CVE-2023-2533 — PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability

CVE-2023-2533

PaperCut NG/MF — CSRF Allowing Admin-Level Security Setting Modification or Code Execution

What is PaperCut NG/MF?

PaperCut NG (Next Generation) and MF (Multi-Function) are widely deployed print management platforms used by universities, enterprises, government agencies, and K-12 schools to control and audit printing, copying, and scanning. PaperCut manages user print quotas, tracks usage, and controls access to printers and MFPs. Because PaperCut servers typically sit on internal networks with an admin web interface reachable by print administrators, vulnerabilities in PaperCut have been a recurring target: the platform was heavily exploited in 2023 via the companion vulnerabilities CVE-2023-27350 (unauthenticated remote code execution) and CVE-2023-27351 (unauthenticated information disclosure).

Overview

CVE-2023-2533 is a cross-site request forgery (CSRF) vulnerability in PaperCut NG/MF that, under specific conditions, could allow an attacker to alter security settings or execute arbitrary code by tricking an authenticated administrator into visiting a malicious page or clicking a crafted link. PaperCut disclosed it in June 2023. CISA added it to the KEV catalog over two years later in July 2025, reflecting confirmed active exploitation against unpatched deployments.

Affected Versions

Product | Affected | Fixed
PaperCut NG | Versions prior to the June 2023 security patch | Apply the June 2023 security bulletin update
PaperCut MF | Versions prior to the June 2023 security patch | Apply the June 2023 security bulletin update

Consult PaperCut's security bulletin for the specific version numbers patched.

Technical Details

Cross-site request forgery (CWE-352) exploits the fact that browsers automatically include session credentials (cookies) with any HTTP request to a site, regardless of which site initiated the request. If PaperCut's admin interface lacks proper CSRF protections (anti-CSRF tokens, SameSite cookie policies, or origin validation), an attacker can craft a malicious web page that, when loaded by an authenticated PaperCut administrator's browser, silently sends HTTP requests to the PaperCut admin interface performing actions on the attacker's behalf.
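The three controls named above, shown as an added illustration that is not PaperCut's code and makes no claim about how PaperCut's admin interface is actually implemented: a cookie-only handler that a forged cross-site POST passes, beside a hardened handler that validates the Origin header, checks a session-bound anti-CSRF token, and issues the session cookie with SameSite=Lax. The endpoint, cookie name, header values, setting name and requests are all constructed for this example.

```python
"""Added example: CSRF against a cookie-authenticated admin action, vulnerable vs hardened.
Everything here (session store, cookie name, setting name, origins) is constructed for
the demo and is not taken from PaperCut."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

SERVER_SECRET = b"rotate-me-in-production"               # assumption: server-side secret
TRUSTED_ORIGIN = "https://papercut.example.internal:9192"  # assumption: origin admins log in to

# Constructed session store: one logged-in administrator.
SESSIONS = {"sid-42": {"user": "admin", "admin": True}}


def _origin_of(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


def vulnerable_handler(request, settings):
    """Trusts the session cookie alone. Any page the admin visits can make the browser
    POST here, and the browser attaches the cookie automatically, so this check passes."""
    session = SESSIONS.get(request["cookies"].get("JSESSIONID"))
    if not session or not session["admin"]:
        return 403, "not an admin"
    form = parse_qs(request["body"])
    settings[form["name"][0]] = form["value"][0] == "true"
    return 200, "updated"


def csrf_token(session_id):
    """Synchronizer-style token bound to the session: HMAC(secret, session id).
    A cross-site page cannot read it (same-origin policy), so it cannot forge it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def hardened_handler(request, settings):
    session_id = request["cookies"].get("JSESSIONID")
    session = SESSIONS.get(session_id)
    if not session or not session["admin"]:
        return 403, "not an admin"
    # Control 1: origin validation. Browsers set Origin on cross-site POSTs and page
    # script cannot override it. Fail closed if neither Origin nor Referer is present.
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not origin or _origin_of(origin) != TRUSTED_ORIGIN:
        return 403, "cross-site request rejected"
    # Control 2: anti-CSRF token, compared in constant time.
    form = parse_qs(request["body"])
    supplied = form.get("csrf_token", [""])[0]
    if not hmac.compare_digest(supplied, csrf_token(session_id)):
        return 403, "missing or invalid csrf token"
    settings[form["name"][0]] = form["value"][0] == "true"
    return 200, "updated"


def session_cookie_header(session_id):
    """Control 3: SameSite=Lax makes the browser withhold the cookie on cross-site
    POSTs in the first place, so the forged request arrives unauthenticated."""
    return f"JSESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def forged_request():
    """What the admin's browser sends after loading attacker.example: the session
    cookie is attached automatically (no SameSite set), no token, Origin is the attacker's."""
    return {"headers": {"Origin": "https://attacker.example"},
            "cookies": {"JSESSIONID": "sid-42"},
            "body": "name=security.admin-lockout&value=false"}


def legitimate_request():
    """A POST from the real admin UI: trusted Origin and the session-bound token."""
    return {"headers": {"Origin": TRUSTED_ORIGIN},
            "cookies": {"JSESSIONID": "sid-42"},
            "body": "name=security.admin-lockout&value=false&csrf_token=" + csrf_token("sid-42")}


if __name__ == "__main__":
    weak, strong = {"security.admin-lockout": True}, {"security.admin-lockout": True}
    print("vulnerable:", vulnerable_handler(forged_request(), weak), weak)
    print("hardened:  ", hardened_handler(forged_request(), strong), strong)
    print("hardened (legit):", hardened_handler(legitimate_request(), strong), strong)
```

The Origin check and the token are independent defences; keeping both means a misconfigured reverse proxy that strips Origin does not silently reopen the hole, and the SameSite attribute on the cookie blocks the common case before the server sees the request at all.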

The CVSS vector (PR:H/UI:R/S:C) encodes that the attack needs a high-privilege victim (an administrator) to interact with a malicious resource, while the scope change (S:C) records that a successful attack reaches beyond the vulnerable web application itself: altered security settings affect the printing infrastructure, user data, and connected systems that the PaperCut server controls.

Under specific conditions noted in the PaperCut advisory, the CSRF could be used not just for configuration changes but potentially for code execution on the PaperCut server.

Discovery

Identified by security researchers and disclosed to PaperCut, who issued the June 2023 security bulletin. The long gap between disclosure (June 2023) and CISA KEV addition (July 2025) suggests exploitation was identified in targeted incident response investigations of PaperCut-related intrusions.

Exploitation Context

PaperCut servers were among the most heavily targeted enterprise software platforms in 2023, primarily via CVE-2023-27350 (CVSS 9.8, unauthenticated RCE), which allowed Cl0p, LockBit, and other ransomware groups to compromise universities and enterprises at scale. CVE-2023-2533's CSRF, while less severe than the unauthenticated RCE, represents residual risk in environments that patched the April 2023 critical bugs but remain on older PaperCut versions without the June 2023 security bulletin applied.

Remediation

  1. Apply the June 2023 PaperCut security bulletin update — consult papercut.com/kb/Main/SecurityBulletinJune2023 for the specific version applicable to your PaperCut installation.
  2. Also apply the April 2023 critical patches (CVE-2023-27350, CVE-2023-27351) if not already done — these are higher severity and more commonly exploited.
  3. Restrict admin interface access — PaperCut's admin console should only be accessible from trusted management networks, not from general user networks or the internet.
  4. Enforce admin authentication requirements — ensure admin accounts use strong passwords and where possible, MFA.
  5. Review PaperCut audit logs for unauthorized configuration changes, new admin accounts, or unusual script execution.

Key Details

Property | Value
CVE ID | CVE-2023-2533
Vendor / Product | PaperCut NG/MF
NVD Published | 2023-06-20
NVD Last Modified | 2026-02-26
CVSS 3.1 Score | 8.4
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-352 (Cross-Site Request Forgery)
CISA KEV Added | 2025-07-28
CISA KEV Deadline | 2025-08-18
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric | Value
Attack Vector | Network
Attack Complexity | Low
Privileges Required | High
User Interaction | Required
Scope | Changed
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2025-08-18. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2023-06-20 | PaperCut publishes June 2023 security bulletin disclosing CVE-2023-2533
2025-07-28 | Added to CISA Known Exploited Vulnerabilities catalog
2025-08-18 | CISA BOD 22-01 remediation deadline

References

Resource | Type
PaperCut Security Bulletin June 2023 | Vendor Advisory
NVD — CVE-2023-2533 | Vulnerability Database
CISA KEV Catalog Entry | US Government