CVE-2025-26507

CVE-2025-26507 is a high-severity vulnerability affecting certain HP LaserJet Pro, HP LaserJet Enterprise, and HP LaserJet Managed Printers. It enables remote code execution (RCE) and elevation of privilege when the devices process a malicious PostScript print job. The issue stems from a buffer overflow (CWE-121) in the PostScript processing component, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical risk due to its network accessibility and lack of prerequisites.

Unauthenticated attackers on the network can exploit this vulnerability by sending a specially crafted PostScript print job to the targeted printer. Successful exploitation allows arbitrary code execution on the device with elevated privileges, potentially leading to full compromise of the printer's operating system. This grants attackers high-impact control over confidentiality, integrity, and availability, such as data exfiltration, lateral movement within the network, or using the printer as a pivot point.

HP's security bulletin (HPSBPI-04007) at https://support.hp.com/us-en/document/ish_11953771-11953793-16/hpsbpi04007 provides details on affected models, firmware versions, and recommended mitigations, including applying the latest firmware patches to address the vulnerability.