CISA Cybersecurity Alerts 5.12.23
Ep 48 | 5.12.23

CISA Alert AA23-131A – Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG.


This is a CISA Cybersecurity Alert.

ID number Alpha Alpha Two Three tack One Three One  Alpha. 

​Original release date: May 11th, 2023. 

FBI and CISA are releasing this joint Cybersecurity Advisory in response to the active exploitation of CVE dash 2023 dash 27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF, software applications that help organizations manage printing services, and enables an unauthenticated actor to execute malicious code remotely without credentials. PaperCut released a patch for this vulnerability in March 2023.

According to FBI observed information, malicious actors exploited this vulnerability beginning in mid-April 2023, and continue these activities today. In early May 2023 a group self-identifying as the Bl00dy Ransomware Gang attempted to exploit vulnerable PaperCut servers against the Education Facilities Subsector.

The report linked in the show notes provides detection methods and indicators of compromise associated with Bl00dy Ransomware Gang activity. FBI and CISA strongly encourage users and administrators to immediately apply patches or workarounds if unable to patch. FBI and CISA encourage organizations who did not patch immediately to assume compromise and hunt for malicious activity using the detection signatures in the advisory documentation. If potential compromise is detected, organizations should apply the incident response recommendations included in the report. 

To report incidents and anomalous activity or to request incident response resources or technical assistance, contact CISA at, call (888) 282-0870, or report incidents to your local FBI field office.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by N2K Networks as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations.

A link to this report can be found in the show notes. 

This has been a CISA Cybersecurity Alert.