PaperCut Software urges customers to update unpatched MF/NG servers against RCE exploits
Find more information on these vulnerabilities and how to upgrade on our Knowledge Base.
On 10 January 2023, we received two vulnerability reports from third-party cybersecurity company Trend Micro, reporting two critical RCE bugs impacting PaperCut MF and PaperCut NG. In coordination with Trend Micro, patches were released ahead of disclosure to give time for customers to update.
“We’ve had reports of customers being late to patch, and as a result their servers have been exposed for a number of weeks,” says Chris Dance, PaperCut CEO and founder. As of 18 April 2023, PaperCut Software has evidence to suggest that unpatched PaperCut MF and PaperCut NG servers are being exploited in the wild via these RCE vulnerabilities known as ZDI-CAN-18987 / PO-1216 (CVE-2023-27350) and ZDI-CAN-19226 / PO-1219 (CVE-2023-27351).
Both of these RCE vulnerabilities have been fixed since 8 March 2023. We patched each vulnerability in currently supported PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9. Previous versions are also vulnerable. Please see our End-of-Life policy for information about older versions of PaperCut MF and PaperCut NG.
Our immediate advice is to upgrade your PaperCut Application Servers to one of the fixed Maintenance Releases listed above.
PaperCut CEO and founder Chris Dance has issued the following statement:
“It’s very important that customers upgrade their server. Particularly if the server is offered to end users via the internet. Or if they’re on a large open network such as a university campus.
“To make it easy for administrators, we’ve made sure that we’ve applied the patch to all currently supported versions of PaperCut. Meaning the change from the given version is as minimal as possible.
“We’d like to thank Trend Micro for responsibly disclosing this to us. We were able to get a patch to market, well ahead of it being published. Like most things in the security space, it’s important that all organizations keep our patches regularly up to date, so they minimize that window of exposure.
“We are mindful that this has an impact on our customers. PaperCut takes our customers’ security very seriously. We’re actively communicating this situation to customers directly and through our partner network. We will continue to support them where needed to ensure all organizations using PaperCut print management remain safe and secure.” - Chris Dance, PaperCut CEO & founder
Each RCE vulnerability has been fixed. We recommend that impacted organizations apply our security updates immediately.
Upgrade your PaperCut Application Servers to the applicable latest release of PaperCut MF and PaperCut NG, currently versions: 20.1.7, 21.2.11, and 22.0.9.