Critical Wormable Security Flaw Found in Several HP Printer Models

Cybersecurity researchers on Tuesday disclosed multiple security flaws affecting 150 different multifunction printers from HP Inc that could be potentially abused by an adversary to take control of vulnerable devices, pilfer sensitive information, and infiltrate enterprise networks to mount other attacks.

“An attacker can exploit them to gain code execution rights, with the former requiring physical access while the latter can be accomplished remotely. A successful attack will allow an adversary to achieve various objectives, including stealing information or using the compromised machine as a beachhead for future attacks against an organization.”

A hypothetical attack scenario could involve embedding an exploit for the font-parsing flaws in a malicious PDF document and then social engineering the target into printing the file.

An employee from the victim organization could be lured into visiting a rogue website, in the process sending the exploit to the vulnerable MFP directly from the web browser in what’s known as a cross-site printing attack.

“The website would, automatically, remotely print a document containing a maliciously-crafted font on the vulnerable MFP, giving the attacker code execution rights on the device,” the researchers said.

“While exploiting these issues is somewhat difficult, the public disclosure of these vulnerabilities will help threat actors know what to look for to attack vulnerable organizations,” Hirvonen and Bolshev said.

Share this article on social media:

Subscribe to Our Newsletter!
Stay on top of cybersecurity risks, evolving threats and industry news.
This field is for validation purposes and should be left unchanged.

The Latest Cybersecurity News

From major cyberattacks, newly discovered critical vulnerabilities to recommended best practices, read it here first:
GET STARTED TODAY

Tell us About your Needs
Get an Answer the Same Business Day

Got an urgent request? Call us at 1-877-805-7475 or Book a meeting.

What happens next:

  • We reach out to learn about your objectives
  • We work together to define your project’s scope
  • You get an all-inclusive, no engagement proposal
PCI-DSS
This field is for validation purposes and should be left unchanged.

BOOK A MEETING

Enter your Email Address

This field is for validation purposes and should be left unchanged.

* No free email provider (e.g: gmail.com, hotmail.com, etc.)

2024 EDITION

PENETRATION TESTING Buyer's Guide

Everything You Need to Know

Gain confidence in your future cybersecurity assessments by learning to effectively plan, scope and execute projects.
This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.