NEWS PaperCut on Fire: Hackers Breach Thousands of Companies — Is Yours Next?

ExcalibuR

They leave no trace… until the moment you click an empty folder.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about the active exploitation of a critical vulnerability in the popular print management software PaperCut NG and MF. The flaw, tracked as CVE-2023-2533, allows attackers to execute arbitrary code on the server—if a system administrator opens a specially crafted link. The attack relies on an active admin session and the exploitation of a Cross-Site Request Forgery (CSRF) vulnerability.


PaperCut reports that its products are installed in over 70,000 organizations worldwide, including schools, corporations, and government agencies, with a user base exceeding 100 million. Although the vulnerability was patched back in June 2023, CISA notes that it is still being actively exploited and has mandated all U.S. federal civilian agencies to patch the issue by August 18, under Directive BOD 22-01, which requires urgent mitigation of known exploited vulnerabilities.


While specific abuse details remain undisclosed, the Shadowserver Foundation has identified over 1,100 publicly accessible PaperCut NG and MF servers online. Not all of them are vulnerable to CVE-2023-2533, but even a single exposed instance in critical infrastructure could lead to severe consequences.




A Pattern of Compromise


This is not PaperCut’s first brush with cyber threats.


Earlier in 2023, its servers were targeted by ransomware groups including LockBit and Clop, exploiting:


  • CVE-2023-27350 – unauthenticated remote code execution.
  • CVE-2023-27351 – an information disclosure flaw.

Microsoft confirmed the involvement of these groups and later attributed follow-up campaigns to Iran-linked APT actors, including MuddyWater and APT35. During attacks, adversaries gained access to the “Print Archiving” feature, which stores copies of all printed documents—potentially leading to theft of sensitive internal data.


On April 21, 2023, CISA added CVE-2023-27350 to its Known Exploited Vulnerabilities Catalog and gave federal agencies three weeks to apply patches. A joint alert with the FBI followed shortly thereafter, warning of Bl00dy Ransomware attacks, which had begun targeting educational institutions, where PaperCut usage is widespread.




The Takeaway


Given the history of mass compromises involving PaperCut, CISA strongly advises not just government agencies, but also private organizations, to immediately patch vulnerable systems. The agency emphasizes that such vulnerabilities are a permanent fixture in the attacker’s toolkit and pose a real and ongoing threat to digital infrastructure across industries.


Your printer might just be the weakest link.
 