CVE-2023-27351
Summary
| CVE | CVE-2023-27351 |
|---|---|
| State | PUBLISHED |
| Assigner | zdi |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-04-20 16:15:07 UTC |
| Updated | 2026-04-21 12:48:26 UTC |
| Description | This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.832840000 probability, percentile 0.992850000 (date 2026-05-29)
CISA KEV: Listed on 2026-04-20; due 2026-05-04; ransomware use Known
Problem Types: CWE-287: Improper Authentication
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 3.0 | [email protected] | Secondary | 8.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
| 3.0 | CNA | DECLARED | 8.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | None |
| Availability | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVSS v3.0 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | Low |
| Availability | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
CISA Known Exploited Vulnerability
| Vendor | PaperCut |
|---|---|
| Product | NG/MF |
| Name | PaperCut NG/MF Improper Authentication Vulnerability |
| Required Action | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. |
| Notes | https://www.papercut.com/kb/Main/PO-1216-and-PO-1219 ; https://nvd.nist.gov/vuln/detail/CVE-2023-27351 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Papercut | Papercut Mf | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.cisa.gov/known-exploited-vulnerabilities-catalog | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | www.cisa.gov | US Government Resource |
| APRIL 19 UPDATE \| PaperCut MF/NG vulnerability bulletin (March 2023) \| PaperCut | af854a3a-2127-422b-91ae-364da2661108 | www.papercut.com | Vendor Advisory |
| ZDI-23-232 \| Zero Day Initiative | af854a3a-2127-422b-91ae-364da2661108 | www.zerodayinitiative.com | Third Party Advisory, VDB Entry |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
Vendor Comments And Credit
Discovery Credit
CNA: Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-04-20T00:00:00.000Z | CVE-2023-27351 added to CISA KEV |