PaperCut NG/MF Security Bulletin (May 2025)

Executive Summary This bulletin provides an update regarding CVE-2024-8404, initially detailed in our May 2024 Security Bulletin . A new trigger path for this known issue was identified. This issue only applies to Web Print on a Windows server. If administrators have used a single device/server for hosting PaperCut NG/MF and Web Print and granted different levels of local login access to the same device, action is strongly recommended. The solution involves a quick configuration adjustment that can be implemented without any system downtime, eliminating the need for a full product upgrade at this time. Background PaperCut, in collaboration with Trend Micro, has identified a new trigger path associated with CVE-2024-8404. To address this, we have provided two remediation methods: a straightforward configuration change for existing PaperCut NG/MF installations and an automatic application of this configuration for new installations of PaperCut MF/NG version 24.1.7 and later. Who is impacted This vulnerability may apply to your Windows PaperCut NG/MF server if - You are hosting PaperCut NG/MF and Web Print on the same device You are using the shared directory web-print-hot-folder This issue does not apply to Linux/Mac OS servers. Steps to resolve For Existing Web Print Setups: To ensure protection against this specific issue, change the permissions associated with Web Print’s Hot Folder. We’ve provided a detailed guide here . If you’ve got a shared web-print-hot-folder directory, you should follow the instructions in the Sharing on a Windows Application Server section. For convenience the applicable instructions have been added below: On a Windows PaperCut NG/MF Application Server, you need to configure the share on the hot folder [app-path]/server/data/web-print-hot-folder/ and set up the permissions as follows: Configure NTFS Permissions: Right-click the hot folder, select Properties. Go to the Security tab. Click Edit, then Add. Add the SYSTEM account (if not already present with sufficient rights) and grant it Modify permissions. Add the webprint user (either DOMAIN\webprint or the local APP-SERVER\webprint account) and grant it Modify permissions. Ensure you select the correct location (domain or local machine) when searching for the user. Remove or restrict permissions for other groups like Users Remove Everyone if it exists. Ensure inheritance is enabled if appropriate, so these permissions apply to files created within the folder. If you are using a shared web-print-hot-folder directory, you will need to configure Sharing Permissions: Right-click the hot folder, select Properties. Go to the Sharing tab. Click Advanced Sharing. Check Share this folder. Click Permissions. Remove Everyone if it exists. Add the webprint user (domain or local, matching the one used for NTFS) and grant it Change permissions. You might add the Administrators group with Full Control for administrative purposes. Click OK to close the permissions windows. Perform basic tests of Web Print to confirm it is working as expected. For New Installations (Version 24.1.7 and later): Good news! If you’re setting up PaperCut NG/MF 24.1.7 or newer with Web Print for the first time, the necessary protection is built-in by default. No extra action is needed. Acknowledgements PaperCut would like to thank CrisprXiang & Hao Huang working with Trend Zero Day Initiative. Trend Micro and PaperCut have worked together over the last 12 months to ensure that all their research and testing of PaperCut products is responsibly disclosed and collaboratively released. FAQs Q Where can I get the upgrade? The Check for updates link in the PaperCut NG/MF admin interface allows customers to download the latest version of PaperCut NG or MF. You will find this at PaperCut NG/MF Admin interface > About > Version info > Check for updates. You can also find your PaperCut partner or reseller information on the Help tab (or About tab in older versions) on the PaperCut Web admin interface. Alternatively, direct downloads are available on the upgrade page . It’s easy to identify your edition of PaperCut - it’s on the About tab and in the footer of your PaperCut Web admin login. Q If I have an existing installation of Web Print on Windows, will the upgrade be enough to fix this issue? To ensure protection against this specific issue, users must change the permissions associated with Web Print’s Hot Folder. We’ve provided a detailed guide here in the Sharing on a Windows Application Server section. Q Do I need to apply the fix if I'm using Web Print in Sandbox mode?/ Do I need to apply the fix if I'm using Web Print in Default mode Yes. Regardless of whether you’re using Web Print on Windows in default or sanbox, the changes in the detailed guide here in the Sharing on a Windows Application Server section will need to be applied. Q Is there anything I should be aware of before applying the upgrade? No, this is a standard over the top upgrade. Q I’m running version 21.x or 22.x and due to operational reasons, I can’t upgrade to 23. Are hotfixes available for these older versions? No, but you can apply the fix documented in the guide here in the Sharing on a Windows Application Server section to ensure you are protected. Security notifications “How do I sign-up for PaperCut’s security mailing list?” In order to get timely notifications of security news (including security related fixes or vulnerability information) please subscribe to our security notifications list via our Security notifications sign-up form . If you’re a sys admin or if you look after PaperCut product implementations at your organization, this list will help you be amongst the first to hear of any security related news or updates. Updates Date Update/action 13th May, 2025 (AEST) Published the initial Security Bulletin. 13th May, 2025 (AEST) Sent email notification to the PaperCut security notifications subscriber list. 11 June, 2025 (AEST) Improved wording.