PaperCut Print Deploy Security Bulletin (September 2025)
Last updated September 29, 2025
Executive Summary
CVE-2025-9785 has been raised relating to installations of Print Deploy. Documentation on configuring SSL/TLS certificate validation published before the release of Print Deploy version 1.9.2917 (prior to 7 July 2025) was incomplete, so it is likely that customers may have configured their Print Deploy installation insecurely despite following the documentation on enabling SSL certificate validation. This issue can be resolved with a simple configuration update.
Background
For versions of Print Deploy older than version 1.9.2917 (prior to 7 July 2025), we’ve found that the documentation lacked information on configuring SSL/TLS certificate validation. As a result, it is likely that customers may have configured their Print Deploy installation insecurely despite following the documentation on enabling SSL certificate validation. This may lead to a man-in-the-middle attack against clients connecting to the Print Deploy servers.
Starting from Print Deploy version 1.9.2917, the documentation has been updated to address this issue. The updated documentation contains an additional step to configure the updater settings file. From Print Deploy version 1.9.2917, specifying STRICT_SSL=yes on the installer command line applies the documented changes to the updater settings file automatically, saving system administrators time and effort.
PaperCut NG/MF can be configured with self-signed certificates. For servers using self-signed certificates, to mitigate the possibility of a man-in-the-middle attack, it is recommended to add the self-signed certificate to the system’s CA (Certificate Authority) bundle so that the operating system or specific applications trust that certificate, even though it wasn’t issued by a known CA. The exact steps vary depending on the operating system and generally go beyond PaperCut’s product documentation.
Self-signed certificates are known to be vulnerable to man-in-the-middle attacks, so CA-signed certificates should be preferred. However, PaperCut recognises that in some circumstances it may be beneficial to rely on self-signed certificates. If self-signed certificates are used, the recommended strategy for avoiding the possibility of man-in-the-middle attacks is to make sure the certificate is added to the system’s CA (Certificate Authority) bundle. The exact steps will vary depending on the operating system.
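The following is an added example, not PaperCut code or a documented PaperCut procedure: it uses the OpenSSL command line to show how strict validation treats a self-signed certificate before and after it is placed in a trust bundle, and that a different self-signed certificate carrying the same name is still rejected. The host name `printdeploy.example.internal`, the function names and the certificates are constructed for illustration; on a real client the bundle corresponds to the operating system trust store.

```shell
#!/bin/sh
# Added example: constructed certificates; all names below are hypothetical.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="printdeploy.example.internal"   # hypothetical Print Deploy server name

# make_cert <name>: write a throwaway self-signed certificate for $HOST
# to $WORK/<name>.crt (constructed sample data, valid for one day).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# check_trust <cert> [bundle]: print "trusted" if <cert> validates for $HOST
# against <bundle>, or against the OpenSSL default trust store when no bundle
# is given; print "untrusted" otherwise.
check_trust() {
  if [ -n "${2:-}" ]; then
    ct_out="$(openssl verify -CAfile "$2" -verify_hostname "$HOST" "$1" 2>&1)" || true
  else
    ct_out="$(openssl verify -verify_hostname "$HOST" "$1" 2>&1)" || true
  fi
  case "$ct_out" in
    *": OK"*) echo trusted ;;
    *)        echo untrusted ;;
  esac
}

make_cert server     # the certificate the real server presents
make_cert impostor   # a different self-signed certificate with the same name

# 1. Certificate not in any trust store: strict validation rejects it.
echo "server, default trust store:  $(check_trust "$WORK/server.crt")"
# 2. Certificate added to the trust bundle: validation succeeds.
echo "server, bundle with server:   $(check_trust "$WORK/server.crt" "$WORK/server.crt")"
# 3. Same name, different key: rejected, only the real certificate is trusted.
echo "impostor, bundle with server: $(check_trust "$WORK/impostor.crt" "$WORK/server.crt")"
```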
| Issue | Notes | CVSS Rating and Vector |
|---|---|---|
| CVE-2025-9785 | PaperCut Print Deploy is an optional component that integrates with PaperCut NG/MF and simplifies printer deployment and management. When the component is deployed to an environment, the customer has the option to configure the system to use a self-signed certificate. If the customer does not fully configure the system to leverage the trust database on the clients, communication between clients and the server is exposed to man-in-the-middle attacks. It was discovered that certain parts of the documentation related to the configuration of SSL in Print Deploy were lacking, which could potentially contribute to a misconfiguration of the Print Deploy client installation. PaperCut strongly recommends using valid certificates to secure installations and following the updated documentation to ensure the correct SSL configuration. Those who use private CAs and/or self-signed certificates should make sure to copy their Certification Authority certificate, or their self-signed certificate if using only one, to the trust store of their operating system and to the Java key store. | 7.7/High (CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) |
Who is impacted
This vulnerability may apply to your PaperCut NG/MF server if the following apply:
- You are deploying drivers with Print Deploy
- You have set up the Print Deploy client with documentation from before Print Deploy version 1.9.2917 (prior to 7 July 2025).
Steps to resolve
To resolve this issue, please follow the updated steps to enforce certificate validation as described in our documentation: Enable strict SSL checking - Step 4: Enforce certificate validation for Print Deploy client auto-updates.
Acknowledgements
PaperCut would like to thank Tim Kornhuber, Oliver Matula, and Maximilian Platzner of DBSystel GmbH for finding and reporting this issue.
FAQs
Q: Where can I get the upgrade?
While you can get the upgrade as described below, make sure that you also apply the Steps to resolve to ensure you are not impacted by this issue.
You can find the steps to either turn on auto-update or manually update Print Deploy here.
Q: Do I need to upgrade PaperCut NG/MF as well to fix it?
No, the fix only needs the steps described in the Steps to resolve section.
Q: If I have an existing installation of Print Deploy, will the upgrade be enough to fix this issue?
No, just upgrading to the fixed version does not fix the issue. You must still apply the changes listed in the Steps to resolve section.
Q: Is there anything I should be aware of before applying the upgrade?
No, this is a standard over-the-top upgrade.
Security notifications
“How do I sign-up for PaperCut’s security mailing list?”
To get timely notifications of security news (including security-related fixes or vulnerability information), please subscribe to our security notifications list via our Security notifications sign-up form. If you’re a sysadmin or if you look after PaperCut product implementations at your organization, this list will help you be amongst the first to hear of any security-related news or updates.
Updates
| Date | Update/action |
|---|---|
| 3 September, 2025 (AEST) | Published the initial Security Bulletin. |