{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/papercut-ng/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-6180"},{"id":"CVE-2026-6418"},{"id":"CVE-2026-7824"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PaperCut Embedded App","PaperCut NG/MF"],"_cs_severities":["high"],"_cs_tags":["vulnerability","papercut","data-breach","security-bypass"],"_cs_type":"advisory","_cs_vendors":["PaperCut"],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in PaperCut, a print management software, posing significant risks to data confidentiality and security policy enforcement. Specifically, PaperCut Embedded App versions prior to 2.2.0 on Ricoh devices and PaperCut NG/MF versions prior to 25.0.11 are affected. Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access to sensitive data, bypass security controls, and potentially compromise the entire print management system. The vulnerabilities were disclosed in a PaperCut security bulletin released on May 5, 2026. Defenders should apply the vendor-provided patches to mitigate these risks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable PaperCut NG/MF server or PaperCut Embedded App on a Ricoh device.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits CVE-2026-6180, CVE-2026-6418 or CVE-2026-7824 to gain unauthorized access.\u003c/li\u003e\n\u003cli\u003eUpon successful exploitation, the attacker bypasses authentication mechanisms.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive print job data, including documents and user information.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies security policies to escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over print queues and system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker can intercept, modify, or delete print jobs.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to a significant breach of data confidentiality, allowing attackers to access sensitive documents and user information. The bypassing of security policies could lead to unauthorized access and control over the print management system. This could result in the compromise of sensitive data, disruption of printing services, and potential reputational damage for organizations using vulnerable versions of PaperCut.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade PaperCut NG/MF to version 25.0.11 or later to patch the identified vulnerabilities, as referenced in the PaperCut security bulletin.\u003c/li\u003e\n\u003cli\u003eUpgrade PaperCut Embedded App on Ricoh devices to version 2.2.0 or later.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting PaperCut servers, focusing on HTTP requests associated with the exploitation of CVE-2026-6180, CVE-2026-6418, and CVE-2026-7824.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T00:00:00Z","date_published":"2026-05-05T00:00:00Z","id":"https://feed.craftedsignal.io/briefs/2026-05-papercut-vulns/","summary":"Multiple vulnerabilities in PaperCut Embedded App versions prior to 2.2.0 on Ricoh devices and PaperCut NG/MF versions prior to 25.0.11 allow attackers to compromise data confidentiality and bypass security policies, potentially leading to unauthorized access and control.","title":"Multiple Vulnerabilities in PaperCut Allow Data Confidentiality Breach and Security Policy Bypass","url":"https://feed.craftedsignal.io/briefs/2026-05-papercut-vulns/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PaperCut NG"],"_cs_severities":["high"],"_cs_tags":["papercut","vulnerability","webserver"],"_cs_type":"advisory","_cs_vendors":["PaperCut"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting exploitation attempts against PaperCut NG servers, a print management software solution widely used in educational and enterprise environments. Publicly accessible PaperCut NG servers are being targeted by attackers leveraging known vulnerabilities to gain unauthorized access. The attacks involve sending malicious requests to specific URI paths that are part of proof-of-concept exploits. This activity is significant because successful exploitation can lead to complete server compromise, allowing attackers to steal sensitive data, disrupt printing services, and potentially pivot to other systems within the network. This detection is based on identifying web traffic patterns indicative of exploit attempts, specifically monitoring for connections from public IP addresses to vulnerable URI paths.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a publicly accessible PaperCut NG server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP GET request to the PaperCut NG server targeting a vulnerable URI path, such as \u003ccode\u003e/app?service=direct/1/PrinterDetails/printerOptionsTab.tab\u003c/code\u003e or \u003ccode\u003e/app?service=direct/1/PrinterList/selectPrinter\u0026amp;sp=*\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe PaperCut NG server processes the malicious request.\u003c/li\u003e\n\u003cli\u003eThe vulnerability is exploited, allowing the attacker to execute arbitrary code on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the PaperCut NG server.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain administrative access.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised server to access sensitive information, such as user data, print jobs, and configuration files.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the compromised server as a pivot point to access other systems within the internal network, potentially leading to a wider network compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of PaperCut NG vulnerabilities can have severe consequences, including unauthorized access to sensitive data, disruption of printing services, and potential compromise of the entire network. The number of affected organizations is currently unknown, but the widespread use of PaperCut NG in educational and enterprise settings suggests a significant potential impact. A successful attack could lead to data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026quot;PaperCut NG Remote Web Access Attempt\u0026quot; Sigma rule to your SIEM to detect exploitation attempts based on URI patterns.\u003c/li\u003e\n\u003cli\u003eEnsure that PaperCut NG servers are not directly exposed to the public internet without proper security controls, such as a web application firewall (WAF).\u003c/li\u003e\n\u003cli\u003eReview and restrict access to PaperCut NG servers from external IP addresses, filtering as needed based on the \u0026quot;known_false_positives\u0026quot; guidance.\u003c/li\u003e\n\u003cli\u003eMonitor web traffic logs for connections to PaperCut NG servers from unexpected public IP addresses to identify potential exploitation attempts, using the provided detection rule and Suricata data.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the extent of the compromise and take appropriate remediation steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-papercut-ng-exploitation/","summary":"This analytic detects potential exploitation attempts on publicly accessible PaperCut NG servers by identifying connections from public IP addresses to the server, specifically monitoring URI paths commonly used in proof-of-concept scripts for exploiting PaperCut NG vulnerabilities.","title":"PaperCut NG Remote Web Access Attempt Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-papercut-ng-exploitation/"}],"language":"en","title":"CraftedSignal Threat Feed - PaperCut NG","version":"https://jsonfeed.org/version/1.1"}