CVE-2025-9785 Overview
CVE-2025-9785 affects PaperCut Print Deploy, an optional component that integrates with PaperCut NG/MF to simplify printer deployment and management. The vulnerability stems from improper certificate validation [CWE-295] when administrators configure the component with self-signed certificates. If the trust database on client systems is not fully configured, communication between clients and the Print Deploy server becomes susceptible to man-in-the-middle interception. PaperCut identified that documentation gaps related to SSL configuration could lead administrators to deploy insecure installations.
Critical Impact
Attackers positioned on an adjacent network can intercept or modify printing communications between Print Deploy clients and servers when SSL is misconfigured, exposing sensitive print job data and credentials.
Affected Products
- PaperCut Print Deploy (component of PaperCut NG/MF)
- PaperCut NG installations using Print Deploy with self-signed certificates
- PaperCut MF installations using Print Deploy with self-signed certificates
Discovery Timeline
- 2025-09-03 - CVE-2025-9785 published to NVD
- 2025-09-03 - PaperCut publishes the September 2025 Security Bulletin
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-9785
Vulnerability Analysis
The weakness is classified as Improper Certificate Validation [CWE-295]. PaperCut Print Deploy allows administrators to secure client-server communication with a self-signed certificate as an alternative to a certificate issued by a public Certificate Authority (CA). Securing this channel correctly requires the administrator to distribute the signing CA certificate, or the self-signed certificate itself, to both the operating system trust store and the Java key store on every client.
Documentation gaps left this distribution step ambiguous. Administrators following the prior guidance could deploy clients that fail to validate the server certificate properly. Clients in this state accept any certificate presented during the TLS handshake, including one issued by an attacker. The attack requires logical adjacency to the network path between client and server, which limits exposure to local network attackers or compromised intermediate infrastructure.
Root Cause
The root cause is insufficient certificate trust configuration on Print Deploy clients combined with incomplete vendor documentation. Without the legitimate CA or self-signed certificate present in both the OS trust store and the Java key store, the client cannot distinguish a legitimate Print Deploy server from a malicious one.
Attack Vector
An attacker on an adjacent network can perform Address Resolution Protocol (ARP) spoofing, rogue Dynamic Host Configuration Protocol (DHCP) responses, or DNS poisoning to redirect Print Deploy client traffic to an attacker-controlled host. The attacker then presents a forged certificate. A client that does not validate the certificate chain establishes a TLS session with the attacker, who proxies traffic to the real server. This exposes print job content, authentication material, and configuration data flowing between the client and the Print Deploy server.
No public proof-of-concept code has been released, and no realCodeExamples are available. Refer to the PaperCut Security Bulletin September 2025 for technical detail.
Detection Methods for CVE-2025-9785
Indicators of Compromise
- Unexpected TLS certificate fingerprints presented by hosts on the Print Deploy server's IP or hostname.
- ARP table anomalies on client subnets showing duplicate MAC addresses for the Print Deploy server or default gateway.
- DNS responses for the Print Deploy server hostname resolving to unexpected IP addresses.
- Print Deploy client logs showing repeated reconnections or certificate-related warnings.
Detection Strategies
- Audit Print Deploy client installations to verify that the configured CA or self-signed certificate is present in both the operating system trust store and the bundled Java key store (cacerts).
- Inspect TLS sessions to the Print Deploy server using network monitoring to confirm the certificate issuer matches the expected internal CA or PaperCut-issued certificate.
- Enable verbose logging on Print Deploy clients and search for certificate validation warnings or fallback to untrusted connections.
Monitoring Recommendations
- Monitor adjacent network segments hosting Print Deploy clients for ARP spoofing, rogue DHCP, and unauthorized DNS responders.
- Alert on changes to certificate fingerprints associated with the Print Deploy server endpoint.
- Correlate Print Deploy authentication failures with network-layer anomalies in the same broadcast domain.
How to Mitigate CVE-2025-9785
Immediate Actions Required
- Review SSL configuration on every Print Deploy server and client following the updated PaperCut documentation.
- Replace self-signed certificates with certificates issued by a trusted internal or public CA where feasible.
- Where self-signed or private CA certificates remain in use, import them into both the operating system trust store and the Java key store on every client.
- Restrict Print Deploy server network access to known client subnets to reduce adjacent-network exposure.
Patch Information
PaperCut addressed the issue through updated documentation rather than a binary patch. Administrators must follow the corrected SSL configuration guidance published in the PaperCut Security Bulletin September 2025 and verify trust store contents on existing deployments.
Workarounds
- Deploy a certificate from a trusted CA on the Print Deploy server to eliminate reliance on manual trust store updates.
- Enforce 802.1X authentication and dynamic ARP inspection on switches serving Print Deploy clients to reduce man-in-the-middle attack surface.
- Segment the Print Deploy server into a management VLAN with strict access control lists between client and server subnets.
- Use IPsec or a VPN overlay between clients and the Print Deploy server when certificate validation cannot be guaranteed.
# Import a self-signed or private CA certificate into the Java key store on a Print Deploy client
keytool -importcert -alias papercut-print-deploy -file /path/to/papercut-ca.crt \
-keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit -noprompt
# Import the same certificate into the Linux OS trust store
sudo cp /path/to/papercut-ca.crt /usr/local/share/ca-certificates/papercut-ca.crt
sudo update-ca-certificates
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

