CVE-2023-27351: PaperCut NG 22.0.5 Authentication Bypass, CVSS 8.2

CISA Known Exploited Vulnerabilities (KEV)

Summary

CISA added CVE-2023-27351 to the Known Exploited Vulnerabilities (KEV) catalog. The vulnerability affects PaperCut NG version 22.0.5 (Build 63914), allowing remote unauthenticated attackers to bypass authentication via improper implementation in the SecurityRequestFilter class. The flaw carries a CVSS 3.0 score of 8.2 (HIGH) and is classified under CWE-287 (Improper Authentication). SSVC assessment rates exploitation as active, automatable, and with total technical impact.

“An attacker can leverage this vulnerability to bypass authentication on the system.”

CISA, verbatim from source
Published by CISA on cve.org. Detected, standardized, and enriched by GovPing.

What changed

CISA has catalogued CVE-2023-27351 in its Known Exploited Vulnerabilities (KEV) catalog, signalling that this PaperCut NG authentication-bypass flaw is actively exploited in the wild. The vulnerability exists in the SecurityRequestFilter class of PaperCut NG 22.0.5 (Build 63914), enabling remote attackers to bypass authentication without credentials.

Organizations running affected PaperCut NG installations should treat this as a priority remediation item. CISA's inclusion of this CVE in the KEV catalog — combined with an SSVC rating of active, automatable, and total technical impact — indicates that federal civilian executive branch agencies are expected to remediate this vulnerability under BOD 22-01 binding requirements. Private-sector entities using PaperCut NG for print management should apply vendor-issued patches without delay.

Archived snapshot

Apr 21, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Required CVE Record Information

CNA: Zero Day Initiative

Updated: 2023-04-20

Description

This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226.

CWE

- CWE-287: Improper Authentication

CVSS

| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 8.2 | HIGH | 3.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |

Product Status

Versions

Default Status: unknown

affected

  • affected at 22.0.5 (Build 63914)

Credits

  • Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

References 2 Total

Authorized Data Publishers

CISA-ADP

SSVC and KEV, plus CVSS and CWE if not provided by the CNA.

SSVC

| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | yes | total | 2.0.3 | 2026-04-20 |

KEV

- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-27351 (2026-04-20)

About this page

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CISA.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency: CISA
Published: April 20th, 2026
Instrument: Guidance
Branch: Executive
Legal weight: Non-binding
Stage: Final
Change scope: Substantive
Document ID: CVE-2023-27351

Who this affects

Applies to: Technology companies, Government agencies, Healthcare providers
Industry sector: 5112 Software & Technology
Activity scope: Vulnerability remediation, Print management security, Authentication bypass mitigation
Geographic scope: United States (US)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF
Topics: Data Privacy, Healthcare, Government Contracting
