CISA adds PaperCut NG/MF CSRF vulnerability to KEV catalogue amid active exploitation

3 Min Read

The US Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security vulnerability affecting PaperCut NG/MF print management software to its Known Exploited Vulnerabilities (KEV) catalogue, citing evidence of active exploitation in the wild.

The vulnerability, tracked as CVE-2023-2533 (CVSS score: 8.4), is a cross-site request forgery (CSRF) bug that could lead to remote code execution.

“PaperCut NG/MF contains a cross-site request forgery (CSRF) vulnerability that could allow an attacker to change security settings or execute arbitrary code under certain conditions,” CISA said in an alert.

PaperCut NG/MF is commonly used by schools, businesses and government agencies to manage print jobs and control network printers. Because the management console typically runs on an internal web server, a vulnerability in it could give an attacker a foothold into the wider network if the flaw is overlooked.

In a potential attack scenario, a threat actor could target an administrator who has an active login session and trick them into clicking a specially crafted link, resulting in unauthorized changes.

It is currently not known how the vulnerability is being exploited in real-world attacks. However, given that flaws in the software have previously been abused for initial access by Iranian nation-state actors and e-crime groups such as the Bl00dy, Cl0p and LockBit ransomware operations, it is essential that users apply the necessary updates if they have not already done so.

At the time of writing, a public proof of concept is not available, but attackers could exploit the bug via phishing emails or malicious sites that trick a logged-in administrator into triggering the forged request. Mitigation requires more than patching: organisations should review session timeouts, restrict administrative access to known IP addresses, and enforce strong CSRF token validation.
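As an added illustration of the mitigations listed above (not code from PaperCut or from CISA), the following Python sketch of a settings-change handler applies the checks an administrative console should perform before accepting a change; the console hostname, the admin subnet and the setting name are assumed, and the session and request objects are constructed stand-ins.

```python
import hashlib, hmac, ipaddress, secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed stand-ins for a management console's session and request objects.
@dataclass
class Session:
    id: str
    csrf_secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
@dataclass
class Request:
    method: str
    remote_addr: str
    headers: dict
    form: dict
CONSOLE_ORIGIN = "https://print-admin.example.internal"  # assumed console hostname
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]     # assumed admin subnet

def issue_csrf_token(session: Session) -> str:
    # Synchronizer token from a per-session secret; only the console's own forms carry it.
    return hmac.new(session.csrf_secret, session.id.encode(), hashlib.sha256).hexdigest()

def validate_admin_request(req: Request, session: Session) -> tuple:
    """Return (allowed, reason) for a settings-change request to the admin console."""
    # 1. Administrative endpoints are reachable only from the allow-listed subnet.
    if not any(ipaddress.ip_address(req.remote_addr) in net for net in ADMIN_NETS):
        return False, "source address outside admin allowlist"
    # 2. A settings change must never ride on a GET: clicking a link must not mutate state.
    if req.method not in ("POST", "PUT", "DELETE"):
        return False, "state change attempted via safe method"
    # 3. The request must come from the console itself (Origin, falling back to Referer).
    parsed = urlparse(req.headers.get("Origin") or req.headers.get("Referer") or "")
    if f"{parsed.scheme}://{parsed.netloc}" != CONSOLE_ORIGIN:
        return False, "cross-site or missing origin"
    # 4. The per-session token must be present and match, compared in constant time.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), issue_csrf_token(session)):
        return False, "missing or invalid CSRF token"
    return True, "ok"

def demo() -> dict:
    # Constructed requests; in every case the admin's browser sits inside the admin subnet.
    session = Session(id="admin-session-1")
    change = {"setting": "example-security-setting", "value": "off"}  # constructed name
    cases = {
        "link_click": Request("GET", "10.10.0.5", {"Referer": "https://lure.example/"}, change),
        "hidden_form": Request("POST", "10.10.0.5", {"Origin": "https://lure.example"}, change),
        "legitimate": Request("POST", "10.10.0.5", {"Origin": CONSOLE_ORIGIN},
                              {**change, "csrf_token": issue_csrf_token(session)}),
    }
    return {name: validate_admin_request(r, session) for name, r in cases.items()}
```

The first two constructed requests come from the administrator's own browser and so pass the IP allowlist; they are stopped by the method and origin checks, and the token check remains as a last line of defence if a browser strips the Origin and Referer headers.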


Federal Civilian Executive Branch (FCEB) agencies are required to update their instances to a patched version by August 18, 2025, in accordance with Binding Operational Directive (BOD) 22-01.

Administrators should also cross-reference MITRE ATT&CK techniques such as T1190 (Exploit Public-Facing Application) and T1071 (Application Layer Protocol) when tuning detection rules. For wider context, tracking PaperCut incidents that served as ransomware entry points or initial access vectors can help shape long-term hardening strategies.
