CVE-2023-27351 IBM QRadar · QRadar

Detect CVE-2023-27351 - PaperCut NG/MF Improper Authentication Exploitation in IBM QRadar

Detects exploitation attempts targeting CVE-2023-27351, an improper authentication vulnerability (CWE-287) in PaperCut NG/MF print management software. This CISA KEV-listed vulnerability allows unauthenticated attackers to bypass authentication controls, potentially enabling unauthorized access to the PaperCut administration interface and sensitive print management data. Threat actors have actively exploited PaperCut vulnerabilities in the wild for initial access and lateral movement.

MITRE ATT&CK

Tactic
Initial Access Persistence Privilege Escalation

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  sourceip,
  destinationip,
  destinationport,
  URL,
  username,
  "HTTP Method",
  "HTTP Response Code",
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  COUNT(*) AS attempt_count
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft IIS', 'Apache HTTP Server', 'Nginx')
  AND destinationport IN (9191, 9192)
  AND (
    URL ILIKE '%/rpc/api/json%'
    OR URL ILIKE '%/app?service=%'
    OR URL ILIKE '%/health-check%'
    OR URL ILIKE '%/app/admin%'
  )
  AND "HTTP Response Code" IN (200, 302)
  AND (username IS NULL OR username = '' OR username ILIKE '%anonymous%')
  AND starttime > NOW() - 1 HOURS
GROUP BY sourceip, destinationip, destinationport, URL, username, "HTTP Method", "HTTP Response Code"
HAVING attempt_count >= 1
ORDER BY attempt_count DESC
LAST 60 MINUTES
high severity medium confidence

Identifies unauthenticated or anonymously-authenticated HTTP requests to PaperCut NG/MF management endpoints on standard PaperCut ports, consistent with CVE-2023-27351 exploitation.

Data Sources

Microsoft IIS Logs via QRadar DSMApache/Nginx Web LogsQRadar Network Activity

Required Tables

events

False Positives & Tuning

  • Monitoring agents polling PaperCut health endpoints without sending credentials
  • Authorized users whose username field is not populated in the log source
  • Network scanners or asset discovery tools probing open ports

Other platforms for CVE-2023-27351

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2023-27351 Unauthenticated Health Check Probe

    Expected signal: HTTP GET request to /health-check and /api/health on port 9191 from test host IP, HTTP 200 response in web server logs.

  2. Test 2CVE-2023-27351 Unauthenticated RPC API Call

    Expected signal: POST request to /rpc/api/json on port 9191 with Content-Type: application/json header, HTTP 200 response with JSON body in web server logs if vulnerable.

  3. Test 3CVE-2023-27351 Admin Setup Page Access Attempt

    Expected signal: GET request to /app with query parameter service=page/SetupCompleted on port 9191, HTTP response code logged in IIS or PaperCut access logs.

  4. Test 4CVE-2023-27351 Rapid Sequential Endpoint Enumeration

    Expected signal: Multiple sequential HTTP requests to PaperCut endpoints within a short timeframe from a single source IP, visible in web server access logs with timestamps.

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2023-27351 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0003PersistenceTA0004Privilege Escalation

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1059Command and Scripting Interpreter

Same Tactic: Initial Access

Popular Detections