PaperCut NG/MF Under Active Attack: Why a 2023 Bug Re-enters the CISA-KEV a Year Later
8 min. reading time · As of: 23.04.2026
On April 20, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) re-added PaperCut NG/MF to its Known Exploited Vulnerabilities catalog via CVE-2023-27351. A vulnerability from spring 2023 is being actively exploited again in early 2026. For security teams at DACH (Germany, Austria, Switzerland) companies this is less a surprise than a situation assessment: print infrastructure is operationally treated as “done”, which is precisely why it becomes an entry point. Those who don’t start an inventory sweep now will be chasing an incident that users notice early and CISOs learn about late.
Key Takeaways
- CVE-2023-27351 (PaperCut NG/MF) has been back in the CISA-KEV (Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities) catalog since April 20, 2026. Federal agencies must patch by early May.
- The vulnerability allows authentication bypass and execution of arbitrary code via the web management ports 9191/9192.
- Originally reported in March 2023, it is being actively exploited again in April 2026 because many installations were never patched or were hardened incorrectly.
- All versions before 20.1.7, 21.2.11, and 22.0.9 are affected. Current 23.x and 24.x versions are protected against the original vector.
- Security teams need a 72-hour inventory sweep across all PaperCut instances, supplemented with WAF rules, network segmentation, and hunt queries in SIEM and EDR systems.
Why a 2023 Bug is Back on Stage in 2026
What is CVE-2023-27351? CVE-2023-27351 is a critical authentication bypass in the PaperCut NG and MF management console, rated with a CVSS score of 8.1. An unauthenticated attacker can impersonate users or administrators through the default exposed web management port and execute arbitrary scripts on the server. The root cause lies in faulty session validation within a third-party scripting layer used in PaperCut for automating print jobs.
The bug became public in March 2023, and PaperCut released patches the same month. CISA had already added the vulnerability to its KEV (Known Exploited Vulnerabilities) catalog once in 2023. Why is it resurfacing now? The pattern is not uncommon: print infrastructure rarely ranks high in organizations’ patching routines. Many installations were hardened provisionally in 2023 but never upgraded to current release lines. Meanwhile, exploit chains for this vulnerability have been publicly documented for over a year, including Metasploit modules and Nuclei templates. The re-exploitation window stays open as long as unpatched instances remain on the network.
This resurgence fits into a broader context. The print server is rarely a standalone system; it is typically privileged within Active Directory, with access to file shares, the email relay, and often the corporate printer configuration database. A compromised PaperCut server gives attackers a platform from which lateral movement, credential harvesting, and ransomware deployment become likely. An incident that starts at PaperCut doesn’t end there.
Which versions are affected and what has changed
The patch matrix is manageable but critical for a clean inventory sweep. All versions prior to PaperCut NG/MF 20.1.7, 21.2.11, and 22.0.9 are affected and actively exploitable. Organizations running these versions must update immediately. The 23.x and 24.x release lines have included the original fix since release, but with conditions. Those on 23.x who haven’t disabled the scripting engine via configuration should check if their patch level includes the referenced hotfixes. Users running 24.x are safe in most scenarios but should continue working through the exposure checklist.
A pattern that has become more prominent by 2026 is the combination of unknown internet exposure and missing hardening. PaperCut instances in many organizations have grown organically rather than being planned. There are central servers in the data center, but also departmental instances on Windows servers that were set up unofficially. Shadow PaperCut instances in subsidiaries or production sites evade traditional scans because they are not included in IT asset management. According to Shodan data surveys, the probability that at least one of these instances is reachable from the internet is in the double-digit percentage range.
The 72-Hour Inventory Sweep for Security Teams
The response to the reactivation is not a sirens-and-blue-lights exercise but a structured three-day approach. Those who work methodically will have clarity on attack surface, patch status, and detection coverage within 72 hours.
The sweep is intentionally kept concise. Those who slide into a multi-week analysis phase lose the time window to the attackers. The playbook works when Operations, Security, and Asset Management work together on a single ticket rather than waiting on each specialist team in turn.
What must happen now
- Upgrade all PaperCut instances to current release lines (24.x recommended)
- Don’t expose the management port to the open internet, implement a WAF or bastion host
- Disable the scripting engine if not actively needed for automation
- Add shadow print servers to the asset inventory and establish ownership
What Security Teams Should Not Do Now
- Dismiss the patch as trivial and delegate to print admins without feedback
- Keep older installations running “for emergencies” if patch incompatibilities arise
- Rely on product release notes without verifying patch status by build number
- Activate WAF rules without a test phase and accidentally block printing operations
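As an added example of the sweep’s patch-status step (not the article’s or PaperCut’s own code): the triage below applies the patch matrix stated above (fixed builds 20.1.7, 21.2.11 and 22.0.9; 23.x to confirm hotfix level; 24.x fixed) to a constructed inventory and orders hosts by sweep priority. Hostnames, versions and the inventory field names are assumptions.

```python
from typing import Dict, List, Tuple

FIXED_BUILDS = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}  # lowest fixed build per line (article)

def parse_version(v: str) -> Tuple[int, int, int]:  # '22.0.8' -> (22, 0, 8); missing parts count as 0
    parts = [int(p) for p in v.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def patch_status(version: str) -> str:
    """Classify a PaperCut NG/MF version against the article's patch matrix."""
    ver = parse_version(version)
    if ver[0] < 20:
        return "AFFECTED"                   # older lines: no fixed build exists
    if ver[0] in FIXED_BUILDS:
        return "AFFECTED" if ver < FIXED_BUILDS[ver[0]] else "PATCHED"
    if ver[0] == 23:
        return "FIXED_VERIFY_HOTFIX"        # 23.x: confirm hotfix level by build number
    return "FIXED"                          # 24.x and later

def triage(inventory: List[Dict]) -> List[Dict]:
    """Assign each instance a sweep priority (1 = first) and the actions it needs."""
    rows = []
    for inst in inventory:
        status, actions = patch_status(inst["version"]), []
        if status == "AFFECTED":
            actions.append("upgrade to a current release line (24.x)")
        elif status == "FIXED_VERIFY_HOTFIX" and inst["scripting"]:
            actions.append("verify hotfix level by build number")
        if inst["exposed"]:
            actions.append("take 9191/9192 off the internet; WAF or bastion host")
        if inst["scripting"]:
            actions.append("disable scripting engine unless automation needs it")
        if not inst.get("owner"):
            actions.append("add to asset inventory and assign an owner")
        vuln = status == "AFFECTED"
        priority = 1 if vuln and inst["exposed"] else 2 if vuln else 3 if actions else 4
        rows.append({"host": inst["host"], "status": status,
                     "priority": priority, "actions": actions})
    return sorted(rows, key=lambda r: r["priority"])  # stable: input order within a tier

# Constructed sample inventory; hosts and versions are invented for illustration.
SAMPLE_INVENTORY = [
    {"host": "print01.hq.example", "version": "22.0.8", "exposed": True, "scripting": True, "owner": "it-ops"},
    {"host": "print-site7.example", "version": "21.2.10", "exposed": False, "scripting": False, "owner": None},
    {"host": "print03.hq.example", "version": "24.0.3", "exposed": False, "scripting": False, "owner": "it-ops"},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"P{r['priority']} {r['host']:<22} {r['status']:<20} {'; '.join(r['actions'])}")
```

Feed it the inventory export from your CMDB plus the exposure flags from an external scan, and verify each reported version by build number rather than by release notes.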
How the PaperCut Incident Fits into the Q2 2026 Landscape
The PaperCut incident is not an isolated case. Those tracking CISA-KEV movements since early April 2026 can see a pattern. Cisco Catalyst SD-WAN Manager, Apache ActiveMQ, and F5 BIG-IP plus Citrix NetScaler have been reactivated or re-added in quick succession. The common denominator isn’t a technical trend, but an operational pattern. Enterprise products that are initially deployed and then patch-neglected become targets for exploit brokers because exploits scale well. A group with a working PaperCut exploit chain can find enough targets via Shodan to monetize them within a week.
For security teams in regulated industries, the situation is compounded by two additional factors. First, NIS2 and the KRITIS umbrella legislation accelerate incident reporting requirements. An unpatched system that is known to be actively exploited and leads to an incident weakens the evidentiary position with the BSI (Federal Office for Information Security) reporting center. Second, insurers are increasingly using granular patch status questionnaires. Organizations in 2026 that cannot document a coherent history of PaperCut patches risk facing uncomfortable questions or stricter exclusions when renewing their policies.
The takeaway may be unglamorous but is fundamental. Reactivated KEV entries aren’t cause for panic but rather a signal. They show which categories of operating systems, middleware, and industry-specific software chronically receive insufficient patch attention. PaperCut won’t be the last 2023 entry to resurface in 2026. Security teams that don’t continuously align their asset management with KEV movements will learn the same lesson every six to nine months. Once established as a routine, reactivations are treated as regular work, not incidents.
From an editorial perspective, there is an additional point of practical significance for CISOs in mid-sized organizations. Those who need a clear situational narrative for the next board meeting or supervisory board report will find in the CISA-KEV reactivation a well-documented reference line. A statement like “we conducted a complete inventory sweep within 72 hours of the CISA notification, verified all instances, and updated affected systems before the federal deadline” gives boards an accountable response without room for interpretation. Board communication on security issues often suffers from exaggeration or understatement. The KEV line removes both from the discussion and provides a common language between security operations, compliance, and management.
What CISOs should prepare for the next board meeting
The PaperCut case provides a good opportunity to sharpen the security dashboard logic for the board. Three elements should be included in every board template at the beginning of each quarter. First, a patch status indicator for KEV entries: the number of open, confirmed KEV vulnerabilities in-house, broken down by risk class. Second, an exposure indicator: which of these systems are reachable from the internet without a WAF or bastion in between? Third, a detection indicator: which of these systems have active EDR or SIEM rules that recognize common exploit chains?
These three indicators are robust against trend fluctuations. They refer to an external, verifiable reference source. They are communicable despite their complexity. And they allow for measuring progress or regression across quarters without having to discuss every new CVE. Many security dashboards struggle with exactly this: they are either too technical or too political. A KEV-based logic lands somewhere in between.
For the supervisory board discussion, a short narrative about patch culture is also helpful. How long does it take between a CISA KEV reactivation and a completed patch deployment in-house? Whoever can present this figure as a median and as a 95th percentile over the last year has a basis for discussion. Those who cannot will face the unpleasant version of these questions during the next incident. The questions will come reliably, but the timing is uncertain.
A second building block is the supplier perspective. PaperCut is an example of a mid-sized software manufacturer with global distribution. In the board conversation, it’s worth asking which other providers of this category are in use in-house and how the patch dialogue with them works. Manufacturer transparency about end-of-support cycles, security patch windows, and reliable incident communication is no longer a luxury feature today, but a hard purchasing requirement for every strategic software supplier. Procurement departments that include this in framework agreements significantly reduce the number of future surprises.
The third preparation is softer but no less important. Security teams that struggle with misunderstanding in their daily routine find a communicative opportunity in such reactivations. No CISO needs to create panic when CISA has already named the situation. Internal communication changes when external authorities contextualize the topic. Those who use this effect can advance patch culture in the organization without being seen as a brake. This is not a rhetorical trick, but teamwork with clearly distributed roles between Security, IT Operations, Procurement, and Management.
Frequently Asked Questions
How much time do federal agencies have to patch CVE-2023-27351?
The CISA (Cybersecurity and Infrastructure Security Agency) has linked the reactivation to a patch deadline of early May 2026. U.S. Federal Civilian Executive Branch Agencies must patch by then. For German companies, there’s no hard CISA requirement, but the deadline serves as a useful reference for compliance teams because it’s well-documented and counts as a reference in case of incidents.
What differentiates CVE-2023-27351 from CVE-2023-27350?
CVE-2023-27350 was the original Remote Code Execution vulnerability in PaperCut NG/MF that was actively exploited in March 2023 and attributed to ransomware groups. CVE-2023-27351 is the parallel authentication bypass that was reported in the same timeframe and is now back in focus. Both vulnerabilities are addressed by the same patch level, but they give attackers different access paths.
Which log events should security teams monitor in their SIEM?
Failed login attempts on the PaperCut management ports, unexpected script executions from the PaperCut service context, unusual PowerShell or cmd invocations by the print service, and lateral-movement signals such as new local admin accounts created shortly after PaperCut access. Many EDR vendors have updated their detection packs accordingly.
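Two of those signals as hunt logic over constructed telemetry, added here as an example (not the article’s code and not any vendor’s detection pack): a shell spawned directly from the PaperCut service process, and a burst of failed logins against the console ports. The service binary name pc-app.exe, the install path, hostnames and addresses are assumptions; adjust them to what your EDR and web logs actually show.

```python
from collections import Counter
from typing import Dict, List

# Assumption: the PaperCut application service runs as pc-app.exe on Windows;
# change SERVICE_BINARIES to the binary name observed in your own environment.
SERVICE_BINARIES = {"pc-app.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def shells_from_print_service(events: List[Dict]) -> List[Dict]:
    """Process-creation events where a shell is spawned by the PaperCut service."""
    return [e for e in events
            if basename(e["parent_image"]) in SERVICE_BINARIES
            and basename(e["image"]) in SHELLS]

def failed_login_bursts(events: List[Dict], threshold: int = 5) -> Dict[str, int]:
    """Source addresses with >= threshold failed logins on the console ports."""
    hits = Counter(e["src_ip"] for e in events
                   if e["event"] == "login_failed" and e["dst_port"] in (9191, 9192))
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample telemetry (hosts, paths and addresses are invented).
PROCESS_EVENTS = [
    {"host": "print01", "parent_image": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "print01", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe"},
    {"host": "ws42", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
]
AUTH_EVENTS = [{"event": "login_failed", "src_ip": "203.0.113.7", "dst_port": 9191}] * 6 + [
    {"event": "login_failed", "src_ip": "10.20.30.40", "dst_port": 9191},
    {"event": "login_failed", "src_ip": "10.20.30.40", "dst_port": 9192},
    {"event": "login_ok", "src_ip": "203.0.113.7", "dst_port": 9191},
]

if __name__ == "__main__":
    for e in shells_from_print_service(PROCESS_EVENTS):
        print("ALERT shell from print service:", e["host"], e["image"])
    for ip, n in failed_login_bursts(AUTH_EVENTS).items():
        print(f"ALERT {n} failed console logins from {ip}")
```

The service launching its own shells is the higher-fidelity signal; the login-burst threshold needs tuning against legitimate admin activity before it goes into a SIEM rule.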
Is blocking the management port via firewall sufficient instead of patching?
No. Network segmentation is an important complement but doesn’t replace patching. Organizations that only segment still have a vulnerable component in their network that can serve as a springboard during an internal incident or when admin workstations are compromised. Defense-in-Depth means patching plus segmentation plus detection.
What does the PaperCut manufacturer say about re-exploitation?
PaperCut has designated release lines 23.x and 24.x as recommended versions and explicitly noted that the reactivation in the KEV (Known Exploited Vulnerabilities) catalog isn’t a new bug but a reminder that too many installations are running outdated versions. The manufacturer provides migration guides and hardening checklists.
How should a board evaluate the current situation?
A board should use the reactivation to question the continuity of patching processes. The real message isn’t the individual CVE but the pattern. Organizations that still have 2023 vulnerabilities open in 2026 have a blind spot in asset and patch management that no single fix will address. This belongs in the next Risk Committee meeting, not in the Security Operations daily log.