CVE-2023-2533
Published: 20 June 2023
Summary
CVE-2023-2533 is a high-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in PaperCut NG/MF. Its CVSS base score is 8.4 (High).
Operationally, it ranks in the top 2.8% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-11 (Re-authentication).
Deeper analysis
A Cross-Site Request Forgery vulnerability tracked as CVE-2023-2533 affects PaperCut NG/MF. The flaw resides in the application's handling of administrative requests and carries a CVSS 3.1 score of 8.4. Under specific conditions an attacker can leverage it to modify security settings or execute arbitrary code when the victim holds an active administrative session.
An attacker can exploit the issue by crafting a malicious link and tricking a logged-in administrator into clicking it. Successful exploitation grants the ability to alter security configurations or run arbitrary code on the PaperCut server with the privileges of the targeted administrator account.
PaperCut's June 2023 security bulletin and the associated Fluid Attacks advisory describe the affected versions and direct customers to apply the vendor-supplied patches. The vulnerability is also catalogued in CISA's Known Exploited Vulnerabilities list, confirming observed in-the-wild exploitation. The EPSS score reached a peak of 0.4216 and currently stands at 0.3632.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-34012
Vulnerability details
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. This could be exploited if the target is an admin with a current login session. Exploiting this would typically involve the possibility of deceiving an admin into clicking a specially crafted malicious link, potentially leading to unauthorized changes.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
- KEV Date Added: 28 July 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces that administrative configuration changes and code-execution actions are performed only on valid, non-forged requests rather than on any request carrying a valid session cookie.
- IA-11 (Re-authentication): Requires re-authentication before privileged security-setting or code-execution operations, defeating CSRF that relies solely on an existing admin session.
- Session authenticity: Protects session authenticity so that a browser cannot be tricked into sending an attacker-supplied request that the application treats as originating from the legitimate administrator.
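The controls above in working form, as an added example that is not PaperCut code: an authorization check for a privileged admin endpoint, contrasting the cookie-only decision that CSRF abuses with one that enforces a per-session anti-forgery token, an Origin check and recent re-authentication. The admin UI origin, the re-authentication window and the Session/Request shapes are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

REAUTH_WINDOW_SECONDS = 300  # assumed policy: privileged change needs auth within 5 min
ALLOWED_ORIGIN = "https://printserver.example"  # assumed origin of the admin UI


@dataclass
class Session:
    """Server-side session state; the token is only rendered into the admin's own pages."""
    user: str
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    last_auth_at: float = 0.0  # time of the last password/MFA check


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    method: str
    origin: Optional[str]
    form: dict
    now: float


def vulnerable_authorize(session: Optional[Session]) -> bool:
    """Cookie-only decision: any request the admin's browser sends passes, forged or not."""
    return session is not None and session.is_admin


def hardened_authorize(session, req, privileged):
    """AC-3 style access enforcement plus IA-11 style re-authentication."""
    if session is None or not session.is_admin:
        return False, "no admin session"
    if req.method != "POST":
        return False, "state change must be POST"
    if req.origin != ALLOWED_ORIGIN:  # Origin is set by the browser, not by page content
        return False, "origin mismatch"
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session.csrf_token):  # constant-time compare
        return False, "missing or wrong anti-forgery token"
    if privileged and req.now - session.last_auth_at > REAUTH_WINDOW_SECONDS:
        return False, "re-authentication required"
    return True, "ok"


if __name__ == "__main__":
    s = Session("admin", True, last_auth_at=1000.0)
    forged = Request("POST", "https://attacker.example", {}, now=1100.0)  # constructed
    print(vulnerable_authorize(s), hardened_authorize(s, forged, True))
```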