CISA flags PaperCut RCE bug as exploited in attacks, patch now

CISA warns that threat actors are exploiting a high-severity vulnerability in PaperCut NG/MF print management software, which can allow them to gain remote code execution in cross-site request forgery (CSRF) attacks.

The software developer says that more than 100 million users use its products across over 70,000 organizations worldwide.

The security flaw (tracked as CVE-2023-2533 and patched in June 2023) can allow an attacker to alter security settings or execute arbitrary code if the target is an admin with a current login session, and successful exploitation typically requires tricking an admin into clicking a maliciously crafted link.

CISA has yet to share details regarding these ongoing attacks, but it has added the vulnerability to its Known Exploited Vulnerabilities Catalog, giving Federal Civilian Executive Branch (FCEB) agencies three weeks to patch their systems by August 18, as mandated by the November 2021 Binding Operational Directive (BOD) 22-01.

While BOD 22-01 targets U.S. federal agencies, the cybersecurity agency encourages all organizations, including those in the private sector, to prioritize patching this actively exploited security bug as soon as possible.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA cautioned on Monday.

Non-profit security organization Shadowserver currently tracks over 1,100 PaperCut MF and NG servers that are exposed online, although not all are vulnerable to CVE-2023-2533 attacks.

​PaperCut flaws exploited by ransomware gangs

Although CISA has no evidence that CVE-2023-2533 is being targeted in ransomware attacks, PaperCut servers have been previously breached by ransomware gangs in 2023 by exploiting a critical, unauthenticated remote code execution (RCE) vulnerability (CVE–2023–27350) and a high-severity information disclosure flaw (CVE–2023–27351).

In April 2023, Microsoft linked the attacks targeting PaperCut servers to the LockBit and Clop ransomware gangs, who used their access to compromised systems to steal corporate data.

Almost two weeks later, Microsoft also revealed that Iranian state-backed hacking groups (tracked as Muddywater and APT35) also joined the attacks.

As the company explained at the time, the threat actors exploited the ‘Print Archiving’ feature, which is designed to save all documents sent through PaperCut printing servers.

CISA added CVE-2023–27350 to its catalog of actively exploited vulnerabilities on April 21, 2023, ordering U.S. federal agencies to secure their servers by May 12, 2023.

One month later, CISA and the FBI issued a joint advisory warning that the Bl00dy Ransomware gang had also begun exploiting the CVE-2023–27350 RCE vulnerability to gain initial access to the networks of educational organizations.