- 20/04/2023 --- v1.0 -- Initial publication
A new security advisory has been issued concerning two critical vulnerabilities in PaperCut MF/NG, which are actively being exploited in the wild. The vulnerabilities allow unauthenticated remote code execution and information disclosure. PaperCut users are strongly urged to update their software immediately to mitigate these risks. 
The first vulnerability, identified as ZDI-CAN-18987 / PO-1216, is an unauthenticated remote code execution flaw. This vulnerability affects both application and site servers. An attacker can exploit this flaw to execute arbitrary code on the affected server without any need for authentication, potentially leading to a complete compromise of the system. This vulnerability scores 9.8 on CVSS v3.1, classifying it as critical.
The second vulnerability, identified as ZDI-CAN-19226 / PO-1219, is an unauthenticated information disclosure flaw that affects application servers only. This vulnerability allows an attacker to access sensitive user information without authentication, potentially exposing data such as usernames, full names, email addresses, office/department information, and card numbers. Additionally, the attacker may retrieve hashed passwords for internally created PaperCut users. However, password hashes for users synced from directory sources like Microsoft 365, Google Workspace, and Active Directory remain unaffected. Although this vulnerability has not been observed being exploited, it is still essential to address it. The severity of this vulnerability is high, with a CVSS v3.1 score of 8.2.
Affected versions:
- PaperCut MF or NG version 8.0 or later, on all OS platforms.
- PaperCut MF or NG version 15.0 or later, on all OS platforms.
Upgrade to PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, or 22.0.9 and later to address these vulnerabilities.
To check for exploitation, PaperCut recommends the following: 
- Look for suspicious activity in the Application Log, within the PaperCut admin interface.
- Keep an eye out in particular for any updates from a user called
- Look for new (suspicious) users being created, or other configuration keys being tampered with.
- If the Application Server logs happen to be in debug mode, check for lines mentioning SetupCompleted at a time that does not correlate with the server installation or upgrade. Server logs are kept in the server's logs directory; server.log is normally the most recent log file.
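The last check above can be automated: read the debug-mode server log, pick out every line that mentions SetupCompleted, and flag those whose timestamp falls outside a known installation or upgrade window. The script below is an added example written for this page, not PaperCut's own tooling. It assumes a log line layout of a leading "YYYY-MM-DD HH:MM:SS" timestamp followed by free text (the real server.log layout may differ, so adjust LINE_RE accordingly), and the sample log lines and maintenance window are constructed for illustration.

```python
"""Flag SetupCompleted entries in a PaperCut debug server log that fall outside
known installation/upgrade windows.

Added example, not PaperCut's own tooling. The line layout handled by LINE_RE
is an assumption: a 'YYYY-MM-DD HH:MM:SS' timestamp, optional milliseconds,
then free text.
"""
import re
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Sequence, Tuple

# Assumed layout: timestamp first (optionally followed by ,ms or .ms), then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})[,.]?\d*\s+(?P<msg>.*)$"
)
MARKER = "SetupCompleted"  # the string the advisory says to look for

Window = Tuple[datetime, datetime]


def parse_line(line: str) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, message) for a line in the assumed layout, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("msg")


def in_window(ts: datetime, windows: Sequence[Window], slack: timedelta) -> bool:
    """True if ts lies inside any known maintenance window, widened by slack."""
    return any(start - slack <= ts <= end + slack for start, end in windows)


def find_unexpected_setup_completed(
    lines: Iterable[str],
    windows: Sequence[Window],
    slack: timedelta = timedelta(minutes=30),
) -> List[Tuple[datetime, str]]:
    """Return (timestamp, raw line) for SetupCompleted entries outside all windows.

    Lines that do not parse are skipped rather than treated as hits, so a
    stray line in another layout cannot hide or fake a finding silently.
    """
    hits: List[Tuple[datetime, str]] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if MARKER in msg and not in_window(ts, windows, slack):
            hits.append((ts, line.rstrip()))
    return hits


# Constructed sample log: one legitimate upgrade in March, then a SetupCompleted
# weeks later at 03:14 with no corresponding maintenance window.
SAMPLE_LOG = """\
2023-03-01 09:58:10,001 INFO  Application server upgrade starting
2023-03-01 10:02:45,412 DEBUG SetupCompleted
2023-04-18 03:14:07,900 DEBUG SetupCompleted
2023-04-18 03:14:09,120 INFO  Configuration change recorded
""".splitlines()

# Constructed: the only upgrade the administrators know about.
MAINTENANCE_WINDOWS: List[Window] = [
    (datetime(2023, 3, 1, 9, 50), datetime(2023, 3, 1, 10, 30)),
]

if __name__ == "__main__":
    for ts, raw in find_unexpected_setup_completed(SAMPLE_LOG, MAINTENANCE_WINDOWS):
        print(f"UNEXPECTED SetupCompleted at {ts}: {raw}")
```

To run it against a real server, replace SAMPLE_LOG with the lines of server.log (and older rotated files) and fill MAINTENANCE_WINDOWS from your change records; any hit is a prompt to review the Application Log for the user changes and configuration edits listed above.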