Introduction
On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) escalated the threat landscape by adding eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This update includes critical security flaws in PaperCut and Cisco Catalyst SD-WAN Manager, both of which have confirmed evidence of active exploitation in the wild.
For defenders, this is not a theoretical exercise. The inclusion of these flaws in the KEV catalog signals that threat actors are already leveraging them to gain initial access and move laterally within networks. Federal civilian executive branch agencies (FCEB) have been mandated to apply patches by April and May 2026. For private organizations, the deadline is effectively "now." Given the privileged context of print management and SD-WAN infrastructure, failing to remediate these vulnerabilities provides a perfect gateway for ransomware operations.
Technical Analysis
CVE-2023-27351: PaperCut Improper Authentication (CVSS 8.2)
- Affected Products: PaperCut MF and PaperCut NG.
- Vulnerability Type: Improper Authentication leading to Remote Code Execution (RCE).
- Platform: Windows and Linux servers running the PaperCut Application Server.
Defender's Breakdown: CVE-2023-27351 allows an unauthenticated attacker to bypass authentication mechanisms in the PaperCut web interface. The vulnerability is triggered by sending a specific HTTP request to a vulnerable endpoint. Once authenticated (fraudulently), the attacker can exploit existing functionality to execute arbitrary system commands.
The PaperCut service often runs with high privileges (SYSTEM on Windows, root on Linux) to manage printer drivers and spoolers. Consequently, successful exploitation grants the attacker immediate control over the host, allowing for deployment of webshells, credential dumping, and ransomware encryption.
Exploitation Status:
- CISA KEV: Added due to active, in-the-wild exploitation.
- Availability: Proof-of-concept (PoC) exploits are publicly available, lowering the barrier to entry for script kiddies and automated scanners.
Cisco Catalyst SD-WAN Manager Flaws
While specific CVE details for the SD-WAN Manager were less granular in the initial report, CISA has flagged three separate vulnerabilities impacting this platform. These devices are critical network ingress/egress points. Exploitation here allows attackers to manipulate routing tables, intercept traffic, or pivot into the core network. Active exploitation has been confirmed, requiring immediate isolation of management interfaces until patches are applied.
Detection & Response
Detecting exploitation of PaperCut (CVE-2023-27351) requires focusing on the behavior of the java.exe process (which hosts the PaperCut application) spawning unauthorized child processes like cmd.exe or powershell.exe.
SIGMA Rules
---
title: PaperCut Web Interface Spawning Shell - Potential CVE-2023-27351 Exploitation
id: 9c2f3e4a-5b6d-7e8f-9a0b-1c2d3e4f5a6b
status: experimental
description: Detects exploitation of CVE-2023-27351 where the PaperCut Java process spawns a Windows command shell or PowerShell.
references:
- https://nvd.nist.gov/vuln/detail/CVE-2023-27351
author: Security Arsenal
date: 2026/04/07
tags:
- attack.initial_access
- attack.execution
- attack.t1059.001
- cve.2023.27351
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentCommandLine|contains:
- 'papercut'
selection_child:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
condition: all of selection_*
falsepositives:
- Legitimate administrative debugging (rare)
level: critical
---
title: Suspicious File Creation in PaperCut Directory
id: 1d2e3f4a-5b6c-7d8e-9f0a-1b2c3d4e5f6a
status: experimental
description: Detects creation of suspicious executables or scripts within the PaperCut installation directory, a common tactic for persistence post-exploitation.
references:
- https://attack.mitre.org/techniques/T1505/
author: Security Arsenal
date: 2026/04/07
tags:
- attack.persistence
- attack.t1505.003
logsource:
category: file_create
product: windows
detection:
selection:
TargetFilename|contains:
- '\PaperCut\'
TargetFilename|endswith:
- '.exe'
- '.dll'
- '.ps1'
- '.bat'
- '.jsp'
- '.war'
filter_legit:
Image|contains:
- '\PaperCut\'
condition: selection and not filter_legit
falsepositives:
- Software updates or legitimate plugin installation
level: high
KQL (Microsoft Sentinel / Defender)
// Hunt for PaperCut Java process spawning suspicious shells
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "java.exe"
| where InitiatingProcessCommandLine contains "papercut"
| where ProcessFileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, FileName, FolderPath
| extend HostName = DeviceName
| order by Timestamp desc
Velociraptor VQL
// Hunt for PaperCut exploitation artifacts on Linux/Windows endpoints
SELECT Pid, Name, CommandLine, Exe, Username, Parent.Pid as ParentPid, Parent.Name as ParentName
FROM pslist()
WHERE Name IN ("cmd.exe", "powershell.exe", "pwsh", "bash", "sh")
AND Parent.Name =~ "java"
AND Parent.CommandLine =~ "papercut"
Remediation Script (PowerShell)
# Check PaperCut Version for CVE-2023-27351 Vulnerability
# Vulnerable: PaperCut MF/NG < 20.1.7, < 21.2.11, < 22.0.9, < 22.1.4
$RegPaths = @(
"HKLM:\SOFTWARE\PaperCut MF International",
"HKLM:\SOFTWARE\PaperCut NG International",
"HKLM:\SOFTWARE\Wow6432Node\PaperCut MF International",
"HKLM:\SOFTWARE\Wow6432Node\PaperCut NG International"
)
Write-Host "[*] Checking for PaperCut installations..." -ForegroundColor Cyan
foreach ($Path in $RegPaths) {
if (Test-Path $Path) {
$Version = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).version
$InstallPath = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue)."app-dir"
if ($Version) {
Write-Host "[+] Found PaperCut Version: $Version at $InstallPath" -ForegroundColor Yellow
$Parts = $Version.Split('.')
if ($Parts.Length -ge 3) {
$Major = [int]$Parts[0]
$Minor = [int]$Parts[1]
$Patch = [int]$Parts[2]
$IsVulnerable = $false
# Logic for specific vulnerable branches
if ($Major -eq 20 -and $Minor -eq 1 -and $Patch -lt 7) { $IsVulnerable = $true }
if ($Major -eq 21 -and $Minor -eq 2 -and $Patch -lt 11) { $IsVulnerable = $true }
if ($Major -eq 22 -and $Minor -eq 0 -and $Patch -lt 9) { $IsVulnerable = $true }
if ($Major -eq 22 -and $Minor -eq 1 -and $Patch -lt 4) { $IsVulnerable = $true }
if ($IsVulnerable) {
Write-Host "[!] ALERT: System is VULNERABLE to CVE-2023-27351." -ForegroundColor Red
} else {
Write-Host "[+] System appears patched based on version check." -ForegroundColor Green
}
}
}
}
}
Remediation
PaperCut (CVE-2023-27351):
- Patch Immediately: Update to the latest stable version. Minimum fixed versions:
- 20.1.x: Update to 20.1.7 or later.
- 21.2.x: Update to 21.2.11 or later.
- 22.0.x: Update to 22.0.9 or later.
- 22.1.x: Update to 22.1.4 or later.
- Network Segmentation: If patching is delayed, restrict access to the PaperCut admin interface (ports 9191/9192) strictly to management subnets.
- Audit: Review logs for signs of exploitation dating back to the disclosure of this vulnerability.
Cisco Catalyst SD-WAN Manager:
- Apply Updates: Refer to the specific Cisco security advisory associated with the CISA KEV update and apply the relevant patches for SD-WAN Manager.
- Review Access: Ensure the management interface is not exposed to the public internet.
CISA Deadlines:
- Cisco SD-WAN Manager: Patch by April 21, 2026.
- PaperCut CVE-2023-27351: Patch by May 13, 2026.
Related Resources
Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.