Threat actors are actively exploiting unpatched versions of print management software PaperCut, targeting the education sector, the FBI and Cybersecurity and Infrastructure Security Agency warned Thursday in a joint advisory.
The vulnerability, CVE-2023-27350, allows a threat actor to bypass authentication and initiate remote-code execution on a PaperCut application server. PaperCut released a patch for the vulnerability in March and researchers at Huntress began observing active exploitation in mid-April.
A ransomware group identifying itself as Bl00dy Ransomware Gang attempted to exploit vulnerable PaperCut servers against the education facilities sector in early May, according to CISA and the FBI.
Education is a key market for PaperCut. The company claims more than 100 million users across 70,000 organizations globally.
A customer first reported suspicious activity on their PaperCut server to the company on April 18, PaperCut said in a security bulletin. The earliest signature of suspicious activity potentially linked to the vulnerability was identified on a customer server on April 14.
Microsoft Threat Intelligence warned more threat actors were exploiting unpatched versions of PaperCut in a tweet on May 5. Researchers tracked active exploitation to multiple threat actors Microsoft refers to as Lace Tempest, a financially motivated threat actor, and Iranian state-sponsored threat actors Mint Sandstorm and Mango Sandstorm.
The joint advisory includes detection methods and indicators of compromise, and the federal agencies advised administrators to immediately apply patches or workarounds if necessary.