Security Vulnerability in HP Laser Printers Allows Code Injection

Mon 17th Feb, 2025

Numerous HP laser printers are currently facing significant security vulnerabilities, enabling potential attackers to inject and execute malicious code. HP has issued a firmware update to address these security flaws, and it is crucial for IT administrators to implement these updates promptly.

In an official security advisory, HP outlined the vulnerabilities, although it provided limited details. The company noted that certain models from the HP LaserJet Pro, LaserJet Enterprise, and HP LaserJet Managed series could be susceptible to code injection attacks via network access when processing PostScript print jobs.

The advisory identifies three specific vulnerabilities, with CVE-2025-26506 classified as critical, receiving a CVSS score of 9.2. Another vulnerability, CVE-2025-26508, is rated as high risk with a CVSS score of 8.3, while CVE-2025-26507 is considered a medium risk at 6.3.

The number of affected printer models is extensive, encompassing hundreds of devices across 120 different series. Due to the volume of models affected, a complete list is impractical here, but IT admins are advised to consult the security advisory for details on vulnerable devices present within their networks. It is essential to download and install the available firmware updates without delay.

Additionally, HP recently cautioned about critical security flaws in its universal printer drivers for PostScript and PCL6, which also require immediate attention from system administrators. Just prior to the weekend, Lexmark issued a similar warning regarding vulnerabilities found in both printer companion software and firmware. Lexmark's PostScript interpreter was also reported to have vulnerabilities, albeit classified as less severe than those affecting HP printers.

