HP laser printers allow code injection through PostScript vulnerability
Attackers can abuse a flaw in the PostScript processing of numerous HP laser printers to inject malicious code.
Numerous HP laser printers are affected by vulnerabilities that allow attackers to inject and execute malicious code. The manufacturer is providing updated firmware to close the security gaps. IT managers should install it quickly.
HP warns of the vulnerabilities in a security notice. HP is tight-lipped about the details: "Certain HP LaserJet Pro, LaserJet Enterprise and HP LaserJet Managed printers may be vulnerable to code smuggling from the network and privilege escalation when processing a PostScript print job," reads the reassuring summary. However, no further details are provided.
HP: Three security vulnerabilities, one critical
In total, three vulnerabilities share this description. CVE-2025-26506 has a CVSS rating of 9.2 and is therefore a critical risk, while CVE-2025-26508 has a CVSS rating of 8.3 and is considered a high threat level. The third vulnerability, CVE-2025-26507, is rated by the developers as a medium risk with CVSS 6.3.
The number of affected printer models is in the hundreds; the list of partially combined series alone adds up to 120 device series. Listing them all would go beyond the scope of this report, so please refer to the list in the security notice. Admins should check whether vulnerable models are in use on their networks, and download and install the available firmware updates promptly.
Last week, HP also warned of critical security vulnerabilities in the universal printer drivers for PostScript and PCL6. Admins should also bring these up to date. Shortly before the weekend, Lexmark also warned of vulnerabilities in printer companion software and printer firmware. Lexmark's PostScript interpreter also has vulnerabilities, but all of them were classified as "only" high risk.
(dmk)