Two vulnerability reports were recently made public regarding high/critical severity security issues in PaperCut MF/NG. (Latest update: May 9th)
Multiple threat actors, including nation-state groups, have been observed exploiting unpatched servers in the wild.
While initial attacks were targeting critical infrastructure (primarily in the US), current threat actor activity appears to be more opportunistic, affecting organisations across various sectors and geographies. We are aware that this has become a particular threat to the Education sector here in the UK.
The first vulnerability is a remote code execution (RCE) vulnerability.
It allows an unauthenticated attacker to execute arbitrary code on a PaperCut Application Server over the network, without needing to log in. Because the Application Server typically runs with broad privileges and holds credentials for directory sync and other integrations, a successful exploit should be treated as a full compromise of that host.
The second vulnerability is a user account data disclosure vulnerability.
It allows an unauthenticated attacker to retrieve information about users stored within PaperCut MF or NG, including usernames, full names, email addresses, office/department details and any card numbers associated with the user. The attacker can also retrieve the hashed passwords of internal PaperCut-created users only; this does not include password hashes for users synchronised from directory sources such as Microsoft 365, Google Workspace, Active Directory and others. Like the first vulnerability, this can be exploited remotely and without the need to log in.
As more threat actors begin to exploit these vulnerabilities in their attacks, organisations are strongly urged to prioritise applying the updates provided by PaperCut, which remove the vulnerable code paths rather than merely reducing exposure to them: