CVE-2023-27351 Sumo Logic CSE · Sumo

Detect CVE-2023-27351 - PaperCut NG/MF Improper Authentication Exploitation in Sumo Logic CSE

Detects exploitation attempts targeting CVE-2023-27351, an improper authentication vulnerability (CWE-287) in PaperCut NG/MF print management software. This CISA KEV-listed vulnerability allows unauthenticated attackers to bypass authentication controls, potentially enabling unauthorized access to the PaperCut administration interface and sensitive print management data. Threat actors have actively exploited PaperCut vulnerabilities in the wild for initial access and lateral movement.

MITRE ATT&CK

Tactic
Initial Access Persistence Privilege Escalation

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=web/iis OR _sourceCategory=web/nginx OR _sourceCategory=web/apache
| parse regex "(?P<src_ip>\d+\.\d+\.\d+\.\d+)" nodrop
| parse regex "\"(?P<method>GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS) (?P<uri_path>[^\s\"]+)" nodrop
| parse regex " (?P<status_code>\d{3}) " nodrop
| parse regex "\"(?P<user_agent>[^\"]+)\"\s*$" nodrop
| where uri_path matches "/rpc/api/json*" or uri_path matches "/app*service=*" or uri_path matches "/health-check*" or uri_path matches "/app/admin*"
| where status_code in ("200", "302")
| where method in ("POST", "GET")
| count as attempt_count by src_ip, uri_path, method, status_code
| where attempt_count >= 1
| sort by attempt_count desc
| fields src_ip, uri_path, method, status_code, attempt_count
high severity medium confidence

Detects HTTP access to PaperCut NG/MF sensitive management and RPC endpoints returning successful status codes, which may indicate CVE-2023-27351 authentication bypass exploitation.

Data Sources

IIS LogsApache/Nginx LogsSumo Logic Cloud Syslog

Required Tables

_sourceCategory=web/*

False Positives & Tuning

  • Authorized administrators accessing PaperCut management pages during business hours
  • Internal monitoring and availability checks against PaperCut web interface
  • Patch management solutions testing PaperCut endpoint availability

Other platforms for CVE-2023-27351

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2023-27351 Unauthenticated Health Check Probe

    Expected signal: HTTP GET request to /health-check and /api/health on port 9191 from test host IP, HTTP 200 response in web server logs.

  2. Test 2CVE-2023-27351 Unauthenticated RPC API Call

    Expected signal: POST request to /rpc/api/json on port 9191 with Content-Type: application/json header, HTTP 200 response with JSON body in web server logs if vulnerable.

  3. Test 3CVE-2023-27351 Admin Setup Page Access Attempt

    Expected signal: GET request to /app with query parameter service=page/SetupCompleted on port 9191, HTTP response code logged in IIS or PaperCut access logs.

  4. Test 4CVE-2023-27351 Rapid Sequential Endpoint Enumeration

    Expected signal: Multiple sequential HTTP requests to PaperCut endpoints within a short timeframe from a single source IP, visible in web server access logs with timestamps.

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2023-27351 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0003PersistenceTA0004Privilege Escalation

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1059Command and Scripting Interpreter

Same Tactic: Initial Access

Popular Detections