
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting the PaperCut NG/MF print management software to its Known Exploited Vulnerabilities (KEV) catalog. The decision comes in light of confirmed reports of active exploitation in real-world environments.
The flaw, identified as CVE-2023-2533 and carrying a CVSS score of 8.4, is a cross-site request forgery (CSRF) vulnerability that can potentially lead to remote code execution. “PaperCut NG/MF contains a cross-site request forgery (CSRF) vulnerability, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code,” CISA said in a security bulletin.
PaperCut NG/MF is widely deployed across educational institutions, businesses, and government entities for managing and securing print infrastructure. The vulnerability primarily affects the software’s administrative console, which often runs on internal web servers. If compromised, it could provide attackers with an initial entry point into larger IT systems, especially if left unpatched.
In a typical exploitation scenario, an attacker could target an administrator actively logged into the system, tricking them into clicking on a maliciously crafted link. This could lead to unauthorized actions being carried out without the user’s consent or knowledge.
While there are no public proof-of-concept exploits available at present, CISA warns that the threat remains significant. Flaws in the software have previously been exploited by state-sponsored actors, including those affiliated with Iran, as well as by cybercriminal groups such as Bl00dy, Cl0p, and LockBit for ransomware deployment and lateral movement.
Security professionals are advised to act quickly. In addition to applying the latest patches, organizations should enhance protection by enforcing strong CSRF token mechanisms, limiting admin panel access to trusted IP ranges, and reviewing session timeout policies.
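As an added illustration of the three controls listed above (not PaperCut's own code), the following Python gate applies a source-IP allowlist, an idle-session timeout, and a synchronizer-token plus Origin check to constructed admin-console requests; the network range, origin, timeout and all function names are assumptions.

```python
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed policy for this illustration (not PaperCut's own settings).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # admin console reachable only from here
IDLE_TIMEOUT_SECS = 15 * 60
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
SITE_ORIGIN = "https://print.example.internal"  # placeholder console origin
@dataclass
class AdminSession:
    last_seen: float
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))  # per-session synchronizer token

@dataclass
class Request:
    method: str
    client_ip: str
    origin: Optional[str]      # browser-set Origin header, None if absent
    csrf_token: Optional[str]  # token echoed back in a form field or header
    now: float                 # arrival time in seconds

def check_admin_request(req: Request, session: AdminSession) -> str:
    """Gate one admin-console request; return 'ok' or the first failed control."""
    ip = ipaddress.ip_address(req.client_ip)
    if not any(ip in net for net in TRUSTED_ADMIN_NETS):
        return "untrusted_source_ip"
    if req.now - session.last_seen > IDLE_TIMEOUT_SECS:
        return "session_expired"
    if req.method in STATE_CHANGING:
        # A forged cross-site request carries a foreign (or no) Origin and cannot
        # read the session token, so either check alone stops the CSRF.
        if req.origin != SITE_ORIGIN:
            return "bad_origin"
        if req.csrf_token is None or not hmac.compare_digest(req.csrf_token, session.csrf_token):
            return "csrf_token_mismatch"
    session.last_seen = req.now  # only legitimate activity extends the session
    return "ok"
def demo() -> List[str]:
    sess = AdminSession(last_seen=1000.0)  # constructed traffic: one legitimate change, then violations
    reqs = [
        Request("POST", "10.1.2.3", SITE_ORIGIN, sess.csrf_token, 1100.0),      # ok
        Request("POST", "10.1.2.3", "https://attacker.example", None, 1200.0),  # bad_origin
        Request("POST", "10.1.2.3", SITE_ORIGIN, None, 1300.0),                 # csrf_token_mismatch
        Request("POST", "203.0.113.5", SITE_ORIGIN, sess.csrf_token, 1400.0),   # untrusted_source_ip
        Request("GET", "10.1.2.3", None, None, 2001.0),                         # session_expired
    ]
    return [check_admin_request(r, sess) for r in reqs]
```

Note that a GET carries no token and still passes the CSRF checks; the gate only demands the token on state-changing methods, which is why the console must never change settings on GET.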
Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies are mandated to patch affected instances by August 18, 2025.
Administrators are also encouraged to consult MITRE ATT&CK techniques T1190 (Exploit Public-Facing Application) and T1071 (Application Layer Protocol) to fine-tune detection rules and strengthen long-term defenses against similar exploitation vectors.