Hewlett Packard has disclosed two potentially dangerous vulnerabilities in the firmware of various enterprise printer models that could be abused by attackers to run arbitrary code on affected printer models remotely.
The first vulnerability (CVE-2022-28721), rated critical with a CVSS score of 9.8, is a buffer overflow caused by improper bounds checking that could allow remote execution of arbitrary code on more than 60 affected printer models.
The security flaw affects more than 60 printer models, including HP inkjet printers, HP LaserJet Pro printers, and HP PageWide Pro printers. To exploit the CVE-2022-28721 flaw, a remote attacker could send a specially crafted request to overflow a buffer and execute arbitrary code on the system.
The second flaw (CVE-2022-28722), rated high with a CVSS score of 7.1, is also a buffer overflow; it allows a local attacker to overflow a buffer and execute arbitrary code on the system.
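Both advisories describe the same bug class: a length taken from input is used for a copy without being checked against the destination buffer. The following is an added illustration of that pattern and its fix, written for this page; it is a hypothetical request-field parser with a constructed wire layout, not HP's firmware or protocol.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical wire layout, constructed for this example (not HP's protocol):
 *   byte 0     : declared length N of a name field
 *   bytes 1..N : the name bytes
 * The handler copies the name into a fixed-size buffer. */
#define NAME_BUF 16

/* Defective pattern: N comes from the packet and is never compared with the
 * destination capacity or with the bytes actually received, so a packet that
 * declares N >= NAME_BUF writes past the end of 'out'. Shown for contrast. */
void copy_name_unchecked(const uint8_t *pkt, size_t pkt_len, char out[NAME_BUF])
{
    (void)pkt_len;                 /* received length is ignored: the defect */
    size_t n = pkt[0];
    memcpy(out, pkt + 1, n);       /* no bounds check against NAME_BUF */
    out[n] = '\0';
}

/* Hardened pattern: validate the declared length against the bytes received
 * and against the destination capacity before copying; reject otherwise. */
bool copy_name_checked(const uint8_t *pkt, size_t pkt_len, char out[NAME_BUF])
{
    if (pkt == NULL || out == NULL || pkt_len < 1)
        return false;              /* truncated header */
    size_t n = pkt[0];
    if (n > pkt_len - 1)
        return false;              /* declares more bytes than were received */
    if (n >= NAME_BUF)
        return false;              /* would not fit with the terminating NUL */
    memcpy(out, pkt + 1, n);
    out[n] = '\0';
    return true;
}
```

The checked variant rejects a packet before any copy when the declared length exceeds either the payload actually received or the buffer capacity, which is the bounds check the advisories say was missing.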
These vulnerabilities in more than 60 printers from HP demonstrate that any type of device that connects to a network can expand the perceived threat surface.
To download the new firmware update, visit the HP website in your web browser, select Support at the top of the page, and then select Software & drivers. Next, select the printer, enter the product name or model number in the search box, scroll down in the search results to the firmware section, and download the necessary files.