<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>PaperCut NG - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/papercut-ng/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 05 May 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/papercut-ng/feed.xml" rel="self" type="application/rss+xml"/><item><title>Multiple Vulnerabilities in PaperCut Allow Data Confidentiality Breach and Security Policy Bypass</title><link>https://feed.craftedsignal.io/briefs/2026-05-papercut-vulns/</link><pubDate>Tue, 05 May 2026 00:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-papercut-vulns/</guid><description>Multiple vulnerabilities in PaperCut Embedded App versions prior to 2.2.0 on Ricoh devices and PaperCut NG/MF versions prior to 25.0.11 allow attackers to compromise data confidentiality and bypass security policies, potentially leading to unauthorized access and control.</description><content:encoded><![CDATA[<p>Multiple vulnerabilities have been identified in PaperCut, a print management software, posing significant risks to data confidentiality and security policy enforcement. Specifically, PaperCut Embedded App versions prior to 2.2.0 on Ricoh devices and PaperCut NG/MF versions prior to 25.0.11 are affected. Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access to sensitive data, bypass security controls, and potentially compromise the entire print management system. The vulnerabilities were disclosed in a PaperCut security bulletin released on May 5, 2026. Defenders should apply the vendor-provided patches to mitigate these risks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a vulnerable PaperCut NG/MF server or PaperCut Embedded App on a Ricoh device.</li>
<li>The attacker exploits CVE-2026-6180, CVE-2026-6418 or CVE-2026-7824 to gain unauthorized access.</li>
<li>Upon successful exploitation, the attacker bypasses authentication mechanisms.</li>
<li>The attacker gains access to sensitive print job data, including documents and user information.</li>
<li>The attacker modifies security policies to escalate privileges.</li>
<li>The attacker gains control over print queues and system configurations.</li>
<li>The attacker can intercept, modify, or delete print jobs.</li>
<li>The attacker exfiltrates sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities could lead to a significant breach of data confidentiality, allowing attackers to access sensitive documents and user information. The bypassing of security policies could lead to unauthorized access and control over the print management system. This could result in the compromise of sensitive data, disruption of printing services, and potential reputational damage for organizations using vulnerable versions of PaperCut.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade PaperCut NG/MF to version 25.0.11 or later to patch the identified vulnerabilities, as referenced in the PaperCut security bulletin.</li>
<li>Upgrade PaperCut Embedded App on Ricoh devices to version 2.2.0 or later.</li>
<li>Monitor web server logs for suspicious activity targeting PaperCut servers, focusing on HTTP requests associated with the exploitation of CVE-2026-6180, CVE-2026-6418, and CVE-2026-7824.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>papercut</category><category>data-breach</category><category>security-bypass</category></item><item><title>PaperCut NG Remote Web Access Attempt Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-papercut-ng-exploitation/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-papercut-ng-exploitation/</guid><description>This analytic detects potential exploitation attempts on publicly accessible PaperCut NG servers by identifying connections from public IP addresses to the server, specifically monitoring URI paths commonly used in proof-of-concept scripts for exploiting PaperCut NG vulnerabilities.</description><content:encoded><![CDATA[<p>This threat brief focuses on detecting exploitation attempts against PaperCut NG servers, a print management software solution widely used in educational and enterprise environments. Publicly accessible PaperCut NG servers are being targeted by attackers leveraging known vulnerabilities to gain unauthorized access. The attacks involve sending malicious requests to specific URI paths that are part of proof-of-concept exploits. This activity is significant because successful exploitation can lead to complete server compromise, allowing attackers to steal sensitive data, disrupt printing services, and potentially pivot to other systems within the network. This detection is based on identifying web traffic patterns indicative of exploit attempts, specifically monitoring for connections from public IP addresses to vulnerable URI paths.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a publicly accessible PaperCut NG server.</li>
<li>The attacker sends a crafted HTTP GET request to the PaperCut NG server targeting a vulnerable URI path, such as <code>/app?service=direct/1/PrinterDetails/printerOptionsTab.tab</code> or <code>/app?service=direct/1/PrinterList/selectPrinter&amp;sp=*</code>.</li>
<li>The PaperCut NG server processes the malicious request.</li>
<li>The vulnerability is exploited, allowing the attacker to execute arbitrary code on the server.</li>
<li>The attacker gains a foothold on the PaperCut NG server.</li>
<li>The attacker elevates privileges to gain administrative access.</li>
<li>The attacker uses the compromised server to access sensitive information, such as user data, print jobs, and configuration files.</li>
<li>The attacker may use the compromised server as a pivot point to access other systems within the internal network, potentially leading to a wider network compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of PaperCut NG vulnerabilities can have severe consequences, including unauthorized access to sensitive data, disruption of printing services, and potential compromise of the entire network. The number of affected organizations is currently unknown, but the widespread use of PaperCut NG in educational and enterprise settings suggests a significant potential impact. A successful attack could lead to data breaches, financial losses, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &quot;PaperCut NG Remote Web Access Attempt&quot; Sigma rule to your SIEM to detect exploitation attempts based on URI patterns.</li>
<li>Ensure that PaperCut NG servers are not directly exposed to the public internet without proper security controls, such as a web application firewall (WAF).</li>
<li>Review and restrict access to PaperCut NG servers from external IP addresses, filtering as needed based on the &quot;known_false_positives&quot; guidance.</li>
<li>Monitor web traffic logs for connections to PaperCut NG servers from unexpected public IP addresses to identify potential exploitation attempts, using the provided detection rule and Suricata data.</li>
<li>Investigate any alerts generated by the Sigma rule to determine the extent of the compromise and take appropriate remediation steps.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>papercut</category><category>vulnerability</category><category>webserver</category></item></channel></rss>