CVE-2023-50733
Published: 21 January 2025
Summary
CVE-2023-50733 is a high-severity Improper Input Validation (CWE-20) vulnerability in Lexmark (inferred from references). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2023-50733 is a Server-Side Request Forgery (SSRF) vulnerability affecting the Web Services feature in newer Lexmark devices. Published on 2025-01-21, it carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) and maps to CWE-20 (Improper Input Validation) and CWE-918 (Server-Side Request Forgery).
Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction. Exploitation enables high confidentiality impact across a changed scope, allowing remote adversaries to potentially trick the device into making unauthorized requests to internal or external resources.
Mitigation details are available in the Lexmark security advisory at https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-55489
Vulnerability details
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Web Services feature of newer Lexmark devices.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing Web Services directly matches exploitation of an Internet-facing application (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the SSRF vulnerability by requiring timely remediation through firmware updates as specified in the Lexmark security advisory.
Addresses the core CWE-20 improper input validation by enforcing validation of inputs to the Web Services feature, preventing forged requests.
Enforces approved information flow policies to block unauthorized outbound requests to internal or external resources triggered by SSRF exploitation.