CISA Issues Alert on PaperCut RCE Vulnerability Under Active Exploitation

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical PaperCut vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning organizations of active exploitation attempts targeting the widely used print management software.

The vulnerability, tracked as CVE-2023-2533, represents a significant security risk that could allow attackers to execute arbitrary code on affected systems.

Critical Vulnerability Details

CVE-2023-2533 affects PaperCut NG and MF print management solutions, stemming from a cross-site request forgery (CSRF) vulnerability. 

This security flaw, classified under Common Weakness Enumeration CWE-352, creates a dangerous pathway for cybercriminals to manipulate system configurations and potentially gain unauthorized access to organizational networks.

The vulnerability’s severity lies in its potential to enable attackers to alter critical security settings or execute arbitrary code under specific conditions. 

This capability transforms what might initially appear as a simple CSRF issue into a remote code execution (RCE) threat, significantly amplifying the potential impact on affected organizations.

PaperCut’s print management solutions are extensively deployed across various sectors, including educational institutions, healthcare facilities, and corporate environments.

The widespread adoption of these systems makes this vulnerability particularly concerning for cybersecurity professionals monitoring enterprise security landscapes.

CISA’s decision to include CVE-2023-2533 in the KEV catalog, announced on July 28, 2025, indicates that threat actors are already leveraging this vulnerability in real-world attacks. 

While the agency has not definitively linked the vulnerability to ransomware campaigns, the “Unknown” ransomware status in the catalog entry suggests ongoing investigation into potential connections with organized cybercriminal groups.

The active exploitation designation carries serious implications for organizations running vulnerable PaperCut installations.

Cybersecurity experts emphasize that KEV catalog inclusion typically reflects confirmed evidence of attacks in the wild, making immediate remediation efforts critical for maintaining organizational security posture.

Organizations have until August 18, 2025, to address this vulnerability according to CISA’s directive. 

The agency recommends applying mitigations according to vendor instructions as the primary remediation approach. 

For organizations utilizing cloud-based PaperCut services, CISA advises following applicable Binding Operational Directive (BOD) 22-01 guidance.

In cases where effective mitigations remain unavailable, CISA recommends discontinuing use of the affected product until adequate security measures can be implemented. 

This guidance underscores the severity of the threat and the urgency with which organizations must respond.

Federal agencies face mandatory compliance with CISA’s directive, while private sector organizations are strongly encouraged to prioritize addressing this vulnerability.

The three-week remediation window provides sufficient time for proper testing and implementation of security updates while maintaining operational continuity.

Security teams should immediately inventory PaperCut installations, assess exposure levels, and coordinate with vendors to implement appropriate protective measures before the August deadline.
