to attacks exploiting CVE-2023-39143.

To check whether a server is vulnerable, admins can send the following curl request to the Windows server from any host that can reach it, substituting the server's address and port. The `--path-as-is` flag is required so that curl does not normalise the traversal sequence away before sending it:

```
curl -w "%{http_code}" -k --path-as-is "https://<ip>:<port>/custom-report-example/..\..\..\deployment\sharp\icons\home-app.png"
```

An HTTP 200 response means the server served a file from outside its web root and is vulnerable; a 404 (or any other non-200 response) indicates that it is not.
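As an added example (not Horizon3's or PaperCut's own tooling), the following script wraps that curl check so it can be run against a list of hosts and turns the status code into a verdict. The function names, the `host:port` arguments and the sample host name in the usage line are assumptions about the reader's environment; 9192 is PaperCut's default HTTPS port, so sites that changed it must adjust the port.

```shell
#!/usr/bin/env bash
# Added example: batch wrapper around the published curl check for CVE-2023-39143.
# Not PaperCut's or Horizon3's own tooling. Hosts and ports are supplied by the caller.
set -u

# Traversal sequence from the published check. The backslashes are the point:
# the target is a Windows server, so '..\' is a valid parent-directory step there.
TRAVERSAL_PATH='/custom-report-example/..\..\..\deployment\sharp\icons\home-app.png'

# Build the probe URL for a host:port pair, e.g. printserver:9192
# (9192 is PaperCut's default HTTPS port; adjust if the site changed it).
check_url() {
  printf 'https://%s%s' "$1" "$TRAVERSAL_PATH"
}

# Interpret the status code of the probe.
#   200 -> a file outside the web root was served: vulnerable
#   000 -> curl could not complete the transfer at all (connection refused, timeout)
#   anything else (typically 404 on patched or unaffected servers) -> not vulnerable
classify() {
  case "$1" in
    200) echo "VULNERABLE" ;;
    000) echo "UNREACHABLE" ;;
    *)   echo "NOT-VULNERABLE ($1)" ;;
  esac
}

# Probe one host. Flags: -s silent, -k accept self-signed certificates (common on
# PaperCut installs), -m 10 bound the wait, -o /dev/null discard the body,
# -w print only the status code, --path-as-is stop curl from collapsing the
# '..' segments before the request is sent.
probe() {
  local code
  code=$(curl -s -k -m 10 -o /dev/null -w '%{http_code}' --path-as-is "$(check_url "$1")")
  printf '%s %s\n' "$1" "$(classify "$code")"
}

# Usage: ./papercut-check.sh printserver1:9192 printserver2:9192 ...
for host in "$@"; do
  probe "$host"
done
```

A 200 is the only result that confirms exposure; a 404 on a server that has the external device integration setting enabled is the expected outcome after patching, and a 000 means the host should be re-checked from a network position that can reach the admin port rather than being marked safe.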

Installing the security updates immediately is the recommended fix. For admins who cannot patch right away, Horizon3 provides mitigation instructions: restrict access to the server by allowlisting only the specific IP addresses that need to reach it, which keeps the unauthenticated traversal endpoints off the open network until the update is applied.

According to Shodan search results, around 1,800 PaperCut servers are exposed to the internet. Not all of them are vulnerable to CVE-2023-39143 attacks, since the flaw requires a Windows server with the external device integration setting enabled.

Earlier this year, PaperCut servers were targeted by ransomware gangs exploiting another critical vulnerability (CVE-2023-27350, an unauthenticated remote code execution flaw) and a high-severity information disclosure flaw (CVE-2023-27351). The company issued a warning at the time and urged admins to upgrade their servers promptly.

Exploitation of these vulnerabilities led to data theft: the ransomware operations abused the 'Print Archiving' feature of PaperCut servers, which stores copies of printed documents, to access and steal corporate data. Microsoft attributed the attacks to the Clop and LockBit ransomware groups.

Subsequently, the Iranian state-backed hacking groups MuddyWater and APT35 also joined the campaign against PaperCut servers. As a result, CISA added CVE-2023-27350 to its Known Exploited Vulnerabilities catalog and ordered U.S. federal agencies to secure their servers by May 12th, 2023.