HP has identified a critical error, CVE-2023-1707, that affects around 50 models of HP Enterprise LaserJet and HP LaserJet Managed printers. The vulnerability has been rated 9.1 out of 10 on the CVSS scale, making it critical. Exploitation of the bug may lead to information disclosure, as an attacker could gain access to sensitive information transferred between vulnerable HP printers and other devices on the network. The list of vulnerable devices can be seen below.
HP Color LaserJet Enterprise M455, HP Color LaserJet Enterprise MFP M480, HP Color LaserJet Managed E45028, HP Color LaserJet Managed MFP E47528, HP Color LaserJet Managed MFP E785dn, E78523, E78528, HP Color LaserJet Managed MFP E786, HP Color LaserJet Managed Flow MFP E786, E78625/30/35, HP Color LaserJet Managed Flow MFP E78625/30/35, HP Color LaserJet Managed MFP E877, E87740/50/60/70, HP Color LaserJet Managed Flow E87740/50/60/70, HP LaserJet Enterprise M406, HP LaserJet Enterprise M407, HP LaserJet Enterprise MFP M430, HP LaserJet Enterprise MFP M431, HP LaserJet Managed E40040, HP LaserJet Managed MFP E42540, HP LaserJet Managed MFP E730, E73025, E73030, HP LaserJet Managed MFP E731, HP LaserJet Managed Flow MFP M731, E73130/35/40, HP LaserJet Managed Flow MFP E73130/35/40, HP LaserJet Managed MFP E826dn, HP LaserJet Managed Flow MFP E826z, E82650/60/70, HP LaserJet Managed Flow MFP E82650/60/70.
Exploitation of the vulnerability is possible only in a limited context, as vulnerable devices must have FutureSmart firmware version 5.6 installed and IPsec (Internet Protocol Security) enabled. HP representatives have stated that a firmware update that fixes the vulnerability will be ready within 90 days, and a patch is not available at this time. Customers running FutureSmart 5.6 are advised to downgrade to FutureSmart 5.5.0.3 for now.