[CDP-development] TLP: GREEN (Vulnerability Alert Notification) CVE-2023-27351 PaperCut NG/MF Improper Authentication Vulnerability

Mon Apr 20 15:00:52 PDT 2026

Good afternoon,

The SOC Services team is reporting on the vulnerability: CVE-2023-27351 PaperCut NG/MF Improper Authentication Vulnerability. Due to its high visibility, we are providing this in-depth information.

History: On March 8, 2023, PaperCut publicly acknowledged an authentication bypass vulnerability found in the SecurityRequestFilter class of PaperCut MF and NG. The vulnerability is currently assigned a CVSSv3 score of 7.5 (High) by NVD.

Major Version
Affected Version Range
Fixed Version
PaperCut 22.x
22.0.0 to 22.0.8
22.0.9 and later
PaperCut 21.x
21.0.0 to 21.2.10
21.2.11 and later
PaperCut 20.x
20.0.0 to 20.1.6
20.1.7 and later
PaperCut 19.x and older
15.0.0 to 19.2.6
End of Life (Upgrade to 20.1.7+)

For more information on this vulnerability, see the following links:

  *   https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
  *   https://www.zerodayinitiative.com/advisories/ZDI-23-232/

Intelligence: As of April 20, 2026, CISA has confirmed the vulnerability as being exploited in the wild and has added the vulnerability to the Known Exploited Vulnerabilities Catalog.

Exploitability: Network exploitability
Complexity: Low
User Interaction: None
Remotely Exploitable: Yes (Primarily via the Web Management Interface/Application Server).
Proof of Concept: Yes
Zero Day: Yes (Confirmed exploitation occurred prior to public awareness/patching for legacy systems)
Workarounds: There are no workarounds.

How it works: The flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system.

Post-Exploit: Upon successful exploitation of the vulnerability, typically results in an unauthenticated "Information Disclosure" or a complete "Authentication Bypass. Because this vulnerability is almost always paired with its sister flaw (CVE-2023-27350), the "end-state" for an attacker is often full administrative control.

Tenable Plugins:
Plugin
Title
Severity
Platform
175674<https://www.tenable.com/plugins/nessus/175674>
PaperCut NG SecurityRequestFilter Authentication Bypass (CVE-2023-27351)
High
Nessus
176401<https://www.tenable.com/plugins/nessus/176401>
PaperCut MF SecurityRequestFilter Authentication Bypass (CVE-2023-27351)
High
Nessus

Recommended Actions:
Date Added: 2026-04-20
Due Date: 2026-05-04

  *   Deploy WAF rules to filter for malicious request patterns.
  *   Block inbound traffic to TCP ports 9191 and 9192.
  *   Verify host has not been compromised before applying patches.
  *   Apply appropriate updates provided by vendor to vulnerable systems immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.

EIS Security Operations Center
Enterprise Information Services
Cyber Security Services | CSS
SOC Hotline: (503) 378-5930
SOC at EIS.OREGON.GOV<mailto:SOC at EIS.OREGON.GOV>
[cid:image005.png at 01DCD0D4.D5418F80] [cid:image004.png at 01DCD0D4.D5418F80]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://omls.oregon.gov/pipermail/cdp-development/attachments/20260420/c28590e3/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 32625 bytes
Desc: image004.png
URL: <https://omls.oregon.gov/pipermail/cdp-development/attachments/20260420/c28590e3/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.png
Type: image/png
Size: 280765 bytes
Desc: image005.png
URL: <https://omls.oregon.gov/pipermail/cdp-development/attachments/20260420/c28590e3/attachment-0003.png>