Authentication Bypass in PaperCut NG/MF (CVE-2023-27351)
PaperCut NG/MF, a print management product, contains a flaw that may allow authentication (the identity-verification step) to be bypassed, potentially letting an attacker reach administrative functions without a valid login.
Key facts
- CVE ID: CVE-2023-27351
- CVSS base score: 7.5 HIGH
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Affected (vendor / product): PaperCut NG/MF
- CWE: CWE-287
- Exploitation: listed in CISA KEV (exploitation confirmed); also confirmed used in ransomware campaigns
- Remediation due: 2026-05-04 (U.S. federal civilian agencies, BOD 22-01)
Key points
- Affects PaperCut NG/MF print management software through an improper authentication flaw that may allow the identity check to be bypassed.
- The KEV record states authentication may be bypassed via the SecurityRequestFilter class, potentially leading to unauthorized access to administrative functions.
- Listed by CISA in its Known Exploited Vulnerabilities (KEV) catalog (added 2026-04-20, remediation due 2026-05-04).
- Exploitation by ransomware is confirmed, and the widely deployed management server is a likely target as an initial foothold.
- Official NVD severity is CVSS 7.5 (HIGH); remediation is to apply vendor mitigations, follow BOD 22-01, or discontinue use if mitigation is not possible.
Authentication is the process of confirming that a user is who they claim to be, so that only authorized people can operate a system. This issue is classified as improper authentication, meaning that check is not carried out properly and can be bypassed. According to the KEV record, affected installations may have authentication bypassed via the SecurityRequestFilter class. The heart of the problem is that a widely deployed management server could be operated without going through a valid login.
PaperCut NG/MF handles print accounting, billing, and usage control, giving it an important position inside an organization's network. CISA has listed this vulnerability in its Known Exploited Vulnerabilities (KEV) catalog and further notes that exploitation by ransomware (an attack that encrypts data and demands a ransom) has been confirmed. A management server running across many organizations is a classic target used as an initial foothold for intrusion.
The official NVD severity rating is a CVSS base score of 7.5 (HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). For remediation, CISA directs organizations to apply mitigations per vendor instructions, follow the U.S. federal directive BOD 22-01, and discontinue use of the product if mitigations are not available. The KEV-added date is 2026-04-20 and the remediation due date is 2026-05-04.
Why it matters
Print management servers sit inside an organization's network and connect to many users and devices, so a successful authentication bypass could allow unauthorized access to administrative functions. Because exploitation by ransomware has been confirmed, there is a recognized risk of the flaw being used as an initial foothold for intrusion. CISA has set a remediation due date of 2026-05-04, indicating a high priority for response.
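The due-date and ransomware flags above come straight from the fields CISA publishes in its KEV JSON feed, and a defender's first job is usually to turn that feed into a prioritised list for the products they actually run. The following is an added example (not part of the original page or of CISA's tooling): it parses a constructed feed fragment in the KEV feed's field names, keeps only vendors present in an asset inventory, and ranks entries so overdue and ransomware-linked items surface first. The second record and the `ExampleVendor` name are placeholders, not real catalog data.

```python
import json
from datetime import date

# Constructed sample using the field names of CISA's KEV JSON feed
# ("vulnerabilities" list with cveID, vendorProject, dueDate, ...).
# The PaperCut entry mirrors this page; the second record is filler.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-27351",
            "vendorProject": "PaperCut",
            "product": "NG/MF",
            "dateAdded": "2026-04-20",
            "dueDate": "2026-05-04",
            "knownRansomwareCampaignUse": "Known",
            "requiredAction": "Apply vendor mitigations or discontinue use.",
        },
        {   # placeholder filler record, not a real CVE
            "cveID": "CVE-0000-00000",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "dateAdded": "2026-04-01",
            "dueDate": "2026-04-22",
            "knownRansomwareCampaignUse": "Unknown",
            "requiredAction": "Apply vendor mitigations.",
        },
    ]
})

def triage_kev(feed_json, inventory, today):
    """Filter a KEV feed to vendors in `inventory` (case-insensitive names)
    and sort by urgency. `today` is an ISO date string (YYYY-MM-DD)."""
    wanted = {v.lower() for v in inventory}
    now = date.fromisoformat(today)
    hits = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        if entry["vendorProject"].lower() not in wanted:
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - now).days
        hits.append({
            "cve": entry["cveID"],
            "product": entry["product"],
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            "days_left": days_left,   # negative means the BOD 22-01 date has passed
            "action": entry["requiredAction"],
        })
    # Overdue first, then ransomware-linked, then soonest due date.
    hits.sort(key=lambda h: (h["days_left"] >= 0, not h["ransomware"], h["days_left"]))
    return hits
```

Run against the real feed by replacing `KEV_SAMPLE` with the downloaded JSON and `inventory` with your vendor list.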
FAQ
What is PaperCut NG/MF?
A print management product that handles print accounting, billing, and usage control, giving it an important position inside an organization's network.
How severe is this vulnerability?
The official NVD rating is a CVSS base score of 7.5 (HIGH), and CISA lists it in the KEV catalog with confirmed use in ransomware campaigns.
What does CISA require organizations to do?
Apply mitigations per vendor instructions, follow BOD 22-01, or discontinue use of the product if mitigations are not available, with a remediation due date of 2026-05-04 for U.S. federal civilian agencies.
Sources (primary)
This article is an independent compilation based on the U.S. official data below. Always verify the exact, latest details and applicability with the official and vendor sources.
- CISA KEV Catalog (known exploited list)
- NVD (CVE details / CVSS)
- Vendor / reference advisory
- This product uses data from the NVD API but is not endorsed or certified by the NVD. KEV data is CC0 (public domain).