CVE-2020-35546

Severity: Critical

Published: 19 February 2025
Modified: 15 April 2026
KEV Added: (not listed)
Patch: see vendor references below
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0010 (27.3rd percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2020-35546 is a critical-severity Improper Access Control (CWE-284) vulnerability in Lexmark MX6500 LW75 (inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 27.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-35546 is an Incorrect Access Control vulnerability (CWE-284) affecting Lexmark MX6500 LW75.JD.P296 and earlier firmware. The flaw stems from an improper implementation of the access control settings, which allows actions to be performed despite the restrictions an administrator has configured.

The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N): it is exploitable remotely over the network by an unauthenticated attacker, with low attack complexity and no user interaction. The impact on confidentiality and integrity is rated high (for example, reading or modifying sensitive data and device configuration), while availability is unaffected.

Lexmark addresses the issue through its support portal at http://support.lexmark.com and a dedicated security alert PDF at https://publications.lexmark.com/publications/security-alerts/CVE-2020-35546.pdf; practitioners should review both for patching guidance and workarounds.

Vulnerability details

Lexmark MX6500 LW75.JD.P296 and previous devices have Incorrect Access Control via the access control settings.

CWE(s)

CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

A direct, remote, unauthenticated access control bypass on a network-exposed printer service matches exploitation of a public-facing application.

Confidence: HIGH (MITRE ATT&CK Enterprise v18.1)

CVEs Like This One

CVE-2026-39339 (shared CWE-284)
CVE-2026-46839 (shared CWE-284)
CVE-2025-26010 (shared CWE-284)
CVE-2026-34291 (shared CWE-284)
CVE-2023-47539 (shared CWE-284)
CVE-2026-23899 (shared CWE-284)
CVE-2025-7016 (shared CWE-284)
CVE-2026-46822 (shared CWE-284)
CVE-2024-37566 (shared CWE-284)
CVE-2026-30689 (shared CWE-284)

Affected Assets

Vendor: Lexmark
Product: MX6500 LW75
Note: inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): requires systems to enforce approved authorizations for access, directly countering the improper access control implementation that allows unauthorized actions despite configured restrictions.

SI-2 Flaw Remediation (prevent): mandates identification, reporting, and timely remediation of system flaws, enabling patching of this specific access control vulnerability as provided in Lexmark advisories.

AC-6 Least Privilege (prevent): restricts access to only the functions each principal needs, partially mitigating unauthorized data access and modification even where enforcement is flawed.
