CVE-2025-9785: CWE-295 Improper Certificate Validation in PaperCut Print Deploy
PaperCut Print Deploy is an optional component that integrates with PaperCut NG/MF and simplifies printer deployment and management. When the component is deployed to an environment, the customer has an option to configure the system to use a self-signed certificate. If the customer does not fully configure the system to leverage the trust database on the clients, it opens up the communication between clients and the server to man-in-the-middle attacks. It was discovered that certain parts of the documentation related to the configuration of SSL in Print Deploy were lacking, which could potentially contribute to a misconfiguration of the Print Deploy client installation. PaperCut strongly recommends using valid certificates to secure installations and following the updated documentation to ensure the correct SSL configuration. Those who use private CAs and/or self-signed certificates should make sure to copy their Certification Authority certificate, or their self-signed certificate if using only one, to the trust store of their operating system and to the Java key store.
AI Analysis
Technical Summary
CVE-2025-9785 identifies a vulnerability in PaperCut Print Deploy, an optional component designed to simplify printer deployment and management within PaperCut NG/MF environments. The root cause is improper certificate validation (CWE-295) when self-signed certificates are used without fully configuring client trust stores. Specifically, if the system is configured to use self-signed certificates but the clients do not have the corresponding CA or self-signed certificates imported into their operating system trust stores and Java key stores, the SSL/TLS communication channel between clients and the Print Deploy server becomes susceptible to man-in-the-middle (MITM) attacks. This vulnerability is aggravated by incomplete or insufficient documentation guiding administrators on proper SSL configuration, increasing the likelihood of misconfiguration. The CVSS 4.0 base score is 7.7 (high severity), reflecting the vulnerability's potential to compromise confidentiality, integrity, and availability without requiring user interaction or authentication. While no public exploits have been reported, the vulnerability poses a significant risk in environments where self-signed certificates are used incorrectly. PaperCut strongly advises the use of valid certificates issued by trusted certificate authorities and following updated documentation to ensure correct SSL setup. For those using private CAs or self-signed certificates, it is critical to import the CA certificate or self-signed certificate into both the operating system trust store and the Java key store to prevent MITM attacks.
Potential Impact
The vulnerability allows attackers positioned on the network path between clients and the Print Deploy server to perform man-in-the-middle attacks, potentially intercepting, modifying, or injecting malicious data into print deployment communications. This can lead to unauthorized access to sensitive print job information, disruption of printer deployment processes, or manipulation of printer configurations. For organizations, this undermines the confidentiality and integrity of print management operations and could cause denial of service or operational disruptions. Given that Print Deploy is used in enterprise environments to streamline printer management, exploitation could impact large numbers of users and devices, leading to operational inefficiencies and potential data leakage. The lack of authentication and user interaction requirements lowers the barrier for exploitation in vulnerable configurations. Although no known exploits are currently in the wild, the risk remains significant, especially in environments relying on self-signed certificates without proper trust store configuration.
Mitigation Recommendations
1. Replace self-signed certificates with valid certificates issued by trusted Certificate Authorities (CAs) wherever possible to ensure robust SSL/TLS validation.
2. If self-signed or private CA certificates must be used, ensure that the corresponding CA or self-signed certificates are explicitly imported into the operating system trust store and the Java key store on all client machines to establish trust.
3. Follow the updated PaperCut Print Deploy SSL configuration documentation meticulously to avoid misconfiguration.
4. Conduct regular audits of SSL/TLS configurations in Print Deploy environments to verify that trust stores are correctly populated and that no insecure fallback mechanisms are in place.
5. Monitor network traffic for unusual patterns that could indicate MITM attempts, especially in environments using self-signed certificates.
6. Educate system administrators about the risks of improper certificate validation and the importance of maintaining updated and accurate SSL configurations.
7. Implement network segmentation and use VPNs or other secure channels to reduce exposure of Print Deploy communications to untrusted networks.
8. Stay updated with PaperCut advisories and apply patches or updates promptly when available.
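One way to run the trust-store audit from items 2 and 4, as an added example that is not PaperCut tooling and not part of the original advisory: it checks with `openssl verify` whether a PEM bundle standing in for a client trust store accepts a self-signed server certificate, before and after the certificate is imported. The file names and subject names are constructed for the demo, OpenSSL 1.1.0 or later is assumed, and the Java key store is a separate store that this check does not cover.

```shell
#!/bin/sh
# Added example: all certificates, file names and CNs below are constructed
# throwaway values, not taken from any PaperCut installation.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_selfsigned NAME CN: create a one-day self-signed cert at $WORK/NAME.pem
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# audit_trust BUNDLE SERVER_CERT: print TRUSTED if SERVER_CERT chains to an
# anchor in the PEM bundle BUNDLE, otherwise UNTRUSTED.
# Relies on the exit status of `openssl verify` (assumes OpenSSL >= 1.1.0).
audit_trust() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "TRUSTED"
    else
        echo "UNTRUSTED"
    fi
}

# Stand-in for the server's self-signed certificate (hypothetical host name).
make_selfsigned server "print-deploy.example.internal"
# Stand-in for an anchor already present on the client, unrelated to the server.
make_selfsigned other "unrelated-ca.example.internal"

# Client bundle before the import: the server's certificate is missing, so a
# validating client has no way to tell the real server from an impostor.
cp "$WORK/other.pem" "$WORK/client-bundle.pem"
BEFORE=$(audit_trust "$WORK/client-bundle.pem" "$WORK/server.pem")

# Client bundle after the import: the self-signed certificate is now an anchor.
cat "$WORK/server.pem" >> "$WORK/client-bundle.pem"
AFTER=$(audit_trust "$WORK/client-bundle.pem" "$WORK/server.pem")

echo "before import: $BEFORE"
echo "after import:  $AFTER"
```

An UNTRUSTED result on a client that still connects successfully is the condition to investigate, because it means validation is not being enforced against that store.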
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, Japan, South Korea, Netherlands, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: PaperCut
- Date Reserved: 2025-09-01T06:47:33.435Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68b7c4efad5a09ad00ec9825
Added to database: 9/3/2025, 4:32:47 AM
Last enriched: 2/27/2026, 4:30:27 AM
Last updated: 3/24/2026, 11:08:59 AM