# cups\_browsed\_external\_internal

**Explanation**

This event is triggered by Netography's Fusion Portal when it detects traffic on UDP port 631 entering your network. This traffic indicates that there are very likely one or more CUPS printer servers exposed to the Internet. Inbound traffic on UDP/631 is associated with CVE-2024-47176, which is part of a longer exploit chain that could lead to Remote Code Execution (RCE) by an attacker.

The event does not necessarily mean that your CUPS servers have been exploited, or are even vulnerable, but you should strongly consider blocking inbound UDP port 631 at the firewall.

**What to Look For**

The exploit chain starting with CVE-2024-47176 works by forcing your CUPS server to request printer details from an attacker-controlled Internet Printing Protocol (IPP) server, which results in a malicious PostScript Printer Description (PPD) file being created on the victim machine. RCE is not achieved until that PPD file is used to print a document.

Once outside access on UDP/631 is restricted, start by checking the victim server for unfamiliar printers, then closely review its outbound connections after this event.
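The outbound review described above can be scripted against exported flow records. The following is an added example, not Fusion's detection model or query language; the record field names (`ts`, `proto`, `src`, `dst`, `dport`), the RFC 1918 definition of "internal" and the 10-minute window are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumptions: RFC 1918 space is "internal"; 10 minutes is the review window.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(minutes=10)
T0 = datetime(2024, 10, 1, 12, 0, 0)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def triage(flows):
    """Map each internal host that received external UDP/631 to its follow-up outbound TCP flows."""
    findings = {}
    for f in sorted(flows, key=lambda f: f["ts"]):
        src_int, dst_int = is_internal(f["src"]), is_internal(f["dst"])
        if f["proto"] == "udp" and f["dport"] == 631 and not src_int and dst_int:
            # Inbound UDP/631 from outside: the condition this event describes.
            hit = findings.setdefault(f["dst"], {"sources": set(), "callbacks": []})
            hit["sources"].add(f["src"])
            hit["last_probe"] = f["ts"]
        elif f["proto"] == "tcp" and src_int and not dst_int and f["src"] in findings:
            # Outbound TCP from a host that received such traffic: candidate IPP fetch to review.
            hit = findings[f["src"]]
            if f["ts"] - hit["last_probe"] <= WINDOW:
                # Keep every destination; flag the ones that also sent the UDP/631 traffic.
                hit["callbacks"].append((f["dst"], f["dport"], f["dst"] in hit["sources"]))
    return findings

def flow(sec, proto, src, dst, dport):
    return {"ts": T0 + timedelta(seconds=sec), "proto": proto, "src": src, "dst": dst, "dport": dport}

# Constructed sample flows (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    flow(0, "udp", "203.0.113.7", "10.1.2.30", 631),      # external -> internal UDP/631
    flow(5, "udp", "10.1.2.44", "10.1.2.30", 631),        # internal browsing, ignored
    flow(10, "tcp", "10.1.2.50", "203.0.113.7", 443),     # host never targeted, ignored
    flow(20, "tcp", "10.1.2.30", "203.0.113.7", 8631),    # targeted host connects back to the sender
    flow(40, "tcp", "10.1.2.30", "198.51.100.9", 443),    # other outbound inside the window
    flow(1800, "tcp", "10.1.2.30", "198.51.100.9", 443),  # outside the window, ignored
]

if __name__ == "__main__":
    for host, hit in triage(SAMPLE_FLOWS).items():
        print(host, sorted(hit["sources"]), hit["callbacks"])
```

Hosts that appear in the result are the ones to check first for unfamiliar printers.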

**Related MITRE ATT\&CK Categories**

[Initial Access, Persistence: External Remote Services, Technique T1133 - Enterprise](https://attack.mitre.org/techniques/T1133)

