
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security vulnerability affecting the PaperCut NG/MF print management software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerability, tracked as CVE-2023-2533 (CVSS score: 8.4), is a cross-site request forgery (CSRF) bug that may result in remote code execution.
CISA said in an alert, “PaperCut NG/MF contains a cross-site request forgery (CSRF) vulnerability, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code.”
PaperCut NG/MF is commonly used by schools, businesses and government offices to manage print jobs and control network printers. Because the administrator console usually runs on an internal web server, an exploited vulnerability here can give attackers an easy foothold into broader systems.
In a possible attack scenario, a threat actor can take advantage of the flaw to target an administrator user who has a current login session, tricking them into clicking a specially crafted link that leads to unauthorized changes.
It is currently not known how the vulnerability is being exploited in real-world attacks. But given that shortcomings in the software have been abused by Iranian nation-state actors as well as e-crime groups such as Bl00dy, Cl0p and LockBit ransomware for initial access, it is essential that users apply the necessary updates, if they have not already.
At the time of writing, no public proof-of-concept is available, but attackers can exploit the bug through a phishing email or a malicious site that tricks a logged-in admin into triggering the request. Mitigation requires more than patching: organizations should also review session timeouts, restrict administrator access to known IPs, and implement strong CSRF token verification.
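The three hardening measures named above can be combined into one gate in front of any state-changing admin request. The following sketch is an added example, not PaperCut code or part of the original article; the secret, subnet, timeout, field names and sample requests are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import time

# All values below are constructed for illustration (assumptions, not vendor settings).
SECRET = b"constructed-demo-key"                      # per-deployment signing secret
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]   # assumed admin workstation subnet
IDLE_TIMEOUT = 15 * 60                                # seconds of inactivity allowed


def issue_token(session_id: str) -> str:
    """CSRF token bound to a single session: HMAC-SHA256(secret, session_id)."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_admin_request(req: dict, session: dict, now: float) -> str:
    """Return 'allow', or the reason a state-changing admin request is rejected."""
    if not any(ipaddress.ip_address(req["ip"]) in net for net in ADMIN_NETS):
        return "deny: source IP not in admin allowlist"
    if now - session["last_seen"] > IDLE_TIMEOUT:
        return "deny: session idle timeout"
    expected = issue_token(session["id"]).encode()
    supplied = req.get("csrf_token", "").encode()
    # A forged cross-site request rides the session cookie but cannot read the token.
    if not hmac.compare_digest(expected, supplied):
        return "deny: missing or invalid CSRF token"
    return "allow"


def demo() -> list:
    now = time.time()
    live = {"id": "sess-1", "last_seen": now - 60}
    stale = {"id": "sess-2", "last_seen": now - 3600}
    cases = [  # constructed requests
        ({"ip": "10.20.0.5", "csrf_token": issue_token("sess-1")}, live),
        ({"ip": "10.20.0.5"}, live),                                   # no token
        ({"ip": "10.20.0.5", "csrf_token": issue_token("sess-9")}, live),
        ({"ip": "203.0.113.7", "csrf_token": issue_token("sess-1")}, live),
        ({"ip": "10.20.0.5", "csrf_token": issue_token("sess-2")}, stale),
    ]
    return [check_admin_request(r, s, now) for r, s in cases]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```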
Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to update their instances to a patched version by 18 August 2025.
Admins should cross-check against MITRE ATT&CK techniques such as T1190 (Exploit Public-Facing Application) and T1071 (Application Layer Protocol). For broader context, tracking PaperCut incidents in relation to ransomware entry points or initial access vectors can help shape long-term hardening strategies.