The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security vulnerability impacting PaperCutNG/MF print management software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerability, tracked as CVE-2023-2533 (CVSS score: 8.4), is a cross-site request forgery (CSRF) bug that could result in remote code execution.
“PaperCut NG/MF contains a cross-site request forgery (CSRF) vulnerability, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code,” CISA said in an alert.
PaperCut NG/MF is commonly used by schools, businesses, and government offices to manage print jobs and control network printers. Because the admin console typically runs on internal web servers, an exploited vulnerability here could give attackers an easy foothold into broader systems if overlooked.
In a potential attack scenario, a threat actor could leverage the flaw to target an admin user with a current login session, and deceive them into clicking on a specially crafted link that leads to unauthorized changes.
It’s currently not known how the vulnerability is being exploited in real-world attacks. But given that shortcomings in the software solution have been abused by Iranian nation-state actors as well as e-crime groups like Bl00dy, Cl0p, and LockBit ransomware for initial access, it’s essential that users apply necessary updates, if not already.
At the time of writing, no public proof-of-concept is available, but attackers could exploit the bug through a phishing email or a malicious site that tricks a logged-in admin into triggering the request. Mitigation requires more than patching—organizations should also review session timeouts, restrict admin access to known IPs, and enforce strong CSRF token validation.
Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to update their instances to a patched version by August 18, 2025.
Admins should cross-check with MITRE ATT&CK techniques like T1190 (Exploit Public-Facing Application) and T1071 (Application Layer Protocol) to align detection rules. For broader context, tracking PaperCut incidents in relation to ransomware entry points or initial access vectors can help shape long-term hardening strategies.
