Friday, April 17, 2026

CISA Issues Warning on Exploited PaperCut RCE Vulnerability in Ongoing Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting PaperCut NG/MF print management software to its Known Exploited Vulnerabilities (KEV) catalog, warning that the vulnerability is being actively exploited in the wild.

The vulnerability, tracked as CVE-2023-2533, represents a significant threat to organizations using the popular print management solution.

The newly cataloged vulnerability is a cross-site request forgery (CSRF) vulnerability that affects PaperCut NG and MF print management systems. This security weakness presents several critical concerns for organizations:

  • Remote Code Execution Capability: Under specific conditions, attackers can potentially execute arbitrary code on affected systems, giving them significant control over compromised infrastructure.
  • Security Settings Manipulation: The vulnerability allows malicious actors to alter critical security configurations, potentially disabling protective measures or creating backdoors.
  • CWE-352 Classification: The vulnerability falls under Common Weakness Enumeration 352 (Cross-Site Request Forgery), meaning the web application does not sufficiently verify that a request was intentionally submitted by the user it appears to come from.
  • Authentication Bypass Mechanism: CSRF vulnerabilities exploit the trust that a web application places in an authenticated user's session, so a forged request is processed as that user's own action and the attacker can trigger unauthorized actions without holding credentials.

What makes this vulnerability particularly dangerous is its potential for remote code execution (RCE), which would give attackers significant control over compromised systems.

In the context of PaperCut’s print management environment, successful exploitation could lead to complete system compromise and lateral movement within organizational networks.

The timing of CISA's warning, issued on July 28, 2025, indicates that threat actors are actively exploiting this vulnerability in real-world attacks, making immediate action critical for affected organizations.

PaperCut RCE Vulnerability

While CISA has confirmed active exploitation of CVE-2023-2533, the agency has marked the ransomware campaign usage as “Unknown,” indicating uncertainty about whether this vulnerability has been incorporated into ransomware attack chains.

This designation suggests that while the vulnerability is being exploited, CISA has not yet confirmed its use specifically in ransomware operations.

The uncertainty around ransomware usage doesn’t diminish the threat level, as print management systems like PaperCut often serve as critical infrastructure components with extensive network access.

Successful exploitation could provide attackers with a foothold for broader network compromise, potentially leading to data theft, system disruption, or eventual ransomware deployment.

Organizations should treat this vulnerability with the same urgency typically reserved for ransomware-linked threats, given the potential for escalation and the confirmed active exploitation.

Mitigations

CISA has established an August 18, 2025 deadline for federal agencies to address this vulnerability, following the requirements outlined in Binding Operational Directive 22-01.

Private sector organizations are strongly encouraged to follow the same timeline to protect their networks.

The recommended actions include applying mitigations according to vendor instructions or following applicable BOD 22-01 guidance for cloud-based services.

Organizations unable to implement adequate mitigations should consider discontinuing use of affected PaperCut products until proper security measures can be deployed.

System administrators should immediately inventory their PaperCut deployments, apply available security updates, and implement additional network segmentation where possible.
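As an added illustration (not code from CISA, PaperCut, or this publication), the inventory step can be scripted by matching an asset list against a KEV-style record and tracking the remediation deadline. The record below is constructed from the values reported in this article using the field names of CISA's KEV JSON feed; the hostnames, the inventory format and the `patched` flag are assumptions.

```python
import json
from datetime import date

# Constructed KEV-style record: field names follow CISA's KEV JSON feed,
# values are the ones reported in the article (not fetched from CISA).
KEV_JSON = """
{"vulnerabilities": [{
  "cveID": "CVE-2023-2533",
  "vendorProject": "PaperCut",
  "product": "NG/MF",
  "dueDate": "2025-08-18",
  "knownRansomwareCampaignUse": "Unknown"
}]}
"""

# Constructed asset inventory (hypothetical hosts; "patched" is an assumed
# flag set once the vendor's fixed release has been installed).
INVENTORY = [
    {"host": "print01.example.internal", "software": "PaperCut MF", "patched": False},
    {"host": "print02.example.internal", "software": "PaperCut NG", "patched": True},
    {"host": "files01.example.internal", "software": "Samba", "patched": False},
]

def matches(entry, software):
    """True if the software string names the KEV vendor and one listed product."""
    name = software.lower()
    products = [p.strip().lower() for p in entry["product"].split("/")]
    return entry["vendorProject"].lower() in name and any(p in name.split() for p in products)

def triage(kev_json, inventory, today):
    """Return one finding per unpatched host that runs a KEV-listed product."""
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        for asset in inventory:
            if asset["patched"] or not matches(entry, asset["software"]):
                continue
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "days_left": days_left,
                "overdue": days_left < 0,
                # Reported for context only: "Unknown" does not lower urgency.
                "ransomware_use": entry["knownRansomwareCampaignUse"],
            })
    return findings

if __name__ == "__main__":
    for finding in triage(KEV_JSON, INVENTORY, date(2025, 8, 1)):
        print(finding)
```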

The inclusion in CISA’s KEV catalog serves as a clear signal that this vulnerability poses an immediate and significant risk to organizational security, warranting the highest priority in vulnerability management programs.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
