CVE-2025-26508
Published: 14 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26508 is a vulnerability in certain HP LaserJet Pro, HP LaserJet Enterprise, and HP LaserJet Managed Printers that enables remote code execution and elevation of privilege when processing a PostScript print job. Published on 2025-02-14, it stems from CWE-787 (Out-of-bounds Write) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.
Attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no authentication privileges or user interaction. Unauthenticated remote actors can send a specially crafted PostScript print job to a vulnerable printer, leading to arbitrary code execution and privilege escalation on the device.
HP security bulletin HPSBPI-04007, detailed at https://support.hp.com/us-en/document/ish_11953771-11953793-16/hpsbpi04007, addresses this issue with recommended mitigations and patches for affected printers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes unauthenticated remote code execution via a crafted PostScript print job sent to a network-exposed printer service, directly enabling exploitation of a public-facing application for initial access and arbitrary code execution on the device.