The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a high-severity vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, urging users to patch it before August 18, 2025. Tracked as CVE-2023-2533, the vulnerability in PaperCut NG/MF may allow an attacker to alter security settings or execute arbitrary code.
PaperCut NG and PaperCut MF are both print management software solutions. PaperCut NG is the core print management product; PaperCut MF builds on NG by adding features to manage and track copy, fax, and scan output, particularly on Multi-Function Devices (MFDs). Both products offer web-based administration and user interfaces, allowing management and reporting from any location.
Vulnerability Details
The Cross-Site Request Forgery (CSRF) vulnerability in PaperCut NG/MF allows an attacker to alter security settings or execute arbitrary code under specific conditions. Exploitation requires that the target is an administrator with an active login session and that the attacker deceives that administrator into clicking a specially crafted malicious link, which can lead to unauthorized changes.
Although the vulnerability is being exploited in the wild, no public proof-of-concept is available at the time of writing.
Qualys Threat Intelligence assigned the vulnerability a Qualys Vulnerability Score (QVS) of 95. QVS is a Qualys-assigned score based on multiple factors associated with the CVE, such as its CVSS score and external threat indicators like active exploitation, exploit code maturity, inclusion in the CISA Known Exploited Vulnerabilities catalog, and more.
Affected versions
The vulnerability affects PaperCut NG and MF versions from 21.2.0 to 22.0.12 (inclusive) on all OS platforms.
Mitigation
Users must upgrade to PaperCut NG/MF version 22.1.1 or later to patch the vulnerability.
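A triage helper for the affected-version range and fixed version stated above, added here as an example and not PaperCut's or Qualys's code. It assumes plain "major.minor.patch" version strings (an optional trailing build label after whitespace is ignored) and uses a constructed sample inventory; it also separates the 22.0.13 to 22.1.0 gap, which the advisory text neither lists as affected nor calls fixed, so that hosts in it are not silently marked safe.

```python
# Added example (not vendor code): classify PaperCut NG/MF versions against the
# advisory text: affected 21.2.0 through 22.0.12 inclusive, fixed in 22.1.1.
from typing import Tuple

AFFECTED_MIN = (21, 2, 0)
AFFECTED_MAX = (22, 0, 12)
FIXED = (22, 1, 1)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; missing trailing parts default to 0.
    Anything after the first whitespace (e.g. a build label) is ignored."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty version string")
    parts = tokens[0].split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def triage(text: str) -> str:
    """Return one of: patched, affected, older_than_range, unlisted_below_fix."""
    v = parse_version(text)
    if v >= FIXED:
        return "patched"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v < AFFECTED_MIN:
        # Older than the stated range: not listed as affected, confirm with vendor.
        return "older_than_range"
    # 22.0.13 .. 22.1.0: not in the stated affected range, but below the fix version.
    return "unlisted_below_fix"


def triage_inventory(inventory):
    """Map host -> verdict for an inventory of (host, version) pairs."""
    return {host: triage(ver) for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [("print-01", "22.0.12"), ("print-02", "22.1.1 (Build 1)"),
              ("print-03", "21.2.0"), ("print-04", "21.1.5"),
              ("print-05", "22.1.0"), ("print-06", "23.0.1")]
    for host, verdict in triage_inventory(sample).items():
        print(f"{host}: {verdict}")
```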
For more information, please refer to the PaperCut Advisory.
Security hardening measures released by PaperCut
The vendor released new configuration options and defaults that make it harder for attackers to chain further attacks through PaperCut NG/MF.
The updates include a new security.properties file to separate the configuration of some components from the web administration interface. These include:
- Print Scripting and Device Scripting settings, such as the ability to run executables and unsafe code from scripts.
- Explicit granting of permission to run external executables, such as those used with custom authentication providers and other plugins.
Qualys Detection
Qualys customers can scan their devices with QID 383707 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.papercut.com/kb/Main/SecurityBulletinJune2023