Although CISA has no evidence that CVE-2023-2533 is being targeted in ransomware attacks, PaperCut servers have been previously breached by ransomware gangs in 2023 by exploiting a critical, unauthenticated remote code execution (RCE) vulnerability (CVE–2023–27350) and a high-severity information disclosure flaw (CVE–2023–27351). CISA has yet to share details regarding these ongoing attacks, but it has added the vulnerability to its Known Exploited Vulnerabilities Catalog, giving Federal Civilian Executive Branch (FCEB) agencies three weeks to patch their systems by August 18, as mandated by the November 2021 Binding Operational Directive (BOD) 22-01. CISA warns that threat actors are exploiting a high-severity vulnerability in PaperCut NG/MF print management software, which can allow them to gain remote code execution in cross-site request forgery (CSRF) attacks. In April 2023, Microsoft linked the attacks targeting PaperCut servers to the LockBit and Clop ransomware gangs, who used their access to compromised systems to steal corporate data. CISA added CVE-2023–27350 to its catalog of actively exploited vulnerabilities on April 21, 2023, ordering U.S. federal agencies to secure their servers by May 12, 2023. The security flaw (tracked as CVE-2023-2533 and patched in June 2023) can allow an attacker to alter security settings or execute arbitrary code if the target is an admin with a current login session, and successful exploitation typically requires tricking an admin into clicking a maliciously crafted link. One month later, CISA and the FBI issued a joint advisory warning that the Bl00dy Ransomware gang had also begun exploiting the CVE-2023–27350 RCE vulnerability to gain initial access to the networks of educational organizations.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 28 Jul 2025 17:00:27 +0000