Certificateless cryptosystems overcome the costly certificate management of traditional public key cryptosystems, and at the same time do not have the private key escrow problem of identity-based cryptosystems. A proxy signature allows a proxy signer authorized by an original signer to sign messages on behalf of the latter. In this paper, we show that a recently proposed certificateless proxy signature scheme in the standard model is vulnerable to the public key replacement attack. Through this kind of attack, a malicious original signer or proxy signer can forge a valid proxy signature. We analyse the reasons for the success of the attack and point out the flaw in the proof of the original scheme.