The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding active exploitation of a high-severity vulnerability, CVE-2023-2533, within PaperCut NG/MF print management software, urging immediate patching for over 100 million users across 70,000 organizations.
CVE-2023-2533, a cross-site request forgery (CSRF) vulnerability patched in June 2023, enables remote code execution. Exploitation requires an attacker to trick an administrator, possessing a current login session, into clicking a maliciously crafted link, which can lead to altered security settings or arbitrary code execution. CISA has not released specific details concerning current attacks but has incorporated CVE-2023-2533 into its Known Exploited Vulnerabilities Catalog.
Federal Civilian Executive Branch (FCEB) agencies are mandated by the November 2021 Binding Operational Directive (BOD) 22-01 to patch this vulnerability by August 18. CISA advises all organizations, including those in the private sector, to prioritize patching, stating that such vulnerabilities are frequent attack vectors for malicious cyber actors and present significant risks to the federal enterprise.
Microsoft finds a major privacy flaw in Apple’s Spotlight search
Shadowserver, a non-profit security organization, currently identifies over 1,100 PaperCut MF and NG servers exposed online. Not all these servers are susceptible to CVE-2023-2533 attacks. While CISA has no evidence directly linking CVE-2023-2533 to ransomware attacks, PaperCut servers have been compromised by ransomware groups earlier in 2023. These prior breaches leveraged CVE-2023-27350, a critical unauthenticated remote code execution vulnerability, and CVE-2023-27351, a high-severity information disclosure flaw.
In April 2023, Microsoft associated attacks on PaperCut servers with the LockBit and Clop ransomware gangs, who utilized their access to steal corporate data. Approximately two weeks thereafter, Microsoft reported that Iranian state-backed hacking groups, identified as Muddywater and APT35, had also engaged in these attacks. These threat actors exploited the ‘Print Archiving‘ feature, which is designed to save documents routed through PaperCut printing servers.
CISA included CVE-2023-27350 in its catalog of actively exploited vulnerabilities on April 21, 2023, requiring U.S. federal agencies to secure their servers by May 12, 2023. One month later, CISA and the FBI jointly issued an advisory, indicating that the Bl00dy Ransomware gang had also commenced exploiting the CVE-2023-27350 RCE vulnerability to gain initial access to educational organizations’ networks.
