Lyrie
By Lyrie Threat Intelligence · 4/20/2026

What happened

CISA added CVE-2023-27351 (PaperCut NG/MF) to the Known Exploited Vulnerabilities catalog on 2026-04-20, with a remediation due date of 2026-05-04 (CISA KEV). The flaw is an improper authentication issue (CWE-287) that allows remote attackers to bypass authentication on affected installations via the SecurityRequestFilter class (NVD CVE-2023-27351). CISA flags this entry as used in ransomware campaigns, which raises the urgency of patching or mitigating (CISA KEV).

MITRE and NIST track the CVE under the same identifier and description, confirming the affected product as PaperCut NG/MF (MITRE CVE-2023-27351) and classifying the weakness as CWE-287 Improper Authentication (NVD CVE-2023-27351).

Why it matters

When authentication can be bypassed, access control collapses and administrative surfaces can be reached without credentials. This is the essence of CWE-287 Improper Authentication (NVD CWE mapping). KEV inclusion means exploitation has been observed in the wild and remediation is mandated for federal agencies within the listed window (CISA KEV). The ransomware-use designation raises the risk profile of any Internet-exposed or high-privilege PaperCut deployment (CISA KEV).

For environments where PaperCut ties into identity, billing, or fleet management, an auth bypass on the controller service becomes a direct path to sensitive configuration and data; this aligns with the impact expectations of CWE-287 weaknesses (NVD entry).

Technical detail

CVE-2023-27351 affects PaperCut NG/MF and stems from an Improper Authentication condition in request handling; specifically, authentication can be bypassed via the SecurityRequestFilter class on vulnerable builds (CISA KEV). The vulnerability is categorized under CWE-287 and permits a remote attacker to access functionality without valid credentials on affected installations (NVD CVE record). The identity and product scoping are corroborated by the canonical CVE record maintained by MITRE (MITRE record).

CISA’s entry sets the context: confirmed exploitation, ransomware involvement, and a federal remediation deadline (2026-05-04), signaling defenders to treat this as an active threat rather than a theoretical risk (CISA KEV).

Defense

  • Patch/mitigate now: Follow vendor guidance as directed by CISA KEV and complete remediation by the listed due date (2026-05-04) where applicable (CISA KEV).
  • Reduce exposure: Until patched, restrict PaperCut management interfaces to trusted networks/VPN and remove direct Internet exposure; KEV status indicates active exploitation pressure (CISA KEV).
  • Validate versions and scope: Confirm the impacted application is PaperCut NG/MF as defined in the CVE, and ensure all nodes/HA pairs are uniformly remediated (MITRE CVE).
  • Log review and hunting: Scrutinize authentication and admin-action logs for requests that succeed without the expected credential flow or session establishment, the pattern an Improper Authentication weakness produces (NVD CWE mapping).
  • Ransomware readiness: Given CISA’s ransomware-use note, pre-stage isolation for the PaperCut server and downstream print shares; watch for lateral movement triggers post-access (CISA KEV).
  • Compliance: For federal environments, align actions to the KEV due date and the catalog’s required action language (apply mitigations per vendor instructions and applicable BOD 22-01 cloud guidance) (CISA KEV).

Lyrie Verdict

Auth-bypass defects like CVE-2023-27351 eliminate the signal of “failed logins,” collapsing human-in-the-loop alerting windows. KEV status and ransomware use mean this moves at operator speed, not helpdesk pace (CISA KEV). Lyrie’s stance: treat PaperCut as a protected control-plane service and enforce autonomous detection on the request-path semantics: flag credential-less transitions to privileged routes and instantaneously quarantine anomalous PaperCut service behavior. Pair that with machine-speed containment for any host presenting authentication-free access patterns consistent with CWE-287 classes (NVD entry). In short: do not wait for users to report print failures; instrument and auto-respond at packet and process speed.

Lyrie Verdict

Auth-bypass defects remove the usual login-failure signal; KEV + ransomware use demand machine-speed action. Lyrie prioritizes PaperCut as control-plane: baseline request-path semantics, flag credential-less transitions to privileged routes, and auto-quarantine anomalous service behavior—contain hosts that exhibit authentication-free access patterns consistent with CWE-287 classes.
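
The log-review bullet under Defense and the verdict's "flag credential-less transitions to privileged routes" can be prototyped as follows. This is an added example, not Lyrie's or PaperCut's code; the /login and /admin/ routes, the 302-on-login convention and the log layout are placeholder assumptions to replace with what your own reverse proxy records.

```python
import re

# Assumptions: placeholder routes and a constructed proxy log layout of
# timestamp, client IP, method, path, status, session id (or "-").
LOGIN_PATH = "/login"
PRIVILEGED_PREFIXES = ("/admin/",)
LOGIN_OK_STATUS = 302          # assumed: a successful login redirects
LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<session>\S+)$"
)

def find_unauthenticated_privileged_access(lines):
    """Return (ts, ip, path, reason) for 2xx privileged requests with no prior login."""
    authenticated = set()      # (ip, session) pairs that completed a login
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue           # unparsable line: skip rather than guess
        ip, session, path = m["ip"], m["session"], m["path"]
        status = int(m["status"])
        if m["method"] == "POST" and path == LOGIN_PATH:
            if status == LOGIN_OK_STATUS and session != "-":
                authenticated.add((ip, session))
            continue
        # Only served (2xx) privileged requests count; 302/401 means a challenge.
        if not (200 <= status < 300 and path.startswith(PRIVILEGED_PREFIXES)):
            continue
        if session == "-":
            findings.append((m["ts"], ip, path, "no session"))
        elif (ip, session) not in authenticated:
            findings.append((m["ts"], ip, path, "session without login"))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
2026-04-20T10:00:01Z 10.0.0.5 POST /login 302 s-aaa
2026-04-20T10:00:02Z 10.0.0.5 GET /admin/users 200 s-aaa
2026-04-20T10:03:10Z 203.0.113.7 GET /admin/config 200 -
2026-04-20T10:03:11Z 203.0.113.7 POST /admin/config 200 s-zzz
2026-04-20T10:04:00Z 198.51.100.9 GET /admin/users 401 -
2026-04-20T10:05:00Z 10.0.0.5 POST /login 401 s-bbb
2026-04-20T10:05:05Z 10.0.0.5 GET /admin/users 302 s-bbb
""".splitlines()

if __name__ == "__main__":
    for finding in find_unauthenticated_privileged_access(SAMPLE_LOG):
        print(finding)
```

Sessions established before the start of the log window show up as "session without login", so begin the review at a point that includes the relevant logins.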