Current Cyber Threats

CISA Flags PaperCut RCE Bug as Exploited in Attacks, Patch Now

Summary:
A high-severity vulnerability in PaperCut NG/MF print management software has been added to CISA’s Known Exploited Vulnerabilities Catalog. Tracked as CVE-2023-2533, the flaw is a cross-site request forgery (CSRF) issue that can allow actors to alter security settings or execute arbitrary code upon exploitation. Note: successful exploitation requires the target to be an admin with a current login session. As such, the actor would need to deceive an admin into clicking on a specially crafted malicious link.

Security Officer Comments:
CISA has not disclosed details of the active exploitation attempts. However, vulnerabilities in PaperCut, such as CVE-2023-27350 (RCE) and CVE-2023-27351 (information disclosure), have been exploited in the past by the LockBit and Cl0p ransomware gangs to compromise vulnerable PaperCut servers and steal valuable data, which can be further used to extort victims. According to the Shadowserver Foundation, there are currently 1,100 PaperCut MF and NG servers exposed online. While not all are vulnerable to CVE-2023-2533, this opens the door for similar exploitation opportunities.

Suggested Corrections:
In light of the active exploitation attempts in the wild, CISA is giving federal agencies three weeks to patch their systems, no later than August 18, 2025. While CISA’s directive is for federal agencies, it’s important that all organizations, including those in the private sector, ensure they are running the latest version of PaperCut NG/MF print management software. Implementing network segmentation, having backups of sensitive or valuable data, and enforcing data loss prevention solutions can also be effective at minimizing the impact of potential exploitation attempts.

Link(s):
https://www.bleepingcomputer.com/news/security/cisa-flags-papercut-rce-bug-as-exploited-in-attacks-patch-now/