
CVE-2023-2533

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 20 June 2023
Modified: 26 February 2026
KEV Added: 28 July 2025
Patch: available (vendor-supplied)
CVSS Score (v3.1): 8.4 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.3632 (97.2nd percentile)
Risk Priority: 59 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-2533 is a high-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in PaperCut MF and PaperCut NG. Its CVSS v3.1 base score is 8.4 (High).

Operationally, it ranks in the top 2.8% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-11 (Re-authentication).

Deeper analysis

A Cross-Site Request Forgery vulnerability tracked as CVE-2023-2533 affects PaperCut NG/MF. The flaw resides in the application's handling of administrative requests and carries a CVSS 3.1 score of 8.4. Under specific conditions an attacker can leverage it to modify security settings or execute arbitrary code when the victim holds an active administrative session.

An attacker can exploit the issue by crafting a malicious link and tricking a logged-in administrator into clicking it. Successful exploitation grants the ability to alter security configurations or run arbitrary code on the PaperCut server with the privileges of the targeted administrator account.

PaperCut's June 2023 security bulletin and the associated Fluid Attacks advisory describe the affected versions and direct customers to apply the vendor-supplied patches. The vulnerability is also catalogued in CISA's Known Exploited Vulnerabilities list, confirming observed in-the-wild exploitation. The EPSS score reached a peak of 0.4216 and currently stands at 0.3632.

EU & UK References

Vulnerability details

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. This could be exploited if the target is an admin with a current login session. Exploiting this would typically involve the possibility of deceiving an admin into clicking a specially crafted malicious link, potentially leading to unauthorized changes.

CWE(s): CWE-352 (Cross-Site Request Forgery)
KEV Date Added: 28 July 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor    Product       Affected versions
papercut  papercut mf   ≤ 20.1.8; 21.0.0 to 21.2.12; 22.0.0 to 22.1.1
papercut  papercut ng   ≤ 20.1.8; 21.0.0 to 21.2.12; 22.0.0 to 22.1.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces that administrative configuration changes and code-execution actions are performed only on valid, non-forged requests rather than any request carrying a valid session cookie.

IA-11 Re-authentication (prevent): Requires re-authentication before privileged security-setting or code-execution operations, defeating CSRF that relies solely on an existing admin session.

SC-23 Session Authenticity (prevent): Protects session authenticity so that a browser cannot be tricked into sending an attacker-supplied request that the application treats as originating from the legitimate administrator.
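The three controls above in working form, as an added example that is not PaperCut's code: a server-side gate for a privileged admin action that refuses any request authorised by nothing more than the session cookie a browser attaches automatically. ALLOWED_ORIGIN, the in-memory session store, the request shape and the sample requests are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://print-admin.example.internal"  # constructed console origin
REAUTH_MAX_AGE = 300  # seconds; an older credential prompt does not cover privileged changes

@dataclass
class Session:
    is_admin: bool
    last_reauth: float = 0.0  # epoch seconds of the admin's last credential re-entry
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

SESSIONS: Dict[str, Session] = {}  # session id -> Session (in-memory store, assumed)
Request = Dict[str, Dict[str, str]]  # {"headers": {...}, "cookies": {...}, "form": {...}}
def _same_origin(url: str) -> bool:
    # Scheme and host must equal the console origin; an empty or missing value fails closed
    got, want = urlsplit(url), urlsplit(ALLOWED_ORIGIN)
    return bool(got.scheme) and (got.scheme, got.netloc) == (want.scheme, want.netloc)

def check_privileged_request(req: Request, now: float) -> Tuple[bool, str]:
    """Gate for a security-setting change; the session cookie alone never authorises it."""
    sess = SESSIONS.get(req["cookies"].get("session", ""))
    if sess is None or not sess.is_admin:
        return False, "no admin session"
    # SC-23: browsers attach Origin (or Referer) to cross-site POSTs, so a mismatch is rejected
    if not _same_origin(req["headers"].get("Origin") or req["headers"].get("Referer", "")):
        return False, "cross-site origin"
    # AC-3: synchronizer token bound to this session, compared in constant time
    if not hmac.compare_digest(req["form"].get("csrf_token", ""), sess.csrf_token):
        return False, "missing or invalid csrf token"
    # IA-11: an existing admin session is not enough for privileged operations
    if now - sess.last_reauth > REAUTH_MAX_AGE:
        return False, "re-authentication required"
    return True, "ok"

def run_demo() -> Dict[str, str]:
    # Constructed requests: a forged cross-site POST versus a legitimate console POST
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(is_admin=True, last_reauth=1000.0)
    cookie = {"session": sid}  # the browser sends this automatically in both cases
    forged = {"headers": {"Origin": "https://attacker.example"}, "cookies": cookie,
              "form": {"action": "update-security-setting"}}
    legit = {"headers": {"Origin": ALLOWED_ORIGIN}, "cookies": cookie,
             "form": {"action": "update-security-setting", "csrf_token": SESSIONS[sid].csrf_token}}
    return {"forged": check_privileged_request(forged, now=1100.0)[1],
            "legit": check_privileged_request(legit, now=1100.0)[1],
            "stale": check_privileged_request(legit, now=1400.0)[1]}
```

Each check fails closed on its own, so a request that passes the origin check but lacks the token, or carries the token on a session whose last credential prompt is older than REAUTH_MAX_AGE, is still refused.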

References