# cups\_browsed\_external\_internal **Explanation** This event is triggered by Netography's Fusion Portal when it detects traffic on UDP port 631 entering your network. This traffic indicates that there are very likely one or more CUPS printer servers exposed to the Internet. Inbound traffic on UDP/631 is associated with CVE-2024-47176 which is part of a longer exploit chain that could lead to Remote Code Execution (RCE) by an attacker. The event does not necessarily mean that your CUPS servers have been exploited, or are even vulnerable, but you should strongly consider blocking inbound UDP port 631 at the firewall. **What to Look For** The exploit chain starting with CVE-2024-47176 works by forcing your CUPS server to request printer details from an attacker controlled Internet Printing Protocol (IPP) server, and then creating a malicious PostScript Printer Description (PPD) file on the victim machine; RCE is not achieved until that PPD file is used to print a document. Once outside access on UDP/631 is restricted, you should start by checking the victim server for unfamiliar printers and reviewing outbound connections closely after this event. **Related MITRE ATT\&CK Categories** [Initial Access, Persistence: External Remote Services, Technique T1133 - Enterprise](https://attack.mitre.org/techniques/T1133) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/cups_browsed_external_internal.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.