Skip to main content
CVE Vulnerability Database

CVE-2026-6645: PaperCut Print Deploy Client RCE Flaw

CVE-2026-6645 is an RCE vulnerability in PaperCut Print Deploy Client for Windows that enables privilege escalation to SYSTEM level. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-6645 Overview

CVE-2026-6645 is an insecure process execution vulnerability in the pc-printer-updater.exe component of the PaperCut Print Deploy Client for Windows. The component runs with SYSTEM-level privileges and invokes a secondary utility using an unqualified file reference. Windows resolves the executable through its default search order rather than an absolute path. A local attacker who can write to a directory in that search path can plant a malicious binary that the updater loads as SYSTEM. The flaw is tracked under CWE-427: Uncontrolled Search Path Element.

Critical Impact

Successful exploitation grants local attackers SYSTEM-level code execution on hosts running the PaperCut Print Deploy Client, resulting in full host compromise.

Affected Products

  • PaperCut Print Deploy Client for Windows (pc-printer-updater.exe component)
  • PaperCut NG with Print Deploy Client installed
  • PaperCut MF with Print Deploy Client installed

Discovery Timeline

  • 2026-06-22 - CVE-2026-6645 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2026-6645

Vulnerability Analysis

The pc-printer-updater.exe component performs an internal validation check by spawning a secondary system utility. The invocation references the utility by name only, without supplying a fully qualified path. Windows resolves the name through the standard executable search order, which includes the current working directory and directories listed in the PATH environment variable. This behavior introduces a privilege boundary violation when the parent process runs with elevated rights.

The Print Deploy Client typically operates under the SYSTEM account to manage printer drivers and queues. Any child process inherits that security context. If a non-privileged user controls a directory that Windows searches before the legitimate utility location, the planted binary executes with SYSTEM privileges. This converts a low-privileged local account into a full host compromise.

Root Cause

The root cause is improper resolution of an executable path during process creation. The application calls a process-spawning API with an unqualified program name. It does not pin the lookup to a known directory such as %SystemRoot%\System32 or the installation directory. The defect aligns directly with CWE-427, where untrusted search path elements influence which binary the operating system loads.

Attack Vector

A local attacker first identifies a writable directory that appears in the effective search path of the SYSTEM-context process. The attacker stages a malicious executable that mimics the name of the expected utility. The attacker then triggers the updater workflow that invokes the validation check. Windows resolves the unqualified name to the planted binary, and the loader executes the attacker-controlled code as SYSTEM. Exploitation requires local access and some user interaction, but no privileged credentials.

No public proof-of-concept exploit code has been published. Refer to the PaperCut Security Bulletin June 2026 for vendor-supplied technical details.

Detection Methods for CVE-2026-6645

Indicators of Compromise

  • Unexpected executables present in directories listed in the system PATH environment variable, particularly any world-writable directory preceding System32.
  • Child processes of pc-printer-updater.exe launched from non-standard paths such as user profile directories or temporary folders.
  • New SYSTEM-owned processes appearing immediately after a Print Deploy Client update cycle.

Detection Strategies

  • Audit the effective PATH for the SYSTEM account and flag any entry that grants write access to non-administrative users.
  • Monitor process-creation events (Windows Event ID 4688 and Sysmon Event ID 1) where the parent image is pc-printer-updater.exe and the child image resides outside %ProgramFiles% or %SystemRoot%.
  • Hash-baseline the legitimate child utilities invoked by the Print Deploy Client and alert on deviations.

Monitoring Recommendations

  • Forward endpoint process telemetry to a central analytics platform and build correlation rules around the pc-printer-updater.exe parent process.
  • Track file-write events to directories included in the machine-level PATH to detect planting activity early.
  • Review scheduled tasks and services that trigger Print Deploy Client update cycles for unauthorized changes.

How to Mitigate CVE-2026-6645

Immediate Actions Required

  • Apply the fixed PaperCut Print Deploy Client release referenced in the PaperCut Security Bulletin June 2026.
  • Inventory all Windows endpoints with the Print Deploy Client installed and prioritize systems where standard users have interactive logon rights.
  • Remove any writable, non-administrative directories from the machine-level PATH environment variable.

Patch Information

PaperCut has released a fixed version of the Print Deploy Client that resolves the unqualified path invocation. Refer to the PaperCut Security Bulletin June 2026 for the patched build numbers and upgrade instructions. Deploy the update through standard software distribution channels and verify the installed version on each host after rollout.

Workarounds

  • Restrict write access on every directory referenced in the SYSTEM PATH to administrators only.
  • Apply application-control policies (Windows Defender Application Control or AppLocker) that block execution of unsigned binaries from user-writable locations.
  • Limit interactive local logon rights on hosts that run the Print Deploy Client until the patch is applied.
bash
# Audit the machine PATH and identify entries writable by non-admin users
powershell -Command "[Environment]::GetEnvironmentVariable('Path','Machine') -split ';' | ForEach-Object { Get-Acl $_ 2>$null | Select-Object Path,AccessToString }"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.