PaperCut, a print management software provider, has announced that it has found evidence to suggest that unpatched servers are being exploited in the wild. This announcement comes after two vulnerability reports from cybersecurity company Trend Micro. PaperCut has conducted analysis on all customer reports and has found that the earliest signature of suspicious activity on a customer server potentially linked to this vulnerability is from April 14th 01:29 AEST / April 13th 15:29 UTC. The update comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical improper access control flaw (CVE-2023-27350, CVSS score: 9.8) in PaperCut MF and NG to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. Cybersecurity company Huntress has found that there are about 1,800 publicly exposed PaperCut servers. They observed PowerShell commands being spawned from PaperCut software to install remote management and maintenance (RMM) software like Atera and Syncro for persistent access and code execution on the infected hosts. Additional infrastructure analysis has revealed that the domain hosting the tools – windowservicecemter[.]com – was registered on April 12, 2023. This domain is also hosting malware like TrueBot, although the company has said that it did not directly detect the deployment of the downloader. TrueBot is attributed to a Russian criminal entity known as Silence, which in turn has historical links with Evil Corp and its overlapping cluster TA505. TA505 has facilitated the distribution of Cl0p ransomware in the past.