The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a high-severity remote code execution (RCE) vulnerability in PaperCut NG/MF software as actively exploited in real-world attacks. Organizations using the popular print management solution are now being urged to patch the flaw immediately to prevent further compromise.
PaperCut RCE Vulnerability (CVE-2023-2533) Now Actively Exploited
The vulnerability, tracked as CVE-2023-2533, was first patched in June 2023. It allows attackers to execute arbitrary code or alter security settings on a target system, specifically when an admin is already logged in and is tricked into clicking a malicious link—a classic cross-site request forgery (CSRF) scenario.
PaperCut’s software is used by more than 100 million users across 70,000 organizations globally, making it a high-value target for threat actors. On Monday, CISA added CVE-2023-2533 to its Known Exploited Vulnerabilities Catalog, invoking Binding Operational Directive (BOD) 22-01, which requires all Federal Civilian Executive Branch (FCEB) agencies to apply the patch by August 18, 2025.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA stated.
The agency also strongly recommends that private sector organizations prioritize remediation of this vulnerability without delay.
Thousands of PaperCut Servers Still Exposed Online
The Shadowserver Foundation, a non-profit security group, is currently tracking over 1,100 exposed PaperCut servers online. While not all may be vulnerable to CVE-2023-2533 specifically, their internet-facing status increases the risk of exploitation.
The current attacks appear to focus on tricking logged-in admins using malicious links or embedded exploits to trigger the RCE flaw. CISA has not yet released detailed indicators of compromise or attributed the campaign to any specific threat actor.
Previous PaperCut Flaws Were Targeted by Ransomware Gangs
This is not the first time PaperCut servers have been exploited. In 2023, ransomware operators abused two major vulnerabilities:
- CVE-2023-27350: A critical unauthenticated RCE flaw, added to CISA’s catalog in April 2023.
- CVE-2023-27351: A high-severity information disclosure bug.
In April 2023, Microsoft attributed exploitation of these flaws to ransomware groups LockBit and Clop, who used them to steal corporate data.
State-sponsored actors also entered the fray. Iranian groups APT35 and MuddyWater were found exploiting PaperCut’s Print Archiving feature to gain persistent access and siphon documents routed through affected systems.
Later, the Bl00dy Ransomware Gang leveraged CVE-2023-27350 in targeted attacks against educational institutions, according to a joint alert by CISA and the FBI.
Enterprise Organizations Urged to Patch and Review Exposure
While CISA has yet to attribute CVE-2023-2533 exploitation to ransomware activity, the agency’s inclusion of this vulnerability in its Known Exploited Vulnerabilities Catalog indicates serious concern over potential lateral movement and data exfiltration.
Organizations running PaperCut NG/MF should:
- Apply the June 2023 patch immediately.
- Audit PaperCut server exposure to the internet.
- Review logs for signs of CSRF-based exploitation.
- Educate admins on phishing risks and suspicious links.
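For the log-review step above, one starting point is to look for state-changing requests that reached the admin interface from another site. The following is an added example, not PaperCut or CISA code; it assumes the server sits behind a reverse proxy writing combined-format access logs, and the hostname, paths and log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumptions: combined-format reverse-proxy log; hypothetical admin hostname.
TRUSTED_HOSTS = {"print.example.internal"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def classify(line, trusted_hosts=TRUSTED_HOSTS):
    """Return (reason, fields) for a suspicious state-changing request, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] not in STATE_CHANGING:
        return None  # unparsable line or a read-only request
    referer = m["referer"]
    if referer in ("", "-"):
        # The sending page can suppress Referer, so a write without one is
        # worth a manual look but is weaker evidence than a foreign host.
        return ("missing-referer", m.groupdict())
    host = (urlsplit(referer).hostname or "").lower()
    if host not in trusted_hosts:  # exact match, so look-alike hosts fail
        return ("cross-site-referer", m.groupdict())
    return None

def review(lines, trusted_hosts=TRUSTED_HOSTS):
    """Classify every line and keep only the findings."""
    return [hit for hit in (classify(l, trusted_hosts) for l in lines) if hit]

# Constructed sample lines (not taken from any real server).
SAMPLE_LOG = [
    '10.0.5.20 - - [28/Jul/2025:09:14:02 +0000] "GET /app HTTP/1.1" 200 5120 "https://print.example.internal/app" "Mozilla/5.0"',
    '10.0.5.20 - - [28/Jul/2025:09:15:40 +0000] "POST /app HTTP/1.1" 200 812 "https://print.example.internal/app" "Mozilla/5.0"',
    '10.0.5.20 - - [28/Jul/2025:09:31:07 +0000] "POST /app HTTP/1.1" 200 640 "https://docs-share.example.net/invoice.html" "Mozilla/5.0"',
    '10.0.5.31 - - [28/Jul/2025:10:02:55 +0000] "POST /app HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '10.0.5.20 - - [28/Jul/2025:10:44:19 +0000] "POST /app HTTP/1.1" 302 0 "https://print.example.internal.files.example/x" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for reason, f in review(SAMPLE_LOG):
        print(f'{f["ts"]} {f["ip"]} {f["method"]} {f["path"]} {reason} referer={f["referer"]}')
```

Hits are leads for manual review rather than proof of exploitation; correlate each with the admin account that was logged in at that time and with any configuration change recorded shortly afterwards.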