This week, HP stated in a security alert that a major vulnerability affecting the firmware of a few business-grade printers would take up to 90 days to fix.
More than 50 HP Enterprise LaserJet and HP LaserJet Managed printer models are affected by the security flaw, which is tracked as CVE-2023-1707.
Using the CVSS v3.1 standard, the company assigned a severity score of 9.1 out of 10 and added that exploiting it might result in information disclosure.
Despite the high score, the exploitation scenario is constrained: a device is susceptible only if it has FutureSmart firmware version 5.6 installed and IPsec enabled.
According to CVE-2023-1707, the following printer models are vulnerable:
HP Color LaserJet M455; HP Color LaserJet Enterprise MFP 480; HP Color LaserJet Managed E45028; HP Color LaserJet Managed MFP E47528; HP Color LaserJet Managed MFP E785dn, E78523 and E78528; HP Color LaserJet Managed MFP E786; HP Color LaserJet Managed Flow MFP E786; HP Color LaserJet Managed MFP E78625/30/35; HP Color LaserJet Managed Flow E87740/50/60/70; HP LaserJet Enterprise M406; HP LaserJet Enterprise M407; HP LaserJet Enterprise MFP M430; HP LaserJet Enterprise MFP M431; HP LaserJet Managed E40040; HP LaserJet Managed MFP E42540.
There is no fix at this time; however, HP promises to deliver a firmware update that fixes the problem within 90 days.