On July 28, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability in PaperCut NG/MF to its Known Exploited Vulnerabilities (KEV) catalog, citing confirmed evidence of active exploitation in the wild.
PaperCut NG/MF is widely used print management software, running in 70,000 organizations with 100 million users across the globe. Schools, businesses, and government offices use it to manage print jobs, enforce quotas, reduce waste, and improve document security.
The issue, tracked as CVE-2023-2533, is a cross-site request forgery (CSRF) vulnerability affecting PaperCut NG/MF versions 21.2.0 through 22.0.12. PaperCut addressed the issue in version 22.1.1, and CISA has mandated remediation by August 18, 2025, for U.S. federal agencies.
The flaw could allow threat actors to manipulate security settings or execute privileged actions by tricking an authenticated administrator into clicking a malicious link. It resides in the admin interface, which is often exposed internally, and can be leveraged for lateral movement or privilege escalation.
The software was previously targeted by ransomware groups including LockBit, Clop, and Bl00dy, as well as Iranian state-sponsored actors like MuddyWater and APT35. These groups have used earlier PaperCut vulnerabilities to gain initial access, exfiltrate data, and deploy ransomware payloads.
Analyst insight
To mitigate CVE-2023-2533, organizations should immediately upgrade PaperCut NG/MF to version 22.1.1 or later, which contains the security patch. Access to the admin interface should be restricted through network segmentation and IP-based controls to limit exposure.
Security teams should monitor for unusual activity, such as unauthorized configuration changes or abnormal print job behavior, which may indicate exploitation. Implementing strong session management and CSRF protections can further reduce the risk of compromise.
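One way to support that monitoring is to look for admin-interface requests that did not originate from the admin UI itself. The following is an added example, not PaperCut's or CISA's code; it assumes a reverse proxy in front of the admin interface that writes combined-format access logs, and the host name `print.example.internal`, the `/admin` path prefix and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions, not from the article: a reverse proxy in front of the admin
# interface writes combined-format access logs, the site is served as
# print.example.internal, and admin pages live under /admin.
TRUSTED_HOSTS = {"print.example.internal"}
ADMIN_PREFIX = "/admin"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def classify(line):
    """Return (verdict, fields) for an admin request, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m or not m["path"].startswith(ADMIN_PREFIX):
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        # Typed URLs and bookmarks send no Referer, but so do pages that
        # suppress it, so only state-changing methods are queued for review.
        verdict = "ok" if m["method"] in ("GET", "HEAD") else "review"
    else:
        try:
            host = (urlsplit(referer).hostname or "").lower()
        except ValueError:  # malformed Referer value
            host = ""
        # Exact host match: a substring test would accept look-alike hosts.
        verdict = "ok" if host in TRUSTED_HOSTS else "cross-site"
    return verdict, m.groupdict()

def scan(lines):
    """List admin requests that did not come from the admin UI itself."""
    found = (classify(line) for line in lines)
    return [(v, f["ip"], f["method"], f["path"]) for v, f in filter(None, found) if v != "ok"]

# Constructed sample log lines, not real traffic.
SAMPLE = [
    '10.0.5.20 - - [29/Jul/2025:09:14:02 +0000] "GET /admin/options HTTP/1.1" 200 5120 "https://print.example.internal/admin/home" "Mozilla/5.0"',
    '10.0.5.20 - - [29/Jul/2025:09:15:40 +0000] "POST /admin/options HTTP/1.1" 302 0 "https://unrelated.example.net/page.html" "Mozilla/5.0"',
    '10.0.5.31 - - [29/Jul/2025:09:20:11 +0000] "POST /admin/options HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.5.31 - - [29/Jul/2025:09:21:00 +0000] "GET /user/jobs HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.0.5.44 - - [29/Jul/2025:09:30:05 +0000] "GET /admin/options HTTP/1.1" 200 5120 "https://print.example.internal.example.net/x" "Mozilla/5.0"',
]
```

Requests that arrive with no Referer are only partly covered by this heuristic, so its hits are leads for review and the upgrade to 22.1.1 or later remains the fix.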