cbcvebase.
CVE-2023-2533
published 2023-06-20

CVE-2023-2533: A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, which, under specific conditions, could potentially enable an attacker…

PriorityP184high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2025-08-18
Exploited in the wild
EPSS
29.46%
97.9th percentile
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. This could be exploited if the target is an admin with a current login session. Exploiting this would typically involve the possibility of deceiving an admin into clicking a specially crafted malicious link, potentially leading to unauthorized changes.

Affected

7 ranges
VendorProductVersion rangeFixed in
papercutpapercut_mf< 20.1.820.1.8
papercutpapercut_mf>= 21.0.0 < 21.2.1221.2.12
papercutpapercut_mf>= 22.0.0 < 22.1.122.1.1
papercutpapercut_ng< 20.1.820.1.8
papercutpapercut_ng>= 21.0.0 < 21.2.1221.2.12
papercutpapercut_ng22.0.0 – 22.1.1
papercutpapercut_ng_mf>= 22.0.10 < 2.1.12.1.1

Detection & IOCsextracted from sources · hover to see the quote

url/app?enablePrintScript=on&scriptBody=java.lang
path/app
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PaperCut MF/NG RCE vis Cross-Site Request Forgery (CVE-2023-2533)"; flow:established,to_server; http.uri; content:"/app|3f|"; startswith; content:"enablePrintScript|3d|on"; fast_pattern; content:"scriptBody|3d|"; content:"java|2e|lang"; distance:0; reference:url,fluidattacks.com/advisories/arcangel; reference:cve,2023-2533; classtype:web-application-attack; sid:2063868; rev:1; metadata:attack_target Server, created_at 2025_08_01, cve CVE_2023_2533, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_08_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect HTTP requests to the PaperCut /app endpoint where the URI contains 'enablePrintScript=on' and 'scriptBody=' followed by 'java.lang' — this pattern indicates CSRF-driven RCE exploitation of the Print Script feature.
  • Monitor for admin sessions receiving externally-crafted requests that modify security settings or enable scripting features, as exploitation requires an authenticated admin session.
  • Track internet-exposed PaperCut MF/NG servers; Shadowserver currently observes over 1,100 such servers exposed online, not all of which are patched against CVE-2023-2533.
  • ·Exploitation requires the victim to be an authenticated admin with an active session; enforcing short session timeouts and admin MFA reduces exploitability.
  • ·Vendor patch was released in June 2023; CISA KEV remediation deadline is 2025-08-18. Reference vendor advisory at https://www.papercut.com/kb/Main/SecurityBulletinJune2023 for patching guidance.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck8.4HIGH
cisa8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.