Unrated

SYSTEM Privilege Escalation in PaperCut Print Deploy Client for Windows via Unqualified Path Search

Identifiers: CVE-2026-6645, CWE-426

CVE-2026-6645 is an insecure process execution vulnerability in the pc-printer-updater.exe component of the PaperCut Print Deploy Client for Windows. The vulnerable component, which typically runs with elevated Windows privileges up to SYSTEM, performs an internal validation step by launching a secondary system utility using an unqualified executable name rather than an absolute path. As a result, Windows resolves the target binary according to its normal executable search order. If a local attacker can place a malicious executable with the expected name in a directory that is searched before the legitimate utility, the updater may execute the attacker-controlled binary instead of the intended system utility. This is a classic untrusted search path / path hijacking condition that can be leveraged for local privilege escalation.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary code execution in the security context of the vulnerable PaperCut component, which is described as operating with high-level privileges and can result in execution as SYSTEM. This enables full local compromise of the affected Windows host, including privilege escalation from a lower-privileged account, installation of persistent malware, tampering with system configuration, credential theft, disabling security controls, and broader post-exploitation activity.

Mitigation

If you can’t patch tonight, do this now.

No official workaround is provided in the supplied content. As interim mitigation, restrict write access for non-administrative users to directories that may be consulted during executable resolution, including PATH-accessible locations and any application-controlled working directories involved in process launch. Review and harden environment and filesystem permissions to prevent unprivileged users from planting binaries in searched locations. Monitor for suspicious executables masquerading as expected system utilities and for anomalous child-process creation by pc-printer-updater.exe.
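The child-process monitoring suggested above can be sketched as follows. This is an added example, not PaperCut or Mallory code. It assumes process-creation events with Sysmon Event ID 1 style `Image` and `ParentImage` fields and assumes the legitimate utility lives under System32 or SysWOW64. The sample events, the install path and the name `example-util.exe` are constructed placeholders, since the page does not name the utility.

```python
import ntpath  # Windows path rules, usable on any OS

UPDATER = "pc-printer-updater.exe"
# Assumption: the legitimate system utility resolves under one of these.
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")


def _norm(path):
    """Collapse '..' segments and fold case, as Windows path matching does."""
    return ntpath.normcase(ntpath.normpath(path))


def is_trusted(image):
    """True if the image sits in, or below, one of TRUSTED_DIRS."""
    parent = ntpath.dirname(_norm(image))
    return any(parent == _norm(d) or parent.startswith(_norm(d) + "\\")
               for d in TRUSTED_DIRS)


def suspicious_children(events):
    """Events where the updater spawned an image outside TRUSTED_DIRS."""
    hits = []
    for ev in events:
        parent = ntpath.basename(_norm(ev.get("ParentImage", "")))
        if parent == UPDATER and not is_trusted(ev.get("Image", "")):
            hits.append(ev)
    return hits


# Constructed events; install path and "example-util.exe" are placeholders.
_P = r"C:\ExampleInstallDir\pc-printer-updater.exe"
SAMPLE_EVENTS = [
    {"ParentImage": _P, "Image": r"C:\Windows\System32\example-util.exe"},
    {"ParentImage": _P, "Image": r"C:\Users\Public\example-util.exe"},
    {"ParentImage": _P, "Image": r"C:\Windows\System32\..\Temp\example-util.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Users\Public\example-util.exe"},
    {"ParentImage": _P.upper(), "Image": r"c:\windows\system32\EXAMPLE-UTIL.EXE"},
]

if __name__ == "__main__":
    for ev in suspicious_children(SAMPLE_EVENTS):
        print("ALERT:", ev["ParentImage"], "->", ev["Image"])
```

If the updater legitimately launches helpers from its own install directory, add that directory to `TRUSTED_DIRS` only when non-administrative users cannot write to it.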

Remediation

Patch, then assume compromise.

Apply the vendor-provided fix or update for the PaperCut Print Deploy Client for Windows when available. The proper remediation is to modify pc-printer-updater.exe so that any invoked system utility is referenced by a fully qualified absolute path rather than relying on Windows search-path resolution. Standard secure process creation practices should also be followed, including avoiding ambiguous executable names and validating the exact binary being launched.
PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
PaperCut Software | Print Deploy Client | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

No news coverage yet. Advisories and community discussion only.
