Print management software developer PaperCut is warning customers to update their software immediately as hackers are actively exploiting vulnerabilities to gain access to vulnerable servers.
PaperCut makes print management software compatible with all major brands and platforms. It is used by large companies, state organizations and educational institutes, while the official website claims that it serves hundreds of millions of people in over 100 countries.
The company says it received two reports from cybersecurity firm Trend Micro on January 10, 2023, informing it of two flaws, one critical and one high severity, affecting PaperCut MF/NG.
The two flaws are:
- ZDI-CAN-18987 / PO-1216: Unauthenticated remote code execution flaw affecting all versions 8.0 or later of PaperCut MF or NG on all OS platforms, for application and site servers. (CVSS v3.1 score: 9.8 – critical)
- ZDI-CAN-19226 / PO-1219: Unauthenticated information disclosure flaw affecting all versions 15.0 or later of PaperCut MF or NG on all OS platforms, for application servers. (CVSS v3.1 score: 8.2 – high)
Today, the software developer updated its March 2023 security bulletin to warn customers that the vulnerabilities are now being actively exploited by hackers.
“As of April 18, 2023, we have evidence to suggest unpatched servers are being exploited in the wild (specifically ZDI-CAN-18987/PO-1216)” reads the bulletin.
“As a precaution, we are unable to reveal too much about these vulnerabilities.”
Trend Micro says they will disclose more information about the vulnerabilities on May 10, 2023, allowing sufficient time for affected organizations to apply security updates.
Users of affected versions are recommended to upgrade to PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later. For more instructions on upgrading products, check out this guide.
Versions prior to 19 have reached their “end of life” and are no longer supported, so PaperCut will not offer security updates for these versions. PaperCut recommends businesses purchase an updated license if they are using an older, unsupported version.
PaperCut has no mitigation for the first flaw, while the second can be mitigated by applying the “Allowed List” restrictions under “Options > Advanced > Security > Allowed Site Server IP Addresses” and setting it only to allow IP addresses of verified site servers on your network.
Check for Compromised Servers
PaperCut says there’s no way to determine with 100% certainty if a server has been hacked, but recommends administrators take the following steps to investigate:
- Look for suspicious activity in Logs > Application Log in the PaperCut admin interface.
- In particular, watch for updates made by a user called [setup wizard].
- Look for new (suspicious) users being created or other configuration keys being tampered with.
- If your Application Server logs are in debug mode, check for lines that mention SetupCompleted at a time unrelated to the server installation or upgrade. Server logs can be found for example in [app-path]/server/logs/*.* where server.log is normally the most recent log file.
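The checks above can be automated over exported log lines. The following script is an added example written for this article, not PaperCut's own tooling: it flags SetupCompleted entries that fall outside a known install or upgrade window and any entry attributed to the [setup wizard] user. The log line layout (timestamp, level, message), the sample lines and the configuration key and user names in them are constructed for the example; real server.log output may differ, so adjust parse_line() to match your files.

```python
"""Scan PaperCut-style server log lines for the indicators listed in the vendor advisory.

The line format is an ASSUMPTION for this example: an ISO-8601 timestamp,
a log level and a free-text message. Adjust LINE_RE/parse_line() for real files.
"""
import re
from datetime import datetime, timedelta

# Assumed line shape: "2023-04-15 02:13:44 INFO  Some message"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\w+)\s+(.*)$")


def parse_line(line):
    """Return (timestamp, level, message), or None if the line does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def find_indicators(lines, maintenance_windows, grace=timedelta(minutes=30)):
    """Return a list of (reason, raw_line) findings.

    maintenance_windows: datetimes at which an install or upgrade was legitimately run.
    A SetupCompleted entry within `grace` of one of them is expected; any other
    SetupCompleted entry is flagged, as is any entry mentioning [setup wizard].
    """
    findings = []
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue  # skip stack traces / continuation lines that do not start with a timestamp
        ts, _level, msg = parsed
        if "SetupCompleted" in msg:
            expected = any(abs(ts - window) <= grace for window in maintenance_windows)
            if not expected:
                findings.append(("SetupCompleted outside maintenance window", raw))
        if "[setup wizard]" in msg:
            findings.append(("activity attributed to [setup wizard]", raw))
    return findings


# Constructed sample log lines (not real PaperCut output); the config key and
# user name are placeholders invented for this example.
SAMPLE_LOG = """\
2023-03-02 09:00:01 INFO  Upgrade started
2023-03-02 09:05:12 DEBUG SetupCompleted
2023-04-15 02:13:44 DEBUG SetupCompleted
2023-04-15 02:14:02 INFO  User [setup wizard] updated config key example.config.key
2023-04-15 02:14:30 INFO  User [setup wizard] created user example-new-admin
2023-04-15 08:00:00 INFO  Scheduled report run
""".splitlines()

# The only legitimate upgrade the administrator knows about (constructed).
KNOWN_UPGRADES = [datetime(2023, 3, 2, 9, 0)]

if __name__ == "__main__":
    for reason, line in find_indicators(SAMPLE_LOG, KNOWN_UPGRADES):
        print(f"[!] {reason}: {line}")
```

Run it against lines read from [app-path]/server/logs/server.log with the dates of your own installs and upgrades in KNOWN_UPGRADES; the SetupCompleted check only applies when the server was logging at debug level, and an empty result does not prove the server is clean, since an attacker may have removed log entries.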
Note that although the above checks may reveal malicious activity, attackers may have deleted traces of their activity from the logs.
Therefore, administrators who suspect that their servers have been compromised are advised to perform backups, wipe the application server, and rebuild everything from a safe backup point.