CVE-2020-35546
Published: 19 February 2025
Summary
CVE-2020-35546 is a critical-severity Improper Access Control (CWE-284) vulnerability in Lexmark MX6500 LW75 (inferred from references). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 27.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2020-35546 is an Incorrect Access Control vulnerability (CWE-284) affecting Lexmark MX6500 LW75.JD.P296 and previous devices. The flaw stems from improper implementation in the access control settings, enabling unauthorized actions despite configured restrictions.
The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating exploitation is possible remotely over the network by unauthenticated attackers with low complexity and no user interaction. Attackers can achieve high confidentiality and integrity impacts, such as accessing or modifying sensitive data and configurations, while availability remains unaffected.
Lexmark advisories address mitigation through their support portal at http://support.lexmark.com and a dedicated security alert PDF at https://publications.lexmark.com/publications/security-alerts/CVE-2020-35546.pdf, which security practitioners should review for patching guidance and workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-23213
Vulnerability details
Lexmark MX6500 LW75.JD.P296 and previous devices have Incorrect Access Control via the access control settings.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote unauthenticated access control bypass on a network-exposed printer service matches exploitation of public-facing applications.
Mitigating Controls (NIST 800-53 r5)
AC-3 requires systems to enforce approved authorizations for access, directly countering the improper access control implementation that allows unauthorized actions despite configured restrictions.
SI-2 mandates identification, reporting, and timely remediation of system flaws, enabling patching of this specific access control vulnerability as provided in Lexmark advisories.
AC-6 enforces least privilege to restrict access to only necessary functions, partially mitigating unauthorized data access and modification even with flawed enforcement.