
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new warning about a serious vulnerability in PaperCut NG/MF print management software that is currently being exploited in cyberattacks. The bug, tracked as CVE-2023-2533, allows remote code execution (RCE) through cross-site request forgery (CSRF), and attackers are actively abusing it in the wild.
PaperCut is a widely used print management solution, with over 100 million users across more than 70,000 organizations worldwide. It is often deployed in educational institutions, businesses, and government agencies to control and monitor printer usage.
The vulnerability CVE-2023-2533 was originally patched in June 2023. However, many systems remain unpatched and vulnerable. This flaw allows attackers to change security settings or run malicious code remotely — if the victim is a logged-in administrator. To succeed, attackers usually send a malicious link to trick an admin into clicking it, triggering the CSRF attack.
CISA has now added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, which is a list of security bugs actively used by hackers. All Federal Civilian Executive Branch (FCEB) agencies are required to fix this issue by August 18, 2025, as mandated by Binding Operational Directive (BOD) 22-01.
Although the directive applies specifically to U.S. federal agencies, CISA is strongly recommending that all organizations, including those in the private sector, urgently patch their PaperCut servers.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned.
In simple terms, any organization that uses PaperCut and hasn’t applied the fix is at high risk of being hacked.

According to Shadowserver, a non-profit cybersecurity organization that monitors online threats, over 1,100 PaperCut NG and MF servers are currently exposed to the internet. While not all of these are vulnerable to CVE-2023-2533, the sheer number is worrying.
Moreover, this is not the first time PaperCut software has been targeted. In 2023, two other vulnerabilities—CVE-2023-27350 (a critical unauthenticated RCE flaw) and CVE-2023-27351 (a high-severity information disclosure bug)—were exploited by ransomware groups to breach organizations.
In April 2023, Microsoft linked attacks exploiting PaperCut to well-known ransomware gangs LockBit and Clop, who used their access to steal sensitive company data.
Later that month, Microsoft also confirmed that state-sponsored hackers from Iran, known as MuddyWater and APT35, had begun targeting PaperCut systems as well. These attackers specifically exploited the software’s Print Archiving feature, which stores all documents processed through the system, making it an attractive target for data theft.
As a result, CISA added CVE-2023-27350 to its exploited vulnerabilities catalog in April 2023, and gave federal agencies a deadline to secure their systems by May 12, 2023.
In May 2023, a joint advisory by CISA and the FBI revealed that the Bl00dy Ransomware gang had also begun using CVE-2023-27350 to breach educational institutions.
If your organization uses PaperCut NG or MF, it is critical to check whether your version is up to date. Even if you patched older vulnerabilities, this new advisory means you may still be exposed if CVE-2023-2533 is unpatched.
Recommended Actions:
Immediately update PaperCut software to the latest secure version released after June 2023.
Inform your IT team and ensure that admins are aware of the CSRF risk and are cautious with suspicious links.
Monitor your PaperCut server logs for any unusual activity.
Segment your network to reduce exposure of printing services to the internet.
Use Web Application Firewalls (WAFs) and endpoint detection tools for extra layers of defense.
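One way to act on the log-monitoring item above, as an added example that is not code from CISA or PaperCut: it assumes a reverse proxy in front of the print server writes combined-format access logs, and it flags state-changing requests whose Referer names a host other than the server itself, which is the trace a CSRF request launched from an outside page tends to leave. The hostnames, paths and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format: ip - user [time] "METHOD path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def cross_site_writes(lines, own_hosts):
    """Return state-changing requests whose Referer host is not one of own_hosts."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] not in STATE_CHANGING:
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            continue  # no Referer sent: this field alone cannot judge the request
        ref_host = (urlsplit(referer).hostname or "").lower()
        if ref_host not in own:
            hits.append({"time": m["time"], "ip": m["ip"], "method": m["method"],
                         "path": m["path"], "status": int(m["status"]),
                         "referer_host": ref_host})
    return hits

# Constructed sample lines (invented hosts, paths and addresses).
SAMPLE = [
    '10.0.0.5 - admin [28/Jul/2025:09:14:02 +0000] "POST /admin/settings HTTP/1.1" '
    '200 512 "https://print.example.internal/admin/settings" "Mozilla/5.0"',
    '10.0.0.5 - admin [28/Jul/2025:09:20:41 +0000] "POST /admin/settings HTTP/1.1" '
    '200 498 "https://news.example.net/story" "Mozilla/5.0"',
    '10.0.0.9 - - [28/Jul/2025:09:21:10 +0000] "GET /login HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
    '10.0.0.7 - admin [28/Jul/2025:09:25:33 +0000] "POST /admin/settings HTTP/1.1" '
    '200 500 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in cross_site_writes(SAMPLE, {"print.example.internal"}):
        print(hit["time"], hit["ip"], hit["method"], hit["path"],
              "referer:", hit["referer_host"])
```

A hit is a lead to correlate with configuration changes made at the same time, not proof of compromise; requests that carry no Referer are skipped and need other signals.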
The exploitation of PaperCut vulnerabilities by ransomware groups and state-backed hackers shows just how attractive these systems are to attackers. The current warning from CISA about CVE-2023-2533 makes it clear: the threat is real and happening now.
Organizations must treat this as a top-priority issue and patch immediately. Delays in applying updates can lead to data breaches, ransomware infections, and serious operational disruptions.