PaperCut NG/MF Vulnerability (CVE-2023-2533) Under Active Exploitation, Allows Remote Code Execution
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding the active exploitation of a critical vulnerability in the widely used print management software PaperCut NG and MF. The flaw, designated CVE-2023-2533, is a Cross-Site Request Forgery (CSRF) vulnerability that enables remote attackers to execute arbitrary code on the server if a system administrator is lured into clicking a specially crafted link. The attack is viable only while the administrator has an active session.
PaperCut reports that its products are deployed across more than 70,000 organizations worldwide (including educational institutions, corporations, and government agencies), serving over 100 million users. Although the bug was patched in June 2023, CISA warns that the vulnerability remains under active exploitation. The agency has directed all U.S. federal civilian agencies to remediate the flaw by August 18, in compliance with Binding Operational Directive (BOD) 22-01, which compels federal entities to promptly mitigate known exploited vulnerabilities.
While specific details of current attacks have not been disclosed, the cybersecurity group Shadowserver has identified over 1,100 PaperCut NG and MF servers exposed to the internet. Not all of these are necessarily vulnerable to CVE-2023-2533, but even a single unpatched instance within critical infrastructure poses a significant risk.
This is not the first time PaperCut has been thrust into the spotlight due to security issues. In early 2023, the platform’s servers became targets for ransomware groups, including LockBit and Clop. These groups exploited CVE-2023-27350, which permitted unauthenticated remote code execution, and CVE-2023-27351, a flaw that led to the leakage of sensitive information.
Microsoft confirmed the involvement of these threat actors and later reported that Iranian hackers linked to APT groups MuddyWater and APT35 had joined the fray. These attackers exploited the platform’s “print archiving” feature, which stores copies of all printed documents, granting access to potentially sensitive corporate data.
CISA added CVE-2023-27350 to its Known Exploited Vulnerabilities Catalog on April 21, 2023, and provided a three-week window for remediation. Subsequently, in collaboration with the FBI, the agency issued a joint advisory highlighting Bl00dy Ransomware attacks targeting educational institutions, where PaperCut deployments are particularly prevalent.
Against the backdrop of these widespread compromises, CISA urges not only federal agencies but also private-sector organizations to prioritize patching and securing their systems. The agency emphasizes that such vulnerabilities are staple tools in the arsenals of malicious actors and pose a tangible threat to the integrity of global digital infrastructure.