CVE-2023-39143 Overview
CVE-2023-39143 is a path traversal vulnerability affecting PaperCut NG and PaperCut MF print management software before version 22.1.3 on Windows systems. This vulnerability enables attackers to upload, read, or delete arbitrary files on the target system. When external device integration is enabled—a very common configuration in enterprise environments—this vulnerability leads to unauthenticated remote code execution.
Critical Impact
Unauthenticated attackers can achieve remote code execution on vulnerable PaperCut servers with external device integration enabled, potentially compromising print infrastructure and accessing sensitive documents across the enterprise.
Affected Products
- PaperCut MF before version 22.1.3 on Windows
- PaperCut NG before version 22.1.3 on Windows
- Microsoft Windows (as the underlying operating system)
Discovery Timeline
- 2023-08-04 - CVE-2023-39143 published to NVD
- 2025-05-05 - Last updated in NVD database
Technical Details for CVE-2023-39143
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in the PaperCut NG and MF print management solution's handling of file operations. The flaw allows remote attackers to traverse outside intended directories and manipulate files anywhere on the system where the PaperCut service has permissions.
The vulnerability is particularly dangerous because it requires no authentication and can be exploited remotely over the network. When external device integration is enabled—a feature commonly used for integrating multi-function printers (MFPs) and other devices—the attack surface expands significantly, allowing attackers to chain the path traversal with file upload capabilities to achieve remote code execution.
Enterprise print management systems like PaperCut often operate with elevated privileges and have access to sensitive document flows across the organization, making this an attractive target for threat actors seeking initial access or lateral movement within networks.
Root Cause
The root cause of CVE-2023-39143 is improper input validation in file path handling routines. The application fails to adequately sanitize user-supplied input containing directory traversal sequences (such as ../ or ..\) before using them in file system operations. This allows attackers to escape the intended directory boundaries and access files throughout the file system.
The vulnerability is specifically triggered through the external device integration functionality, which provides endpoints that process file paths without sufficient validation, enabling the construction of malicious paths that traverse to arbitrary locations on the Windows file system.
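The containment check this class of flaw calls for, as an added example (not PaperCut's code, which the page does not show): normalize the joined path under Windows rules, then confirm it is still under the base directory. `naive_is_safe`, `resolve_inside`, and the `C:\App\Uploads` base are hypothetical names chosen for illustration.

```python
import ntpath  # Windows path rules as pure string operations; runs on any OS


def naive_is_safe(user_path: str) -> bool:
    """Hypothetical weak filter: only looks for the forward-slash form."""
    return "../" not in user_path


def resolve_inside(base_dir: str, user_path: str) -> str:
    """Return the normalized path of user_path under base_dir.

    Raises ValueError if the result would land outside base_dir.
    """
    base = ntpath.normcase(ntpath.normpath(base_dir))
    # join() drops the base when user_path is rooted or names another drive,
    # so validate the joined, normalized result rather than the raw input.
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(base, user_path)))
    try:
        # Component-wise comparison: "uploads2" is not inside "uploads".
        common = ntpath.commonpath([base, candidate])
    except ValueError:  # different drive or UNC share
        raise ValueError(f"path escapes base directory: {user_path!r}") from None
    if common != base:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


# Constructed inputs; C:\App\Uploads is a placeholder, not a PaperCut directory.
BASE = r"C:\App\Uploads"
ESCAPES = [
    r"..\..\placeholder.txt",   # backslash form, missed by naive_is_safe
    "../../placeholder.txt",    # forward-slash form
    r"job\..\..\x",             # traversal hidden after a valid segment
    r"..\Uploads2\x",           # sibling directory sharing a string prefix
    r"\Windows\placeholder",    # rooted path on the same drive
    r"D:\placeholder",          # other drive
    r"\\host\share\x",          # UNC path
]

if __name__ == "__main__":
    print(resolve_inside(BASE, r"job-42\scan.pdf"))
    for p in ESCAPES:
        try:
            resolve_inside(BASE, p)
        except ValueError as exc:
            print("rejected:", exc)
```

The check is purely lexical; where symbolic links or junctions can exist under the base directory, resolve the real path before comparing.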
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending specially crafted HTTP requests to a vulnerable PaperCut server. The attack flow typically involves:
- Identifying a PaperCut NG or MF server accessible over the network
- Confirming that external device integration is enabled (common in production deployments)
- Crafting malicious requests containing path traversal sequences to read, upload, or delete files
- For remote code execution, uploading a malicious payload to a location where it will be executed by the system
Exploitation can be performed from any network location that can reach the PaperCut server's web interface, which leaves internet-exposed instances particularly at risk.
For detailed technical analysis of the exploitation mechanism, refer to the Horizon3 Analysis on CVE-2023-39143.
Detection Methods for CVE-2023-39143
Indicators of Compromise
- Unusual file creation or modification in system directories outside PaperCut's normal operating paths
- Suspicious HTTP requests to PaperCut server endpoints containing path traversal sequences (../, ..\, or URL-encoded variants)
- Unexpected processes spawned as children of the PaperCut service
- Web server logs showing access to device integration endpoints with abnormal path patterns
Detection Strategies
- Monitor PaperCut web server access logs for requests containing directory traversal patterns such as ../, ..\, %2e%2e%2f, or %2e%2e%5c
- Implement file integrity monitoring on PaperCut server installations to detect unauthorized file modifications
- Deploy network intrusion detection rules to identify path traversal attack patterns targeting PaperCut endpoints
- Review process creation events for any unexpected executables launched by the PaperCut service account
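The log check from the first strategy above, as an added example that is not part of the original advisory: it decodes each request target repeatedly before matching, so it also catches double-encoded and mixed-case variants beyond the four literal patterns listed. The log layout (Common Log Format style) and all paths in the sample lines are assumptions; the paths are placeholders, not real PaperCut endpoints.

```python
import re
from urllib.parse import unquote

# Assumption: Common Log Format-style lines; the request line is the quoted field.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# ".." followed by either separator, checked after decoding is complete.
TRAVERSAL_RE = re.compile(r'(?<!\.)\.\.[\\/]')
MAX_DECODE_ROUNDS = 3  # bounded, so nested encodings cannot stall the scan


def fully_decode(target: str) -> str:
    """Percent-decode until the value stops changing (at most MAX_DECODE_ROUNDS)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_traversal(log_lines):
    """Return (line_number, raw_target) for requests with a traversal sequence."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if match and TRAVERSAL_RE.search(fully_decode(match.group("target"))):
            hits.append((line_no, match.group("target")))
    return hits


# Constructed sample log lines (documentation IP ranges, placeholder paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Aug/2023:10:00:01 +0000] "GET /example/page?file=report.pdf HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Aug/2023:10:00:05 +0000] "GET /example/endpoint?path=%2e%2e%2f%2e%2e%2fplaceholder.txt HTTP/1.1" 200 87',
    '192.0.2.10 - - [04/Aug/2023:10:00:09 +0000] "GET /example/files/notes..v2.txt HTTP/1.1" 200 40',
    '198.51.100.7 - - [04/Aug/2023:10:00:12 +0000] "POST /example/endpoint?path=%252E%252E%255Cplaceholder.txt HTTP/1.1" 200 0',
    '198.51.100.7 - - [04/Aug/2023:10:00:15 +0000] "GET /example/endpoint/..%5C..%5Cplaceholder HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for line_no, target in find_traversal(SAMPLE_LOG):
        print(f"line {line_no}: suspicious target {target}")
```

Line 3 of the sample is deliberately benign: a file name containing `..` without a following separator should not raise an alert.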
Monitoring Recommendations
- Enable verbose logging on PaperCut servers and forward logs to a centralized SIEM for correlation and analysis
- Monitor for outbound connections from PaperCut servers to unexpected destinations, which may indicate post-exploitation activity
- Implement alerting on any file operations outside standard PaperCut directories performed by the service account
- Regularly audit external device integration settings and disable if not required
How to Mitigate CVE-2023-39143
Immediate Actions Required
- Upgrade PaperCut NG and PaperCut MF to version 22.1.3 or later immediately
- If immediate patching is not possible, disable external device integration as a temporary mitigation
- Restrict network access to PaperCut servers to only authorized networks and users
- Review PaperCut servers for signs of compromise before and after patching
Patch Information
PaperCut has released version 22.1.3 which addresses this vulnerability. Organizations should download and apply the latest security update from the official PaperCut Security Bulletin July 2023. The bulletin provides detailed patching instructions and additional security hardening recommendations.
Given the critical severity and the potential for remote code execution, patching should be treated as an emergency priority for all affected installations.
Workarounds
- Disable the external device integration feature if it is not required for business operations—this removes the RCE attack path
- Implement strict network segmentation to prevent untrusted network access to PaperCut servers
- Deploy a web application firewall (WAF) with rules to block path traversal patterns in requests to PaperCut endpoints
- Enable IP allowlisting to restrict access to PaperCut administrative interfaces to known trusted addresses only
Verify the PaperCut version to confirm patching status:
- Check the version in the PaperCut admin interface under Options > General > About
- Ensure the version is 22.1.3 or higher
To disable external device integration (temporary workaround):
- Navigate to Options > Advanced > External Hardware Integration
- Uncheck "Enable external hardware integration"
- Apply changes and restart the PaperCut services


