CVE-2023-2533
Published: 2023-06-20
Priority: P1, score 84 · Severity: high · CVSS 3.1 base score: 8.8
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (remediation due 2025-08-18) · Exploited in the wild
EPSS: 29.46% (97.9th percentile)
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in
PaperCut NG/MF, which, under specific conditions, could potentially enable
an attacker to alter security settings or execute arbitrary code. This could
be exploited if the target is an admin with a current login session. Exploiting
this would typically involve the possibility of deceiving an admin into clicking
a specially crafted malicious link, potentially leading to unauthorized changes.
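To make the "admin with a current login session clicks a crafted link" path concrete, the following is an added illustration, not PaperCut's code and not taken from the advisory: a hypothetical admin endpoint that enables a scripting feature on a plain GET, beside the same endpoint hardened with the standard CSRF controls (POST only, Origin/Referer pinned to the server's own origin, session-bound token). The /app path and the enablePrintScript and scriptBody parameter names follow the request shape recorded in the IOCs on this page; the JSESSIONID cookie name, the in-memory session store and the server origin are assumptions.

```python
"""CSRF against an admin 'enable scripting' action: a GET-triggered version
beside a hardened one. Added illustration only; not PaperCut's code. The
endpoint, parameter names, cookie name and session store are assumptions
modelled on the /app?enablePrintScript=on&scriptBody=... request shape
shown on this page."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SERVER_ORIGIN = "https://print.example.internal"  # assumed deployment origin
CSRF_SECRET = secrets.token_bytes(32)              # per-process MAC key for tokens
SESSIONS = {"sess-admin-1": {"user": "admin", "role": "admin"}}  # constructed


@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)   # query string
    body: dict = field(default_factory=dict)     # form body
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Settings:
    print_script_enabled: bool = False
    script_body: str = ""


def csrf_token(session_id: str) -> str:
    """Synchroniser token bound to the session via HMAC; the server hands it
    to the admin UI, and a cross-site page cannot read it."""
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _admin_session(req: Request):
    sess = SESSIONS.get(req.cookies.get("JSESSIONID", ""))
    return sess if sess and sess["role"] == "admin" else None


def vulnerable_handler(req: Request, settings: Settings) -> int:
    """State change on GET with only the session cookie as proof. When an
    admin with a live session clicks a link to this URL from an attacker
    page, the browser attaches the cookie and the change goes through."""
    if _admin_session(req) is None:
        return 403
    if req.path == "/app" and req.params.get("enablePrintScript") == "on":
        settings.print_script_enabled = True
        settings.script_body = req.params.get("scriptBody", "")
        return 200
    return 404


def hardened_handler(req: Request, settings: Settings) -> int:
    """Same action with the checks that break a cross-site trigger:
    POST only (a clicked link is a GET), Origin/Referer pinned to our own
    origin (a missing header is rejected too), and a session-bound CSRF
    token compared in constant time."""
    sid = req.cookies.get("JSESSIONID", "")
    if _admin_session(req) is None:
        return 403
    if req.path != "/app":
        return 404
    if req.method != "POST":
        return 405
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != SERVER_ORIGIN and not origin.startswith(SERVER_ORIGIN + "/"):
        return 403
    if not hmac.compare_digest(req.body.get("csrf_token", ""), csrf_token(sid)):
        return 403
    if req.body.get("enablePrintScript") == "on":
        settings.print_script_enabled = True
        settings.script_body = req.body.get("scriptBody", "")
    return 200


def simulate() -> dict:
    """Replay the forged request against both handlers, then a legitimate one."""
    cookie = {"JSESSIONID": "sess-admin-1"}
    forged_get = Request("GET", "/app",
                         params={"enablePrintScript": "on", "scriptBody": "java.lang"},
                         cookies=cookie, headers={"Referer": "https://attacker.example/"})
    forged_post = Request("POST", "/app", body={"enablePrintScript": "on"},
                          cookies=cookie, headers={"Origin": "https://attacker.example"})
    legit_post = Request("POST", "/app",
                         body={"enablePrintScript": "on", "scriptBody": "java.lang",
                               "csrf_token": csrf_token("sess-admin-1")},
                         cookies=cookie, headers={"Origin": SERVER_ORIGIN})
    v, h = Settings(), Settings()
    return {
        "vulnerable_forged_get": vulnerable_handler(forged_get, v),
        "vulnerable_enabled": v.print_script_enabled,
        "hardened_forged_get": hardened_handler(forged_get, h),
        "hardened_forged_post": hardened_handler(forged_post, h),
        "hardened_legit_post": hardened_handler(legit_post, h),
        "hardened_enabled": h.print_script_enabled,
    }
```

Setting SameSite=Lax or Strict on the session cookie is the browser-side complement to these server checks (not modelled here, since the simulation has no browser); on its own it is not sufficient, because Lax still sends the cookie on top-level GET navigations, which is exactly the clicked-link case.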
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| papercut | papercut_mf | < 20.1.8 | 20.1.8 |
| papercut | papercut_mf | >= 21.0.0 < 21.2.12 | 21.2.12 |
| papercut | papercut_mf | >= 22.0.0 < 22.1.1 | 22.1.1 |
| papercut | papercut_ng | < 20.1.8 | 20.1.8 |
| papercut | papercut_ng | >= 21.0.0 < 21.2.12 | 21.2.12 |
| papercut | papercut_ng | >= 22.0.0 < 22.1.1 | 22.1.1 |
| papercut | papercut_ng_mf | >= 22.0.10 < 22.1.1 | 22.1.1 |
Detection & IOCs (extracted from sources)
- url: /app?enablePrintScript=on&scriptBody=java.lang
- path: /app
Suricata rule (ET sid 2063868):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PaperCut MF/NG RCE vis Cross-Site Request Forgery (CVE-2023-2533)"; flow:established,to_server; http.uri; content:"/app|3f|"; startswith; content:"enablePrintScript|3d|on"; fast_pattern; content:"scriptBody|3d|"; content:"java|2e|lang"; distance:0; reference:url,fluidattacks.com/advisories/arcangel; reference:cve,2023-2533; classtype:web-application-attack; sid:2063868; rev:1; metadata:attack_target Server, created_at 2025_08_01, cve CVE_2023_2533, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_08_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Detect HTTP requests to the PaperCut /app endpoint where the URI contains 'enablePrintScript=on' and 'scriptBody=' followed by 'java.lang'; this pattern indicates CSRF-driven RCE exploitation of the Print Script feature. Because the forged request is issued by the victim admin's own browser, its source address is an internal workstation rather than the attacker's host, so deploy the rule on internal segments that can reach the PaperCut server as well as at the perimeter (the rule metadata lists both).
- Monitor for admin sessions receiving externally-crafted requests that modify security settings or enable scripting features, as exploitation requires an authenticated admin session.
- Track internet-exposed PaperCut MF/NG servers; Shadowserver currently observes over 1,100 such servers exposed online, not all of which are patched against CVE-2023-2533.
- Exploitation requires the victim to be an authenticated admin with an active session; short session timeouts shrink the window in which a forged request rides a valid session, and admin MFA reduces exploitability.
- The vendor patch was released in June 2023; the CISA KEV remediation deadline is 2025-08-18. See the vendor advisory at https://www.papercut.com/kb/Main/SecurityBulletinJune2023 for patching guidance.
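As an added example (not part of this page or of the Emerging Threats rule set), the rule's ordered content matches expressed as a log-side check over constructed access-log lines, plus a percent-decoded variant: the wire rule matches literal bytes, so an encoded `%3D` in place of `=` passes it untouched even though the application decodes it before acting. The log format and every sample line are constructed; the field names are assumptions.

```python
"""Log-side check for the request shape in ET sid 2063868 (the Suricata rule
above). Added example, not part of this page or of the Emerging Threats
rule set; the access-log lines and their format are constructed."""
import re
from urllib.parse import unquote_plus

# Combined-log shape (assumed): client - - [time] "METHOD URI PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)


def matches_rule(uri: str) -> bool:
    """Mirror the rule's content matches on the raw URI: starts with /app?,
    contains enablePrintScript=on anywhere, and java.lang appears after
    scriptBody= (the rule's distance:0 makes only that last match relative)."""
    if not uri.startswith("/app?") or "enablePrintScript=on" not in uri:
        return False
    idx = uri.find("scriptBody=")
    return idx != -1 and "java.lang" in uri[idx + len("scriptBody="):]


def matches_rule_decoded(uri: str) -> bool:
    """Same logic after percent-decoding the query. The wire rule matches
    literal bytes, so enablePrintScript%3Don slips past it while the
    application still decodes it; a log-side check should not miss it."""
    path, sep, query = uri.partition("?")
    return matches_rule(path + sep + unquote_plus(query))


def scan_log(lines):
    """Return one hit per matching line, flagging which variant fired."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = m.group("uri")
        raw, dec = matches_rule(uri), matches_rule_decoded(uri)
        if raw or dec:
            hits.append({"ip": m.group("ip"), "uri": uri,
                         "status": int(m.group("status")),
                         "wire_rule_hit": raw, "decoded_hit": dec})
    return hits


# Constructed sample lines. Because the exploit is CSRF, the source address
# is the admin's own workstation, not the attacker's.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Aug/2025:10:00:01 +0000] "GET /app?enablePrintScript=on&scriptBody=java.lang.System HTTP/1.1" 200',
    '10.0.0.5 - - [01/Aug/2025:10:00:02 +0000] "GET /app?enablePrintScript%3Don&scriptBody%3Djava.lang HTTP/1.1" 200',
    '10.0.0.9 - - [01/Aug/2025:10:00:03 +0000] "GET /app?service=page/Home HTTP/1.1" 200',
    '10.0.0.9 - - [01/Aug/2025:10:00:04 +0000] "POST /app HTTP/1.1" 302',
    '10.0.0.7 - - [01/Aug/2025:10:00:05 +0000] "GET /app?scriptBody=java.lang&enablePrintScript=on HTTP/1.1" 403',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 403 on a matching line (the last sample) is still worth a ticket: it shows someone delivered the link, even if the session had already expired.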
CVSS provenance
- NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- VulnCheck: 8.4 HIGH
- CISA: 8.8 HIGH
GHSA
GHSA-fhf9-47gc-m9wc · ghsa_unreviewed · 2023-06-20 · CVE-2023-2533 [HIGH] · CWE-352
Description: identical to the CVE description above.
VulnCheck
PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability · vulncheck · 2023 · CVSS 8.4 · CVE-2023-2533 [HIGH] · CWE-352
PaperCut NG/MF contains a cross-site request forgery (CSRF) vulnerability, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code.
Affected: PaperCut NG/MF
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.hkcert.org/security-bulletin/papercut-multiple-vulnerabilities_20250729; https://8813571.fs1.hubspotusercontent-na1.net/hubfs/8813571/PERISCOPE_VULNINTEL_20250812.pdf; https://www.rapid7.com/cdn/assets/b
CISA
PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability · cisa · 2025-07-28 · CVSS 8.8 · CVE-2023-2533 [HIGH] · CWE-352
Affected: PaperCut NG/MF
Description: PaperCut NG/MF contains a cross-site request forgery (CSRF) vulnerability, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.papercut.com/kb/Main/SecurityBulletinJune2023 ; https://nvd.nist.gov/vuln/detail/CVE-2023-2533
Remediation Due Date: 2025-08-18
Suricata
ET WEB_SPECIFIC_APPS PaperCut MF/NG RCE vis Cross-Site Request Forgery (CVE-2023-2533) · suricata · 2025-08-01 · CVSS 8.4 · CVE-2023-2533 [HIGH]
Rule: sid 2063868, rev 1; full rule text is given under Detection & IOCs above.

Exploits
No public exploits indexed.
BleepingComputer
CISA flags PaperCut RCE bug as exploited in attacks, patch now · blogs_bleepingcomputer · 2025-07-28 · CVSS 8.4 · CVE-2023-2533 [HIGH]
By Sergiu Gatlan
CISA warns that threat actors are exploiting a high-severity vulnerability in PaperCut NG/MF print management software, which can allow them to gain remote code execution in cross-site request forgery (CSRF) attacks.
The software developer says that more than 100 million users use its products across over 70,000 organizations worldwide.
The security flaw (tracked as CVE-2023-2533 and patched in June 2023) can allow an attacker to alter security settings or execute arbitrary code if the target is an admin with a current login session, and successful exploitation typically requires tricking an admin into clicking a maliciously crafted link.
CISA has yet to share details regarding these ongoing attacks, bu
Timeline
- 2023-06-20: Published
- 2025-07-28: Added to CISA KEV
- Exploited in the wild