HP announced in a security bulletin this week that it will take up to 90 days to patch a critical-severity vulnerability that affects the firmware of certain business-grade printers.
The security issue is tracked as CVE-2023-1707 and it affects about 50 HP Enterprise LaserJet and HP LaserJet Managed Printers models.
The company calculated a severity score of 9.1 out of 10 using the CVSS v3.1 standard and notes that exploiting it could potentially lead to information disclosure.
Despite the high score, there is a restrictive exploitation context, as vulnerable devices need to run FutureSmart firmware version 5.6 and have IPsec enabled.
IPsec (Internet Protocol Security) is an IP network security protocol suite used in corporate networks to secure remote or internal communications and prevent unauthorized access to assets, including printers.
FutureSmart allows users to operate and configure printers either from a control panel available on the printer or from a web browser for remote access.
In this case, the information disclosure flaw could allow an attacker to access sensitive information transmitted between the vulnerable HP printers and other devices on the network.
BleepingComputer has contacted HP to learn more about the exact impact of the flaw and whether the vendor has seen signs of active exploitation, but we received no comment at publishing time.
The following printer models are affected by CVE-2023-1707:
- HP Color LaserJet Enterprise M455
- HP Color LaserJet Enterprise MFP M480
- HP Color LaserJet Managed E45028
- HP Color LaserJet Managed MFP E47528
- HP Color LaserJet Managed MFP E785dn, HP Color LaserJet Managed MFP E78523, E78528
- HP Color LaserJet Managed MFP E786, HP Color LaserJet Managed Flow MFP E786, HP Color LaserJet Managed MFP E78625/30/35, HP Color LaserJet Managed Flow MFP E78625/30/35
- HP Color LaserJet Managed MFP E877, E87740/50/60/70, HP Color LaserJet Managed Flow E87740/50/60/70
- HP LaserJet Enterprise M406
- HP LaserJet Enterprise M407
- HP LaserJet Enterprise MFP M430
- HP LaserJet Enterprise MFP M431
- HP LaserJet Managed E40040
- HP LaserJet Managed MFP E42540
- HP LaserJet Managed MFP E730, HP LaserJet Managed MFP E73025, E73030
- HP LaserJet Managed MFP E731, HP LaserJet Managed Flow MFP M731, HP LaserJet Managed MFP E73130/35/40, HP LaserJet Managed Flow MFP E73130/35/40
- HP LaserJet Managed MFP E826dn, HP LaserJet Managed Flow MFP E826z, HP LaserJet Managed E82650/60/70, HP LaserJet Managed E82650/60/70
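For fleet triage, the three conditions above (a listed model, FutureSmart 5.6, IPsec enabled) can be checked against an asset inventory. The script below is an added example, not code from HP or the original article; the CSV column names, the `enabled`/`disabled` values and the sample rows are constructed assumptions, and matching is done on the model number with any letter suffix (dn, z) stripped.

```python
import csv, io, re

# Model tokens copied from the affected-model list above, shorthand kept as written.
AFFECTED = """M455 M480 E45028 E47528 E785dn E78523 E78528 E786 E78625/30/35
E877 E87740/50/60/70 M406 M407 M430 M431 E40040 E42540 E730 E73025 E73030
E731 M731 E73130/35/40 E826dn E826z E82650/60/70""".split()

# A model number is one letter plus 3-5 digits; trailing letters are a variant suffix.
BASE = re.compile(r"\b([A-Za-z]\d{3,5})[A-Za-z]*\b")

def expand(token):
    """Expand the list's shorthand: 'E78625/30/35' -> E78625, E78630, E78635."""
    head, *tails = token.split("/")
    return [head] + [head[: -len(t)] + t for t in tails]

MODELS = {BASE.search(m).group(1).upper() for tok in AFFECTED for m in expand(tok)}

def triage(csv_text):
    """Map each host to a status based on model, FutureSmart version and IPsec state."""
    status = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ids = {m.upper() for m in BASE.findall(row["model"])}
        # Match 5.6 or 5.6.x only, so that a value such as 5.60 is not caught.
        on_56 = re.match(r"5\.6(\.|$)", row["futuresmart"].strip()) is not None
        ipsec = row["ipsec"].strip().lower() == "enabled"
        if not (ids & MODELS and on_56):
            status[row["host"]] = "conditions not met"
        elif ipsec:
            status[row["host"]] = "affected"
        else:
            status[row["host"]] = "affected if IPsec is enabled"
    return status

# Constructed inventory export (hypothetical hosts and column names).
SAMPLE = """host,model,futuresmart,ipsec
prn-01,HP Color LaserJet Enterprise M455dn,5.6.0.1,enabled
prn-02,HP LaserJet Managed MFP E73135,5.6,disabled
prn-03,HP LaserJet Enterprise M406,5.5,enabled
prn-04,HP LaserJet Enterprise M999,5.6.0.1,enabled
prn-05,HP Color LaserJet Managed Flow MFP E87760z,5.6.0.2,enabled
"""

if __name__ == "__main__":
    for host, state in triage(SAMPLE).items():
        print(f"{host}: {state}")
```

Exact model-number matching is deliberately conservative; confirm any borderline device against HP's bulletin rather than relying on the name match alone.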
HP says a firmware update that addresses the vulnerability will be released within 90 days, so there's currently no fix available.
The recommended mitigation for customers running FutureSmart 5.6 is to downgrade their firmware version to FS 22.214.171.124.
Users are recommended to source the firmware package from HP's official download portal, where they can select their printer model and get the relevant software.