CISA has added CVE‑2023‑27351 to its Known Exploited Vulnerabilities catalogue. The flaw affects PaperCut NG/MF and is described as an improper authentication vulnerability that could allow remote attackers to bypass authentication on affected installations via the SecurityRequestFilter class.
The vulnerability is an authentication bypass issue that can be exploited over the network without user interaction. It carries a CVSS base score of 8.2, rating it as HIGH severity. A patch is available from the vendor, and mitigations are documented in PaperCut’s security advisories.
Active exploitation has been confirmed, which is why the entry appears in the KEV catalogue. No known ransomware campaign has been linked to this CVE. Federal agencies must apply the required mitigations by the CISA remediation deadline of 4 May 2026.
CISA’s required action is to “Apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” This directive binds Federal Civilian Executive Branch (FCEB) agencies; all other organisations are advised to review their exposure and implement the vendor’s guidance where applicable.
For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2023-27351 and the CISA KEV catalogue at https://www.cisa.gov/known-exploited-vulnerabilities-catalogue.