Printing Shellz: Critical bugs impacting 150 HP printer models patched

HP has patched critical flaws impacting approximately 150 printer models. 

Printers are usually connected to business networks — and potentially forgotten when it comes to security — so they can easily provide an avenue of attack. Highlighting this issue is PrintNightmare, CVE-2021-34481, a Windows Print Spooler service vulnerability that permits attackers to escalate privileges to system level, which was patched in August. In addition, HP patched a separate, 16-year-old privilege escalation driver flaw in July.

Now, researchers from F-Secure have documented “Printing Shellz,” a set of vulnerabilities impacting multifunction printers (MFPs). 

On Thursday, the research team said that their tests involved the HP MFP M725z. However, the vulnerabilities — dating back to 2013 — impact an estimated 150 products. These include models in the HP Color LaserJet Enterprise, HP LaserJet Enterprise, HP PageWide, HP OfficeJet Enterprise Color, and HP ScanJet Enterprise 8500 FN1 Document Capture Workstation ranges.

The first issue the researchers discovered was CVE-2021-39238. Assigned a CVSS severity score of 9.3, this potential buffer overflow issue could allow the creation of a “self-propagating network worm capable of independently spreading to other vulnerable MFPs on the same network,” according to

Read More: https://www.zdnet.com/article/printing-shellz-critical-bugs-impacting-150-hp-printers-patched/#ftag=RSSbaffb68