PaperCut's other bug just became a ransomware vector again
CVE-2023-27351, the auth bypass that lived in CVE-2023-27350's shadow, is back. Storm-1175 is deploying Medusa ransomware through it with sub-24-hour exploitation tempo. CISA added it to KEV in April 2026. If you patched the RCE in 2023 and moved on, check whether the auth bypass actually closed.
CISA added CVE-2023-27351 to the Known Exploited Vulnerabilities catalog on April 20, 2026, with a compliance deadline of May 4. The bug is a CVSS 8.2 authentication bypass in PaperCut NG and MF’s SecurityRequestFilter class. It lets an unauthenticated attacker pull usernames, email addresses, hashed passwords, and (if the billing feature is enabled) payment card numbers directly out of the print management server. Microsoft attributes the renewed exploitation to Storm-1175, a Medusa ransomware affiliate operating with sub-24-hour time from initial access to payload deployment.
This is a three-year-old vulnerability. You probably patched PaperCut in 2023. The question is whether you patched the right one.
The shadow bug
In March 2023, PaperCut disclosed two vulnerabilities in the same advisory. CVE-2023-27350 was the headline: a CVSS 9.8 unauthenticated remote code execution via the SetupCompleted class. It got wall-to-wall coverage. Lace Tempest, the cluster Microsoft ties to Cl0p deployments, hit it. LockBit operators chained it. Bl00dy Gang ran it against schools. Iranian state groups (Mint Sandstorm, Mango Sandstorm) built tooling around it. That bug was loud, dramatic, and had its own news cycle.
CVE-2023-27351 sat next to it in the same advisory. Authentication bypass. Data disclosure, not code execution. CVSS 8.2, which reads like a footnote when a 9.8 sits in the same paragraph. Many organizations patched -27350 because it was the one screaming at them from every threat intel feed. Whether -27351 was also closed depended on whether you upgraded or applied a workaround, whether you verified the installed version afterwards, and whether your change ticket said “patch PaperCut RCE” or “upgrade PaperCut to 22.0.9+.”
The versions that fix both bugs: 20.1.7, 21.2.11, and 22.0.9, plus every later release (23.x and up). If you jumped to any of those, you’re covered on both. But if you applied a workaround for -27350 (restricting access to the SetupCompleted page) and called it done, -27351 is still open. The auth bypass lives in a different class (SecurityRequestFilter), and restricting one page does not close the other.
What Storm-1175 is doing with it
Storm-1175 is a Microsoft-tracked threat cluster affiliated with Medusa ransomware operations. Their operational signature is speed: initial access to encryption in under 24 hours. The authentication bypass gives them a clean entry point. They are not running code on the PaperCut server (that would be -27350). They are extracting credentials, then cracking or reusing them to move laterally with valid authentication material.
The data exposed by -27351 is exactly what you need for password spraying and credential stuffing against adjacent systems: usernames, email addresses, hashed passwords. In education environments (PaperCut’s largest vertical), those usernames often map directly to Active Directory accounts. One caveat: PaperCut normally checks directory-synced users’ passwords against the directory itself, so the hashes it stores are mainly those of internal accounts and the built-in admin. A crackable hash from PaperCut plus password reuse yields a working domain credential without touching a single exploit, and even without the hashes, the username and email list is a verified target list for spraying.
This is why the bug came back. It is not a flashy initial-access vector. It is a quiet credential farm that feeds the next stage of the kill chain.
Who is exposed
PaperCut NG and MF versions from 15.0 up to, but not including, the fixed release on each branch are affected by -27351: that is 20.1.6 and below, 21.2.10 and below, 22.0.8 and below, and every 15.x through 19.x release (-27350 reaches further back, to 8.0). In 2023, Shodan showed approximately 1,700 internet-facing PaperCut instances. PaperCut’s own numbers at the time suggested about 2% of their install base remained unpatched even after active exploitation of -27350 began. Education institutions are the largest single vertical.
If your PaperCut instance sits behind a VPN or firewall and does not expose ports 9191 (HTTP) or 9192 (HTTPS) to the internet, you are not in the blast radius for opportunistic scanning. But if Storm-1175 already has internal network access through another vector (phishing, a VPN exploit, access bought from an initial access broker), an unpatched PaperCut server on the LAN is a credential goldmine that does not require any further exploitation to query.
What to do this week
Check your installed version. Log into PaperCut’s admin console and look at the About page. If you are below 20.1.7 (for the 20.x branch), 21.2.11 (for 21.x), or 22.0.9 (for 22.x), you are exposed to both -27350 and -27351. Both CVEs were fixed in the same release on each branch, so there is no version that closes the RCE but leaves the auth bypass open; the gap is the workaround-instead-of-upgrade path. Anything on 19.x or older has no fixed release on its branch and needs to move to a supported one.
If you cannot patch immediately, restrict ports 9191 (HTTP) and 9192 (HTTPS) at the firewall to the subnets that actually need them, and block external access to the PaperCut web interface entirely. The built-in allowed-admin-IP option in PaperCut can further restrict admin access to specific addresses. None of this fixes the bug, but it shrinks the attack surface to internal-only.
Check PaperCut logs for anomalous access. In the web server access logs, look for requests to admin or API pages that returned content to sources outside your admin subnets without a preceding login, for hits on the SetupCompleted page (the -27350 probe), for admin logins from unexpected sources, and for print script modifications. The existing Splunk and Sigma detection content for PaperCut was written largely around -27350 behaviors (SetupCompleted requests, shells spawned by the PaperCut service), so do not assume it covers a quiet data-disclosure bypass; a request that should have been redirected to the login page and got a 200 instead is the pattern to hunt for.
If the billing feature was ever enabled on a vulnerable version, assume card data was accessible for the whole exposure window. Even if no exfiltration is confirmed, that window matters for PCI DSS scope and incident reporting. Talk to your compliance team before Thursday.
Check whether credentials exposed by PaperCut are reused elsewhere. Usernames and hashed passwords from PaperCut’s database may match Active Directory or SSO accounts, particularly in education environments where print credentials are often synced from the directory. If those hashes are crackable (weak algorithm or weak passwords), lateral movement becomes trivial.
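The version triage and the log review above, worked as one added example (not PaperCut’s own tooling). The first half answers “is the installed version at or above the release that fixed both CVEs on its branch” and models the SetupCompleted workaround as mitigating -27350 only; the second half scans access-log lines for admin-page requests that deserve a second look. The Apache-style log format, the admin path patterns and the sample log lines are assumptions constructed for illustration, so match them to what your own server actually writes.

```python
"""Added triage example for the checklist above; not PaperCut's own tooling.

Part 1: is the installed version at or above the release that fixed BOTH
CVEs on its branch (20.1.7 / 21.2.11 / 22.0.9)?  Part 2: scan web-access
log lines for admin-page requests worth a second look.  The Apache-style
log format, the admin path patterns and the sample lines are assumptions
constructed for illustration; match them to your own server logs.
"""
import re
from ipaddress import ip_address, ip_network

# Fixed release per branch (both CVEs were fixed in the same release).
FIXED = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}
# First affected version per CVE, from the 2023 advisory.
FIRST_AFFECTED = {"CVE-2023-27350": (8, 0, 0), "CVE-2023-27351": (15, 0, 0)}


def parse_version(text):
    """'22.0.8' or '22.0.8 (Build 65993)' -> (22, 0, 8)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised PaperCut version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def cve_status(version, setup_completed_blocked=False):
    """Map each CVE to 'fixed', 'mitigated', 'open' or 'not-affected'.

    setup_completed_blocked models the 2023 workaround of restricting the
    SetupCompleted page.  It only mitigates -27350; -27351 lives in
    SecurityRequestFilter and is untouched by it.
    """
    v = parse_version(version)
    fixed_for_branch = FIXED.get(v[0])
    # 23.x and later shipped after 22.0.9 and carry both fixes forward;
    # 19.x and older have no fixed release on their branch at all.
    patched = v[0] > 22 or (fixed_for_branch is not None and v >= fixed_for_branch)
    status = {}
    for cve, first in FIRST_AFFECTED.items():
        if v < first:
            status[cve] = "not-affected"
        elif patched:
            status[cve] = "fixed"
        elif cve == "CVE-2023-27350" and setup_completed_blocked:
            status[cve] = "mitigated"
        else:
            status[cve] = "open"
    return status


# Apache-style access log: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SETUP_COMPLETED = re.compile(r"service=page/SetupCompleted")
# Assumed admin/API surface; adjust to what your instance actually serves.
ADMIN_PATHS = (
    re.compile(r"^/admin"),
    re.compile(r"^/app\?service=page/"),
    re.compile(r"^/api/"),
)


def suspicious_requests(log_lines, admin_networks):
    """Return (ip, path, reason) tuples for lines to review.

    Any SetupCompleted hit is flagged (the -27350 page).  Admin paths that
    returned 200 to a source outside admin_networks are flagged because a
    normal login flow would have redirected (302) to the login page first.
    """
    nets = [ip_network(n) for n in admin_networks]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        ip, path, status = m["ip"], m["path"], m["status"]
        if SETUP_COMPLETED.search(path):
            hits.append((ip, path, "rce-probe"))
            continue
        if not any(p.search(path) for p in ADMIN_PATHS):
            continue
        if status == "200" and not any(ip_address(ip) in n for n in nets):
            hits.append((ip, path, "unauth-admin"))
    return hits


# Constructed sample lines; page names are illustrative, not real endpoints.
SAMPLE_LOG = [
    '10.20.0.15 - - [20/Apr/2026:08:01:10 +0000] "GET /admin HTTP/1.1" 200 5120',
    '203.0.113.45 - - [20/Apr/2026:08:03:22 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 200 2211',
    '203.0.113.45 - - [20/Apr/2026:08:03:25 +0000] "GET /app?service=page/UserList HTTP/1.1" 200 7744',
    '198.51.100.7 - - [20/Apr/2026:08:05:01 +0000] "GET /admin HTTP/1.1" 302 0',
    '10.20.0.15 - - [20/Apr/2026:08:06:40 +0000] "GET /app?service=page/PrinterList HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for ver in ("22.0.8", "21.2.11", "19.2.3"):
        print(ver, cve_status(ver, setup_completed_blocked=True))
    for hit in suspicious_requests(SAMPLE_LOG, ["10.20.0.0/16"]):
        print(*hit)
```

Run against the sample, 22.0.8 with the workaround applied comes back as -27350 mitigated but -27351 open, which is exactly the state this article is about, and the log scan flags the SetupCompleted probe and the external 200 on an admin page while ignoring the admin-subnet traffic and the 302 that went to the login page. The 200-versus-302 heuristic is a starting point, not a signature: tune the path patterns and admin subnets to your deployment before trusting its silence.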
The operational lesson
The CISA KEV deadline was May 4. If you are reading this on the 5th, you are already past the federal compliance date. For non-federal organizations, the KEV catalog is still the best proxy for “this is being exploited right now, not hypothetically.” The deadline is a signal, not a legal requirement for most shops.
The broader pattern here is worth naming. When two vulnerabilities ship in the same advisory and one is dramatically more severe, the less severe bug gets triaged as “handled” by proximity. Change tickets close. Scanners stop flagging. Three years pass. Then a new actor picks up the quieter bug because everyone assumed it was covered, and nobody went back to verify.
If your patch validation process checks “is the CVE fixed” rather than “is the installed version at or above the fixed version for all disclosed issues,” this is the gap that catches you. One advisory, two CVEs, two different vulnerable classes, one upgrade path that covers both. The teams that upgraded to 22.0.9 are fine. The teams that applied the RCE workaround and closed the ticket are not.
Print servers are not glamorous infrastructure. They do not get the same patching urgency as domain controllers or edge firewalls. But they sit on the network, they hold credentials, and they are running web services that threat actors have tooling for. Storm-1175 is not exploiting PaperCut because print management is interesting. They are exploiting it because it is forgotten.