Cybersecurity authorities at CISA have just added a serious flaw in PaperCut NG/MF print management software to their Known Exploited Vulnerabilities Catalog, marking it as actively exploited. This vulnerability, tracked as CVE-2023-2533, is a cross-site request forgery issue that attackers are currently using to target organizations globally. CISA officially listed this vulnerability on July 28, 2025, and gave federal agencies a deadline of August 18, 2025, to fix it under their mandatory security directive.
This CSRF vulnerability has a high severity, with a CVSS score around 8.4–8.8 depending on the assessment. It allows attackers to trick an authenticated administrator into executing harmful actions, like changing security settings or running malicious code, just by clicking a specially crafted link. Because PaperCut usually runs on internal servers with administrative access, this flaw could allow attackers to dig deeper into the organization’s network.
PaperCut NG and MF software are used by more than 70,000 organizations globally. These platforms manage print infrastructure across schools, businesses, hospitals, and government departments. Since the software sits deep within internal networks, a single exploited flaw can potentially give attackers access to highly sensitive systems.
The way this flaw is being exploited is surprisingly simple. An attacker might send a phishing email or build a malicious webpage. If an admin who’s already logged into PaperCut’s interface clicks on the link, the vulnerability can be triggered automatically in the background. This allows the attacker to hijack that admin session and make unauthorized changes on the server.
So far, there’s no direct confirmation that this specific CSRF flaw has been used in ransomware attacks. But earlier PaperCut vulnerabilities have definitely been used by major ransomware groups like LockBit, Cl0p, and Bl00dy, as well as by state-sponsored threat actors. These groups have previously used remote code execution flaws in PaperCut to gain entry and launch attacks across entire networks.
Now that CISA has added this CSRF issue to its KEV Catalog, federal agencies are legally required to fix it by August 18. Private companies and educational institutions are also strongly advised to update their systems immediately. This is a clear sign that the flaw is dangerous, being actively exploited, and can no longer be ignored.
To stay protected, organizations should install the official patch released in June 2023, which completely fixes this vulnerability. On top of that, PaperCut administrators should restrict access to the web admin console, allow only trusted IPs, use strong login credentials, and closely monitor any strange behavior in admin activity logs.
Another key protection tip is network segmentation. Print servers often live in the most trusted parts of the network. By isolating them, the risk of lateral movement in case of a breach can be greatly reduced. IT teams should also scan their networks for any outdated or exposed PaperCut servers that may still be vulnerable.
This whole situation serves as a strong reminder that even simple bugs like CSRF can quickly lead to serious attacks if ignored. Because PaperCut plays such an important role inside networks, any exploit here could become a launching point for larger compromises.
In short, CVE-2023-2533 is not just another technical glitch. It’s a real-world threat in widely used software, now under active exploitation. If your organization uses PaperCut NG or MF, it’s time to patch, review your configurations, and strengthen access controls, before attackers take advantage.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news
