🟢 CVE-2023-2533

CSRF vulnerability in PaperCut NG/MF that requires an admin to click a malicious link while logged in. Despite the high CVSS score and CISA KEV listing, this is not direct server exploitation: it depends on social engineering to trick an administrator.

Risk Level: LOW_RISK

CVSS Score: 8.4

Attack Vector: NETWORK

ATT&CK Tactic: Execution

ATT&CK Technique: T1204 — User Execution

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2023-06-20

Added to CISA KEV: 2025-07-28 (769 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2023-2533 is a high-severity Cross-Site Request Forgery (CSRF) vulnerability affecting PaperCut NG and MF print management software [1].

Active Exploitation and Threat Actor Usage
  • Active Exploitation: The vulnerability is confirmed to be exploited in the wild. CISA added CVE-2023-2533 to its Known Exploited Vulnerabilities (KEV) catalog in July 2025, signaling active exploitation [5] [3].
  • Threat Actor Attribution: As of mid-2025, CISA has not publicly attributed the exploitation of this specific vulnerability to any named threat actor or specific ransomware group [2] [3].
Attack Method and Requirements
  • Method: The vulnerability is a CSRF flaw that can be leveraged to alter security settings or execute arbitrary code [1].
  • Requirements:
    * User Interaction: Successful exploitation typically requires an administrator with an active, authenticated login session to be deceived into clicking a specially crafted, malicious link or interacting with an embedded exploit [1] [2].
    * Network Access: While the exploit is triggered via a link, the target PaperCut server must be reachable by the administrator's browser.
Ransomware and Targeted Attacks
  • While PaperCut servers have been targeted by ransomware gangs in the past (notably via other vulnerabilities like CVE-2023-27350), there is currently no direct evidence linking CVE-2023-2533 specifically to ransomware campaigns [4] [2]. However, the vulnerability's inclusion in the KEV catalog indicates it is considered a serious risk for potential lateral movement and data exfiltration [2].
Impact
  • Successful exploitation allows an attacker to perform unauthorized actions within the PaperCut application, including altering security configurations or achieving remote code execution (RCE) on the underlying server [1] [6].
Affected Versions and Mitigation
  • Status: Organizations are urged to apply the patches provided by PaperCut. Federal agencies in the U.S. were required to identify and patch vulnerable deployments by August 18, 2025, per CISA's Binding Operational Directive (BOD) 22-01 [3]. Users should consult the official PaperCut security advisory for the specific patched versions.

Sources

  1. NVD - CVE-2023-2533

    CVE-2023-2533 Detail. Description. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. This could be exploited if the target is an admin w…

  2. CISA Warns of Ongoing Exploits Targeting PaperCut RCE...

    While not all may be vulnerable to CVE-2023-2533 specifically, their internet-facing status increases the risk of exploitation. The current attacks appear to focus on tricking logged-in admins using malicious links or embedded exploits to trigger the RCE flaw. CISA has not yet released detailed indi…

  3. Organizations Warned of Exploited PaperCut Flaw - SecurityWeek

    Threat actors are exploiting a two-year-old vulnerability in PaperCut that allows them to execute arbitrary code remotely. …

  4. CISA flags PaperCut RCE bug as exploited in attacks, patch now

    PaperCut MF online exposure (Shadowserver). PaperCut flaws exploited by ransomware gangs. Although CISA has no evidence that CVE-2023-2533 is being targeted in ransomware attacks, PaperCut servers have been previously breached by ransomware gangs in 2023 by exploiting a critical, unauthenticated rem…

  5. CVE-2023-2533 - Overview, Insights & Trends

    Get the latest on CVE-2023-2533, including risk score and recommendations. Vulnerability intelligence on trending CVEs from multiple sources. Exploitation typically involves deceiving an administrator with an active login session into clicking a specially crafted, malicious link, potentially leading…

  6. CISA flags PaperCut RCE bug as exploited in attacks, patch now

    CISA warns that threat actors are exploiting a high-severity vulnerability in PaperCut NG/MF print management software, which can allow them to gain remote code execution in cross-site request forgery (CSRF) attacks. The software developer says that more than 100 million users use its products acros…