274/68 Wednesday, July 30, 2025
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an official advisory regarding a critical vulnerability-CVE-2023-2533-in PaperCut NG/MF software, which is actively being exploited in cyberattacks. This vulnerability enables remote code execution through Cross-Site Request Forgery (CSRF), allowing an attacker to gain control of a system if an administrator-while still logged in-is tricked into clicking a specially crafted link. Although a patch for this issue was released back in June 2023, continued evidence of exploitation has led CISA to add it to its Known Exploited Vulnerabilities (KEV) Catalog, requiring all U.S. Federal Civilian Executive Branch (FCEB) agencies to apply the patch by August 18, 2025.
According to analysis from Shadowserver, over 1,100 PaperCut NG/MF servers are currently exposed to the internet. While not all are directly vulnerable to CVE-2023-2533, unpatched systems remain at high risk. In 2023, PaperCut servers were previously used as entry points in ransomware campaigns by LockBit and Clop groups, leveraging CVE-2023-27350 (unauthenticated RCE) and CVE-2023-27351 (information disclosure) to steal data, especially via the platform’s Print Archiving feature.
Additionally, Microsoft reported that Iran-linked threat actors such as MuddyWater and APT35 also participated in these attack campaigns, further emphasizing the urgency of patching affected systems.
