
State-sponsored attackers are exploiting PaperCut vulnerabilities: Microsoft


Iranian state-sponsored hacking groups Mango Sandstorm (also tracked as Mercury) and Mint Sandstorm (Phosphorus) are now weaponising CVE-2023-27350, a critical flaw in the PaperCut print management software, to gain initial access. Microsoft links Mango Sandstorm to Iran’s Ministry of Intelligence and Security (MOIS) and Mint Sandstorm to the Islamic Revolutionary Guard Corps (IRGC).

In a series of tweets, Microsoft has revealed that Mango Sandstorm is exploiting the vulnerability and using tools from “prior intrusions to connect to their C2 infrastructure”. The report comes shortly after Microsoft reported that Lace Tempest, a group which overlaps with FIN11, TA505 and Evil Corp, was abusing the same vulnerability to deliver the Clop and LockBit ransomware strains.

The two vulnerabilities PaperCut disclosed are:

  • CVE-2023-27350 (CVSS score 9.8): Remote code execution flaw affecting PaperCut MF and NG version 8.0 or later on all OS platforms, on both application servers and site servers.
  • CVE-2023-27351 (CVSS score 8.2): Unauthenticated information disclosure flaw affecting PaperCut MF and NG version 15.0 or later on all OS platforms, on both application servers and site servers.

PaperCut fixed both flaws in a patch released on March 8, 2023. Users of affected deployments should update to version 20.1.7, 21.2.11 or 22.0.9 (or later), whichever matches their release branch; older major versions have no patched build of their own and need to be upgraded to one of these. Additionally, Trend Micro’s Zero Day Initiative, which discovered and reported the issues to PaperCut, is expected to release more information on May 10, 2023.
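As an added example (not code from PaperCut, Microsoft or this article), the following Python turns the version ranges above into a check a defender can run over a list of server banners or inventory records, reporting which of the two CVEs a given build is still exposed to. The version thresholds are those from the PaperCut advisory; the assumption that any release newer than 22.0.9 also carries the fix, and the sample banners at the bottom, are ours.

```python
"""Check a PaperCut MF/NG version string against the affected and fixed
ranges from the PaperCut advisory for CVE-2023-27350 and CVE-2023-27351.

Added example, not PaperCut's or Microsoft's code. Thresholds are taken
from the advisory; treating every release after 22.0.9 as fixed is an
assumption of this example.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# First build in each maintained branch that contains the fix (from the
# advisory). A build below its branch's fixed build, or any branch with no
# fixed build listed (8.x-19.x, 21.0.x, 21.1.x, ...), is unpatched.
FIXED_BUILDS = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}
LATEST_FIXED_BRANCH = 22  # assumption: anything newer than 22.0.9 is fixed


def parse_version(text: str) -> Optional[Version]:
    """Pull the dotted numeric version out of strings such as '21.2.10' or
    'PaperCut NG 22.0.5 (Build 65425)'. Returns None if none is present."""
    m = re.search(r"\b(\d+(?:\.\d+)+)\b", text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def has_fix(v: Version) -> bool:
    """True if the build is at or above the fixed build for its branch.
    A bare '22.0' (no patch level) compares below (22, 0, 9) and so is
    treated as unpatched, which is the conservative reading."""
    major = v[0]
    if major > LATEST_FIXED_BRANCH:
        return True
    fixed = FIXED_BUILDS.get(major)
    return fixed is not None and v >= fixed


def affected_cves(text: str) -> dict:
    """Return {'CVE-2023-27350': bool, 'CVE-2023-27351': bool} for a version
    string, or an empty dict if no version number could be parsed."""
    v = parse_version(text)
    if v is None:
        return {}
    unpatched = not has_fix(v)
    return {
        # RCE, CVSS 9.8: present since 8.0
        "CVE-2023-27350": v >= (8, 0) and unpatched,
        # Unauthenticated information disclosure, CVSS 8.2: present since 15.0
        "CVE-2023-27351": v >= (15, 0) and unpatched,
    }


if __name__ == "__main__":
    # Constructed sample banners, not taken from real hosts.
    for banner in ["PaperCut NG 22.0.5 (Build 65425)", "21.2.11", "20.0.6",
                   "12.5.1", "7.9.2", "23.0.1"]:
        print(f"{banner:40} {affected_cves(banner)}")
```

Note the branch-specific handling: 21.2.11 is fixed while 20.0.6 is not, even though 20.0.6 is the "older" number; a plain "version >= 20.1.7" comparison would get that wrong. A 12.x install is exposed to the RCE but not to the information-disclosure flaw, since the latter only exists from 15.0 onwards.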

Once public proof-of-concept exploits for the vulnerabilities were published, both groups quickly folded the exploit into their operations as an initial access vector. Microsoft says Mint Sandstorm’s exploitation activity appears ‘opportunistic’, affecting organisations across sectors and geographies. Mango Sandstorm’s observed exploitation, on the other hand, remains low, though the group is still using the flaw to breach networks.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
