CVE-2025-26506
Published: 14 February 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-26506 is a critical vulnerability enabling remote code execution (RCE) and elevation of privilege in certain HP LaserJet Pro, HP LaserJet Enterprise, and HP LaserJet Managed Printers. It occurs when processing a PostScript print job and stems from CWE-121 (stack-based buffer overflow). Published on 2025-02-14, the issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its high severity due to network accessibility and lack of prerequisites.
An unauthenticated attacker with network access to the printer can exploit the vulnerability by sending a malicious PostScript print job. No user interaction or privileges are required, allowing low-complexity exploitation that achieves RCE and privilege escalation, compromising confidentiality, integrity, and availability of the device.
The HP security bulletin at https://support.hp.com/us-en/document/ish_11953771-11953793-16/hpsbpi04007 provides details on mitigation, including affected models and recommended patches or workarounds.
Details
CWE(s): CWE-121 (stack-based buffer overflow)
Affected Products: HP LaserJet Pro, HP LaserJet Enterprise, and HP LaserJet Managed Printers (specific models are listed in the HP bulletin above)
MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1068 (Exploitation for Privilege Escalation)
Why these techniques?
The unauthenticated network-accessible stack-based buffer overflow in PostScript processing directly enables remote exploitation of a public-facing printer service (T1190) and achieves RCE with privilege escalation (T1068).