
PaperCut Zero-Day Under Active Exploitation: What Crypto Users Need to Know

Enterprise print management software is not the first thing that comes to mind when thinking about cryptocurrency security. Yet a critical vulnerability in PaperCut MF and PaperCut NG has drawn attention across the security community, and crypto holders should be paying close attention too. CVE-2023-27350 lets an unauthenticated attacker execute code remotely on an affected server. PaperCut shipped fixed releases on March 8, 2023, confirmed on April 19 that unpatched servers were being exploited in the wild, and on April 21 researchers at Huntress published their analysis of the attacks. By April 23, 2023, the exploit was in the hands of ransomware affiliates, putting any organization still running an unpatched PaperCut instance at immediate risk.

The Exploit Mechanics

CVE-2023-27350 is an improper access control flaw in PaperCut's web-based management interface, which the application server exposes on TCP 9191 (HTTP) and 9192 (HTTPS) by default. Public analysis of the bug showed that a request to the interface's SetupCompleted page, which should only be reachable during initial installation, is handled without an authentication check and leaves the requester holding an administrative session. No memory corruption is involved: once in the admin console, the attacker turns on the product's own print scripting feature, which allows an administrator to run arbitrary code, and uses it to execute operating system commands. That code runs with the privileges of the PaperCut Application Server service account, which is SYSTEM by default on Windows; on Linux it is whatever user the service was installed to run as, normally a dedicated papercut account rather than root, although a root install hands over root.

A second vulnerability, CVE-2023-27351, is an unauthenticated information disclosure: it lets an attacker read user account data held by the server (usernames, full names, email addresses, department and office fields, and any card numbers associated with users). It does not give code execution on its own, but that data feeds credential stuffing and targeted phishing against the organization. CISA added CVE-2023-27350 to its Known Exploited Vulnerabilities catalog on April 21, 2023; Huntress traced the earliest exploitation it saw to mid-April, and a joint CISA/FBI advisory in May 2023 described ransomware affiliates exploiting the flaw against internet-exposed servers, with threat actors deploying ransomware payloads and, per other responders, cryptocurrency mining software on compromised machines. The attack needs no specialized tooling: once the mechanism was public, anyone who could reach the web interface could reproduce it with a browser and a handful of HTTP requests.

Affected Systems

Every PaperCut MF and PaperCut NG release from 8.0 through 22.0.8 is vulnerable, on all operating systems. The fix shipped in 20.1.7, 21.2.11 and 22.0.9; older branches (8.x through 19.x) have no fixed build and must be upgraded to a supported version. The software is widely deployed in enterprise environments, universities, government agencies, and managed service providers worldwide. Organizations that have not applied the patches PaperCut released on March 8, 2023 remain exposed. Security researchers at Darktrace reported a surge in post-exploitation activity on PaperCut servers throughout April, with attackers installing remote access tools, deploying cryptocurrency miners, and exfiltrating data.
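Checking an inventory of PaperCut servers against those version boundaries by hand is error-prone (21.2.10 looks newer than 20.1.7 but is still vulnerable). The following script is an added example, not PaperCut's or this article's code: it encodes the affected range (8.0 through 22.0.8) and the fixed builds (20.1.7, 21.2.11, 22.0.9) from the vendor advisory and classifies a list of (host, version string) pairs. The hostnames and build numbers in the sample inventory are constructed.

```python
"""Triage PaperCut NG/MF version strings against the CVE-2023-27350 fixes.

Added example, not PaperCut's or this article's code. The affected range
(8.0 through 22.0.8) and fixed builds (20.1.7, 21.2.11, 22.0.9) are from the
vendor advisory; the host inventory below is constructed sample data.
"""
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# First build in each still-supported branch that contains the fix.
FIXED_BY_BRANCH = {
    20: (20, 1, 7),
    21: (21, 2, 11),
    22: (22, 0, 9),
}
FIRST_AFFECTED_MAJOR = 8  # vendor advisory: "version 8.0 or later" is affected


def parse_version(text: str) -> Optional[Version]:
    """Extract MAJOR.MINOR.PATCH from a product string such as
    'PaperCut NG 22.0.8 (Build 66240)'. Returns None if no version is present.
    Feed it the product version string only, not arbitrary log text."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: Version) -> bool:
    """True if this build is inside the affected range and below its branch's fix."""
    major = version[0]
    if major < FIRST_AFFECTED_MAJOR:
        return False  # outside the range the vendor lists as affected
    if major > max(FIXED_BY_BRANCH):
        return False  # 23.x and later were released after the fix
    fixed = FIXED_BY_BRANCH.get(major)
    if fixed is None:
        return True  # 8.x-19.x: no fixed build in-branch, upgrade required
    return version < fixed  # tuple comparison handles 22.0.8 < 22.0.9 etc.


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify (host, version_text) pairs as VULNERABLE, patched or unknown-version."""
    results = []
    for host, text in inventory:
        version = parse_version(text)
        if version is None:
            status = "unknown-version"
        elif is_vulnerable(version):
            status = "VULNERABLE"
        else:
            status = "patched"
        results.append((host, text, status))
    return results


# Constructed inventory: what an asset register or a manual check of each
# server's About page might give you. Hostnames and build numbers are made up.
SAMPLE_INVENTORY = [
    ("print-01.corp.example", "PaperCut NG 22.0.8 (Build 66240)"),
    ("print-02.corp.example", "PaperCut MF 22.0.9"),
    ("print-03.corp.example", "PaperCut MF 21.2.10"),
    ("print-04.corp.example", "PaperCut NG 19.2.3"),
    ("print-05.corp.example", "PaperCut NG 20.1.7"),
    ("print-06.corp.example", "PaperCut MF"),  # version not recorded
]

if __name__ == "__main__":
    for host, text, status in triage(SAMPLE_INVENTORY):
        print(f"{status:16} {host:24} {text}")
```

An "unknown-version" result is itself a finding: a print server nobody can version is a print server nobody is patching. Treat it as vulnerable until someone logs in and reads the About page.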

For the crypto community, the implications are significant. Many crypto businesses, including exchanges, wallet providers, and mining operations, run ordinary enterprise IT alongside their trading and custody systems, and that IT may well include PaperCut or software like it. A server compromised through a print management flaw is a foothold inside the corporate network, and from there an attacker can work toward hot wallets, key management systems, or customer databases.

The Mitigation Strategy

PaperCut released patches for both vulnerabilities on March 8, 2023, but adoption has been slow. Organizations should immediately update to PaperCut MF/NG 20.1.7, 21.2.11 or 22.0.9 or later, and treat any server whose web interface was reachable from the internet before patching as potentially compromised: patching closes the door, but it does not evict an attacker who already has a foothold. If patching is not immediately possible, administrators should restrict access to the web interface (TCP 9191 and 9192 by default) to trusted internal networks with firewall rules and, as the vendor recommends, by restricting the allowed client IP ranges in the application server's security settings. Network and endpoint monitoring should watch for anomalous behaviour from PaperCut servers: unexpected outbound connections, the application server process launching shells or script interpreters, and large data transfers.
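Two of those monitoring signals can be checked retroactively with very little code. The script below is an added example, not PaperCut's, Huntress's or this article's code. It assumes HTTP access logs in combined log format for the PaperCut web port (for example from a reverse proxy or WAF in front of it) and Sysmon-style process-creation events carrying parent and child image paths; it flags requests for the SetupCompleted page, the publicly documented authentication bypass path, and any case of pc-app.exe (the Windows application server process) spawning a shell or script host. The log lines, hostnames and process events are constructed sample data.

```python
"""Two post-exploitation heuristics for CVE-2023-27350, run over sample data.

Added example, not PaperCut's, Huntress's or this article's code. It assumes
(a) HTTP access logs in combined log format for the PaperCut web port, for
instance from a reverse proxy or WAF in front of it, and (b) process-creation
telemetry (Sysmon-style) carrying parent and child image paths. Both sample
inputs below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# The published authentication bypass reaches the web interface's SetupCompleted
# page, which a production server should never serve again after installation.
SETUP_PAGE = re.compile(r"service=page/SetupCompleted", re.IGNORECASE)

# Combined log format: src ident user [time] "METHOD path PROTO" status bytes
ACCESS_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# On Windows the application server runs as pc-app.exe. Seeing it spawn a shell
# or script host is the simplest high-signal indicator of the scripting abuse.
PAPERCUT_IMAGE = "pc-app.exe"
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "curl.exe",
}


@dataclass(frozen=True)
class Alert:
    source: str   # client IP or hostname
    reason: str
    evidence: str


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def scan_access_log(lines: Iterable[str]) -> List[Alert]:
    """Flag every request whose path hits the SetupCompleted page."""
    alerts = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if m and SETUP_PAGE.search(m["path"]):
            alerts.append(Alert(m["src"],
                                "SetupCompleted page requested (CVE-2023-27350 auth bypass path)",
                                line.strip()))
    return alerts


def scan_process_events(events: Iterable[Dict[str, str]]) -> List[Alert]:
    """Flag pc-app.exe spawning a shell or script host; ignore everything else."""
    alerts = []
    for ev in events:
        child = basename(ev["image"])
        if basename(ev["parent_image"]) == PAPERCUT_IMAGE and child in SUSPICIOUS_CHILDREN:
            alerts.append(Alert(ev["host"], f"{PAPERCUT_IMAGE} spawned {child}", ev["command_line"]))
    return alerts


# Constructed sample data. 203.0.113.0/24 is a documentation range; the
# hostname, paths, timestamps and command lines are made up.
SAMPLE_ACCESS_LOG = [
    '10.20.0.15 - - [18/Apr/2023:07:58:40 +0000] "GET /user HTTP/1.1" 200 5120',
    '203.0.113.9 - - [18/Apr/2023:02:14:07 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 200 1432',
    '203.0.113.9 - - [18/Apr/2023:02:14:09 +0000] "GET /app HTTP/1.1" 200 9812',
    '10.20.0.15 - - [18/Apr/2023:08:00:01 +0000] "GET /app HTTP/1.1" 200 9812',
]

SAMPLE_PROCESS_EVENTS = [
    {"host": "PRINT01",
     "parent_image": r"C:\Program Files\PaperCut NG\server\bin\win\pc-app.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"host": "PRINT01",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe"},  # an admin's own shell: not a child of pc-app.exe
]


def run_all() -> List[Alert]:
    """Run both heuristics over the constructed samples and return the alerts."""
    return scan_access_log(SAMPLE_ACCESS_LOG) + scan_process_events(SAMPLE_PROCESS_EVENTS)


if __name__ == "__main__":
    for a in run_all():
        print(f"[{a.source}] {a.reason}: {a.evidence}")
```

Both signals are indicators, not proof. A SetupCompleted hit from an internal address during a legitimate install is expected once; a hit from an external address, or any hit after go-live, is not. The process heuristic is deliberately narrow so it can run as an alert rather than a report; widen the child list to your environment, and remember that it says nothing about Linux servers, where you would instead watch the papercut service account for unexpected child processes.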

For crypto businesses specifically, the PaperCut incident underscores the importance of segmenting network infrastructure. Print management servers, IoT devices, and other ancillary systems should operate on isolated network segments with no direct access to crypto-asset management systems. Multi-factor authentication should be enforced on all administrative interfaces, and all software — not just crypto-specific tools — should be kept up to date.

Lessons Learned

The PaperCut incident is a textbook example of how peripheral software becomes a critical attack vector. Crypto holders and businesses often focus exclusively on securing wallets, private keys, and smart contracts while overlooking the broader IT infrastructure that supports their operations. Attackers target the weakest link, and unpatched enterprise software frequently provides that opening. The speed at which CVE-2023-27350 went from publicly confirmed exploitation to observed ransomware-affiliate activity, roughly 48 hours, shows that threat actors watch vulnerability disclosures closely and move quickly. Just as telling is the gap on the other side: fixed releases had been available for more than a month before the first confirmed attacks.

User Action Required

If you operate or work within an organization that uses PaperCut software, verify the version immediately against the fixed releases (20.1.7, 21.2.11 and 22.0.9), and find out whether the web interface has ever been reachable from the internet. If the server is not patched, escalate the issue to your IT security team. Crypto businesses should audit all non-crypto software running on their networks and make sure patch management extends beyond the blockchain stack. Individual users should be aware that phishing campaigns often follow major vulnerability disclosures; attackers may send emails posing as security updates from PaperCut or other vendors. Always obtain patches directly from the vendor's official website.



10 thoughts on “PaperCut Zero-Day Under Active Exploitation: What Crypto Users Need to Know”

  1. nobody expects their print server to be a crypto attack vector. CVE-2023-27350 getting SYSTEM level access from an unauthenticated HTTP request is terrifying.

    1. unauthenticated RCE on a print server is nightmare fuel. and patching was available for days before the mass exploitation. inertia kills

      1. the fix was literally a version bump. 2 clicks. orgs got pwned because nobody has print servers on their patching schedule

  2. huntress caught this early. by the time CISA published their advisory there were already ransomware affiliates deploying cryptominers on compromised papercut boxes

    1. ^ this. patch your stuff people. papercut pushed the fix april 19 and orgs still got hit days later because nobody updates print management software

      1. print servers are the ultimate blind spot. everyone hardens web servers and databases but the print management app from 2019 gets ignored

    2. huntress catching it before CISA is becoming a pattern. they found the connectwise bug early too. small security firms outpacing government advisories at this point

  3. the pivot from print server access to crypto wallet theft is the part that should scare everyone. lateral movement is trivial once you have SYSTEM.

    1. SYSTEM to crypto wallet in 2 hops. most orgs have zero monitoring on their print servers because who watches printer traffic lol

      1. who watches printer traffic lol is exactly why attackers love print servers. zero monitoring, outdated firmware, and often domain-joined. triple threat
