criticalCISA KEVCVE-2023-27351

PaperCut NG/MF Improper Authentication Vulnerability

PaperCut NG/MF contains an improper authentication vulnerability that could allow remote attackers to bypass authentication on affected installations via the SecurityRequestFilter class.

ProductNG/MF
CVSS7.5
EPSS0.7842
UpdatedJuly 9, 2026

Quick answer

PaperCut NG/MF should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Review vendor advisory for affected versions.

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

Treat CVE-2023-27351 as an actively exploited PaperCut NG/MF authentication bypass risk. PaperCut states that affected MF/NG versions include older 15.x-19.2.7, 20.0.0-20.1.6, 21.0.0-21.2.10, and 22.0.0-22.0.8 ranges, and that fixed versions include 20.1.7, 21.2.11, and 22.0.9 or later. Patch Application Servers and Site Servers immediately, especially internet-facing systems. Because CISA and the local record mark exploitation as known, investigate for compromise before considering the issue closed.

  1. Inventory every PaperCut MF and NG Application Server, Site Server, public admin URL, print server, and proxy path.
  2. Identify affected PaperCut versions in the 15.0.0-19.2.7, 20.0.0-20.1.6, 21.0.0-21.2.10, and 22.0.0-22.0.8 ranges.
  3. Upgrade affected systems to PaperCut 20.1.7, 21.2.11, 22.0.9, or a later supported fixed release.
  4. Restrict PaperCut administrative and application endpoints to trusted administrator networks or VPN until patching is verified.
  5. Review PaperCut application logs, server logs, print job activity, admin accounts, integrations, and scheduled tasks for suspicious changes.
  6. Follow PaperCut incident response guidance if exploitation indicators are found, including preserving logs and evidence.
  7. Rotate PaperCut administrator credentials, service credentials, and integration secrets if unauthorized access is suspected.
  8. Rebuild or restore from trusted backups if persistence or unauthorized code execution is identified.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm every PaperCut MF/NG Application Server and Site Server reports 20.1.7, 21.2.11, 22.0.9, or later.
  • Confirm PaperCut admin and application endpoints are not directly exposed to untrusted networks unless explicitly required and protected.
  • Confirm vulnerability management no longer flags CVE-2023-27351 on PaperCut hosts.
  • Review post-upgrade logs for continued authentication bypass attempts or unexpected admin activity.
  • Run a Fixnx scan against public PaperCut hostnames to verify exposure was reduced.

Related categories

Trusted references

FAQ

What is affected by CVE-2023-27351?

PaperCut NG/MF should be checked against the vendor advisory and trusted references linked on this page.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.