CVE-2023-27350 · PaperCut RCE PoC

One HTTP request, full SYSTEM shell · the PaperCut CVE-2023-27350 auth bypass, live from recon to reverse shell.

PoC exploiting the PaperCut MF/NG authentication-bypass flaw (CVSS 9.8). The SetupCompleted page skips auth, and the Print Scripting console runs arbitrary code from there · our script chains both and returns a Windows SYSTEM-level reverse shell to the attacker machine. Full end-to-end demo: recon, payload, shell.

THE PROBLEM

  • Print servers rarely get security audits yet sit in the middle of the network
  • 'Hidden' admin pages are often reachable without auth · SetupCompleted is the textbook case
  • Print Scripting spawns processes from JS with no sandbox · that code runs as SYSTEM

WHAT THE CLIENT GOT

  • Concrete proof that a forgotten PaperCut box gets owned in minutes
  • Shows why closing ports isn't the fix · logic flaws are the real attack surface
  • Exact remediation path: upgrade to 20.1.7 / 21.2.11 / 22.0.9+ and segment the print LAN
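The remediation line above can be turned into a fleet check. The following is an added example, not part of the original PoC or of PaperCut's tooling: it classifies reported PaperCut MF/NG version strings against the fixed releases listed on this page. The inventory, hostnames and build strings are constructed, and the function names are hypothetical.

```python
import re

# Fixed releases per major branch, taken from the remediation line above.
FIXED = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a string such as '21.2.10 (Build 63914)'."""
    m = _VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Classify one reported version as 'patched', 'vulnerable' or 'unknown'."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"        # unparseable: verify by hand, never assume safe
    major = v[0]
    if major > max(FIXED):
        return "patched"        # newer branch than any fixed release listed
    if major < min(FIXED):
        return "vulnerable"     # below 20.1.7, no fixed release for that branch listed
    return "patched" if v >= FIXED[major] else "vulnerable"


def triage(inventory):
    """Return (host, status) pairs that need action, vulnerable hosts first."""
    order = {"vulnerable": 0, "unknown": 1}
    flagged = [(h, classify(v)) for h, v in inventory.items()]
    flagged = [(h, s) for h, s in flagged if s != "patched"]
    return sorted(flagged, key=lambda hs: (order[hs[1]], hs[0]))


# Constructed sample inventory (hostnames and build strings are made up).
SAMPLE = {
    "print-hq": "22.0.8 (Build 65201)",
    "print-lab": "21.2.11",
    "print-old": "19.2.3",
    "print-new": "23.0.1",
    "print-dmz": "20.1.6",
    "print-x": "n/a",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(f"{host}: {status}")
```

Hosts reported as unknown are listed for manual verification rather than treated as safe.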

WHAT WE DELIVERED

  • Exploits PaperCut MF/NG below 20.1.7 / 21.2.11 / 22.0.9
  • Python PoC · 1 HTTP POST to bypass, 1 to run code
  • SYSTEM / root reverse shell back to the attacker box
  • Clean recon → exploit → shell demo in 4 seconds

STACK

  • Python
  • requests
  • PaperCut MF/NG
  • Netcat