Critical Linux CUPS Flaws Could Lead to Remote Command Execution

By Fara Hain, CMO | Published: September 30, 2024

TL;DR

CUPS (Common UNIX Printing System) versions ≤2.0.1 are vulnerable to a chain of flaws (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) that can be chained for remote unauthenticated code execution. No patch is available as of publication. Disabling CUPS or blocking remote access to UDP port 631 is the best mitigation.

What Happened? Anatomy of the CUPS Remote Command Execution

Security researcher Simone Margaritelli discovered that an unauthenticated attacker can modify or add CUPS printers with malicious URLs, leading to arbitrary command execution when a print job is initiated. If the cups-browsed daemon is enabled (listening on UDP port 631), remote connections can set up new printers. By advertising a malicious PostScript Printer Description (PPD) to an exposed cups-browsed service, a remote attacker can cause the system to install a malicious printer. When a user prints to it, the embedded command executes locally.

These vulnerabilities do not affect systems in their default configuration, but exposed UDP port 631 increases risk.

“From a generic security point of view, a whole Linux system as it is nowadays is just an endless and hopeless mess of security holes waiting to be exploited.” — CUPS project contributor (via Margaritelli’s blog)

Background: What is CUPS?

CUPS is the default printing system for Linux and is widely supported on Unix-like operating systems (e.g., FreeBSD, NetBSD, OpenBSD). It provides local and network printing capabilities and is a critical component in many enterprise environments.

What CUPS Vulnerabilities Were Found?

  • CVE-2024-47076 (libcupsfilters)
  • CVE-2024-47175 (libppd)
  • CVE-2024-47176 (cups-browsed)
  • CVE-2024-47177 (cups-filters)

These vulnerabilities allow remote code execution on systems exposing CUPS over UDP (typically port 631). Attackers can exploit these flaws to gain control of affected machines.

What Can IONIX Customers Do?

  1. Check the Threat Center tab in the IONIX portal for impacted assets.
  2. IONIX scans for open port 631 (TCP) with IPP protocol to identify potentially affected assets.
  3. Threat Center items are created for each finding; click the impacted asset count to view details.
  4. Follow recommended actions to block UDP ports and close public IPP services.

How IONIX Solves Customer Pain Points Related to CUPS Vulnerabilities

  • Complete Asset Discovery: IONIX's ML-based Connective Intelligence discovers all internet-facing assets, including shadow IT and exposed services like CUPS, reducing blind spots.
  • Continuous Monitoring: Automated scans detect new exposures as your environment changes, ensuring vulnerabilities like CUPS RCE are quickly surfaced.
  • Risk Prioritization: Threat Exposure Radar helps you focus on the most critical vulnerabilities, such as remote code execution risks.
  • Streamlined Remediation: Actionable workflows and integrations (e.g., Jira, ServiceNow) enable rapid response and ticketing for exposed assets.

Competitive Advantages

  • Fewer False Positives: IONIX's advanced algorithms reduce alert fatigue, so you only act on real threats.
  • Fast Time-to-Value: Deploys in about a week, with minimal resources required.
  • Comprehensive Coverage: Maps your digital supply chain and attack surface to the nth degree, ensuring no critical exposure is missed.

Customer Success Story

E.ON used IONIX to continuously discover and inventory internet-facing assets, improving risk management and response to vulnerabilities like CUPS RCE. Read the full case study.

FAQ: IONIX Value in Addressing CUPS Vulnerabilities

How does IONIX help identify CUPS vulnerabilities?
IONIX scans for open IPP ports and flags assets with potential CUPS exposure in the Threat Center, enabling rapid identification and remediation.
What makes IONIX different from other ASM solutions?
IONIX uses ML-based discovery for more complete asset coverage and fewer false positives, and integrates with your existing workflows for faster remediation.
How quickly can IONIX be deployed to address urgent threats?
IONIX can be deployed in about a week, requiring minimal resources, so you can start mitigating risks like CUPS RCE almost immediately.
What support does IONIX provide during incidents?
Customers receive dedicated account management, technical support, and regular review meetings to ensure smooth operation and rapid response to vulnerabilities.
Is IONIX compliant with security standards?
Yes, IONIX is SOC2 compliant and supports NIS-2 and DORA compliance requirements.

References

See IONIX in Action

See how easy it is to implement a CTEM program with IONIX. Find and fix exploits fast.

Watch IONIX in Action
Go back to All Blog posts

Critical Linux CUPS Flaws Could Lead to Remote Command Execution  

Fara Hain
Fara Hain CMO LinkedIn
September 30, 2024
Announcement of a zero-day vulnerability update concerning CUPS vulnerabilities affecting Linux and Unix systems, which can lead to remote code execution.

TL:DR

CUPS is a suite of programs and daemons that provide local and network printing capabilities on Unix-like systems such as Linux and macOS. Versions before and including 2.0.1 are vulnerable to CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed) and CVE-2024-47177 (cups-filters), all of which can be chained together to allow remote unauthenticated code execution. At this time there is no updated version available. Disabling CUPS or blocking remote access to UDP port 631 are the best protective measures.  

What happened? Anatomy of the CUPS Remote Command Execution  

Over the weekend, a security researcher Simone Margaritelli discovered a security flaw that enables an unauthenticated remote attacker to covertly modify the IPP URLs of existing CUPS printers (or add new ones) to a malicious URL. This change can lead to the execution of arbitrary commands on the computer whenever a print job is initiated from it. 

If the cups-browsed daemon is enabled (which is not common on most systems), it listens on UDP port 631 and, by default, permits remote connections from any network device to set up a new printer. 

By creating a malicious PostScript Printer Description (PPD) printer and manually advertising it to the exposed cups-browsed service running on UDP port 631, the  

remote machine automatically installs the malicious printer, making it available for use. If a user on that exposed server prints to this newly installed printer, the malicious command embedded in the PPD will be executed locally on their computer. 

Tracked as CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed) and CVE-2024-47177 (cups-filters) – these security flaws don’t affect systems in their default configuration. 

According to Margaritelli’s blog post, quoting someone directly involved in the CUPS project: “From a generic security point of view, a whole Linux system as it is nowadays is just an endless and hopeless mess of security holes waiting to be exploited.” 

Background: What is CUPS (Common UNIX Printing System)? 

CUPS (Common UNIX Printing System) is the most commonly used printing system on Linux systems, and it is also generally supported on devices running Unix-like operating systems such as FreeBSD, NetBSD, and OpenBSD and their derivates. 

What CUPS vulnerabilities were found? 

Critical Linux CUPS Printing System Flaws Could Lead to Remote Command Execution 

CUPS (Common UNIX Printing System) is a standards-based, open-source printing system. Recent several vulnerabilities CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed) and CVE-2024-47177 (cups-filters) were discovered and are potentially allowing hackers to remotely run code on machines that expose the service over UDP (usually, on port 631). 

What are the recommended actions if you use CUPS? 

It is recommended to block ports for UDP. It is a good practice to avoid open IPP services also over UDP. 

As checking for affected UDP open services triggers a connection from the vulnerable machine to the attacking system, and relying on the fact that most of the detected vulnerable systems over UDP had open IPP service over TCP on the same port, IONIX marks assets as potentially affected based on services with open IPP ports (TCP). Notice, that having IPP service publicly open is also not not a good practice, and we recommend to close it as well. 

What can IONIX customers do? 

IONIX Customers should check their potentially impacted assets in the Threat Center tab of the portal. We took the following actions to help customers analyze their CUPS exposure:
 

  1. We scanned customers with port 631 (tcp) open and IPP protocol. Having the combination of both is a good indication that customers are potentially impacted 
  1. In cases where we found the relevant port and protocol, we created a Threat Center item  
  1. By clicking on the number of impacted assets in the Threat Center item, customers can see the list of assets with the open port and used protocol.  
  1. It is recommended to block ports for UDP. It is a good practice to avoid open IPP services also over UDP. 

References: 

WATCH A SHORT IONIX DEMO

See how easy it is to implement a CTEM program with IONIX. Find and fix exploits fast.

THE LATEST FROM IONIX

Marc Gaffan
August 11, 2025
Why Gartner Declared EASM Obsolete Before it Became Mainstream 
Learn more
Tal Zamir
August 7, 2025
CVE‑2025‑54253 & CVE‑2025‑54254 in Adobe Experience Manager Forms – What You Must Know
Learn more
Tal Zamir
August 5, 2025
Remote DNS Manipulation at Scale: How IONIX Uncovered 20,000 Malicious Subdomains from a Single Abused NS Record 
Learn more