On July 28, 2025, CISA added CVE‑2023‑2533, an 8.4 (High) severity Cross‑Site Request Forgery (CSRF) vulnerability in PaperCut NG/MF, to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation in the wild.
This inclusion triggers a mandatory remediation deadline of August 18, 2025 for Federal Civilian Executive Branch (FCEB) agencies under Binding Operational Directive 22‑01, and serves as a critical warning to all organizations to prioritize patching.
Key Details
- Vulnerability Type: CWE‑352 Cross‑Site Request Forgery
- Attack Vector: Network (web interface)
- Attack Complexity: Low (no special conditions beyond a logged‑in admin)
- CVSS v3.1 Base Score: 8.4 (High)
- Affected Versions: PaperCut NG/MF 21.2.0 through 22.0.12 (inclusive) on Windows, Linux, and macOS
- Patched: Upgrade to PaperCut NG/MF version 22.1.1 or later
How the Attack Unfolds
Attackers first identify that PaperCut NG/MF 22.0.10’s web administration console fails to enforce anti‑CSRF tokens on critical configuration endpoints. By experimenting with both POST and GET requests, researchers discovered they could bypass origin checks and silently issue configuration changes via hidden iframes or auto‑submitting forms. These requests target URLs responsible for enabling print scripting, disabling sandbox protections, and uploading arbitrary scripts, all without triggering any CSRF defense mechanism in the backend.
Once the exploit page is crafted, the adversary employs phishing or similar social‑engineering techniques to entice an authenticated administrator to merely load the malicious link. As soon as the admin’s browser visits the page, the chained requests execute with the admin’s privileges, reconfiguring the server to accept attacker‑supplied print scripts.
The attacker then stages a payload across one or more printer IDs so that any subsequent user‑initiated print job invokes the injected code, granting persistent remote code execution on the PaperCut service. Real‑world attacks leveraging this CSRF‑to‑RCE chain have been observed in active campaigns.
Impact & Exploitation
Successful exploitation allows an attacker to:
- Alter critical security settings remotely (e.g., disable sandboxing, enable print scripting).
- Inject arbitrary code that executes when any user on the network submits a print job to a compromised printer.
- Establish persistent footholds across an enterprise network via print‑job workflows.
Proof‑of‑concept exploits, such as chaining hidden iframes to manipulate the admin console and mass‑inject malicious scripts across printer IDs, have been publicly demonstrated.
Anecdotal reports indicate this bug is being incorporated into ransomware and automated attack toolkits as an initial access vector.
Mitigation & Recommendations
- Immediate Patch: Apply vendor‑supplied updates to reach version 22.1.1 or newer.
- Network Segmentation: Restrict access to the PaperCut admin interface via IP whitelisting and network zones.
- Harden Configurations:
  - Enforce anti‑CSRF tokens on all admin endpoints.
  - Disable unused scripting and external executable permissions in security.properties.
- Incident Response: In case of suspected compromise, isolate affected hosts, perform full endpoint scans, and audit PaperCut configuration changes.
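The GET/POST bypass described under "How the Attack Unfolds" and the "enforce anti‑CSRF tokens" item above are illustrated by the following added example, which is not PaperCut's code: a framework‑agnostic gate for configuration‑changing admin endpoints that refuses state changes on GET (a hidden iframe fires those silently), checks Origin/Referer against the console's exact origin, and validates a per‑session synchronizer token. The console URL, the `scripting` form field and the lure host are assumed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ADMIN_ORIGIN = "https://papercut.example.internal:9192"  # assumed console URL (placeholder)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

def issue_token(session: dict) -> str:
    """Synchronizer token: one random secret per admin session, echoed in every form."""
    return session.setdefault("csrf_token", secrets.token_urlsafe(32))

def same_origin(url: str) -> bool:
    """Exact scheme://host:port match (a prefix check would accept host:91920)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == ADMIN_ORIGIN

def check_csrf(req: Request, session: dict) -> tuple[bool, str]:
    """Gate for config-changing admin endpoints; returns (allowed, reason)."""
    # A token cannot protect a GET: a hidden <iframe src=...> fires it silently.
    if req.method not in STATE_CHANGING:
        return False, f"state change attempted with safe method {req.method}"
    # Browsers attach Origin (or Referer) to cross-site posts; a lure page cannot forge ours.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not same_origin(origin):
        return False, f"cross-origin request from {origin or '<none>'}"
    # The submitted token must equal the one bound to this admin's session.
    expected, supplied = session.get("csrf_token", ""), req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid anti-CSRF token"
    return True, "ok"

def demo() -> dict:
    """Constructed traffic: one legitimate admin submit and two cross-site attempts."""
    session = {}
    token = issue_token(session)
    cases = {  # the 'scripting' field is a hypothetical name, not a PaperCut setting
        "legit": Request("POST", {"Origin": ADMIN_ORIGIN}, {"csrf_token": token, "scripting": "on"}),
        "iframe_get": Request("GET", {"Referer": "https://lure.example/"}),
        "auto_form": Request("POST", {"Origin": "https://lure.example"}, {"scripting": "on"}),
    }
    return {name: check_csrf(req, session) for name, req in cases.items()}
```

Only the legitimate submission passes; the hidden‑iframe GET and the auto‑submitting cross‑site form are both refused before any configuration change is applied.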
If you need assistance in reconfiguring your PaperCut deployment, or responding to an active incident, OP Innovate is ready to assist at any time. Contact us now for immediate support.
Stay Safe. Stay Secure.
OP Innovate Research Team