PaperCut NG Remote Web Access Attempt

name: PaperCut NG Remote Web Access Attempt
id: 9fcb214a-dc42-4ce7-a650-f1d2cab16a6a
version: 8
date: '2026-03-27'
author: Michael Haag, Splunk
status: production
type: TTP
data_source:
    - Suricata
description: |
    The following analytic detects potential exploitation attempts on publicly accessible PaperCut NG servers.
    It identifies connections from public IP addresses to the server, specifically monitoring URI paths commonly used in proof-of-concept scripts for exploiting PaperCut NG vulnerabilities.
    This detection leverages web traffic data from the `Web` datamodel, focusing on specific URI paths and excluding internal IP ranges.
    This activity is significant as it may indicate an attempt to exploit known vulnerabilities in PaperCut NG, potentially leading to unauthorized access or control of the server.
    If confirmed malicious, attackers could gain administrative access, leading to data breaches or further network compromise.
search: |
    | tstats `security_content_summariesonly`
      count min(_time) as firstTime
            max(_time) as lastTime

    from datamodel=Web WHERE

    Web.url IN (
      "*/app?service=direct/1/PrinterDetails/printerOptionsTab.tab"
      "*/app?service=direct/1/PrinterList/selectPrinter&sp=*",
      "*/app?service=page/PrinterList",
      "*/app?service=page/SetupCompleted"
    )
    NOT src IN (
                  "10.0.0.0/8",
                  "172.16.0.0/12",
                  "192.168.0.0/16",
                  "100.64.0.0/10",
                  "127.0.0.0/8",
                  "169.254.0.0/16",
                  "192.0.0.0/24",
                  "192.0.0.0/29",
                  "192.0.0.8/32",
                  "192.0.0.9/32",
                  "192.0.0.10/32",
                  "192.0.0.170/32",
                  "192.0.0.171/32",
                  "192.0.2.0/24",
                  "192.31.196.0/24",
                  "192.52.193.0/24",
                  "192.88.99.0/24",
                  "224.0.0.0/4",
                  "192.175.48.0/24",
                  "198.18.0.0/15",
                  "198.51.100.0/24",
                  "203.0.113.0/24",
                  "240.0.0.0/4",
                  "::1"
                )
    by Web.http_user_agent Web.http_method
       Web.url,Web.url_length Web.src
       Web.dest Web.dest_port

    | `drop_dm_object_name("Web")`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `papercut_ng_remote_web_access_attempt_filter`
how_to_implement: |-
    To successfully implement this search you need to be ingesting information on Web traffic that include fields relevant for traffic into the `Web` datamodel.
known_false_positives: |-
    False positives may be present if you allow access to the PaperCut NG server from public IP addresses. Filter as needed.
references:
    - https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability
    - https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
    - https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/
    - https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/
    - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: URIs specific to PaperCut NG have been access by a public IP $src$ against $dest$.
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - PaperCut MF NG Vulnerability
    asset_type: Web Server
    atomic_guid: []
    mitre_attack_id:
        - T1190
        - T1133
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/papercutng-suricata.log
          source: not_applicable
          sourcetype: suricata