Cyber Resilience

CVE-2024-11346

High

Published: 13 February 2025
Modified: 15 April 2026
KEV Added: (not listed)
Patch: (see vendor advisory)
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0004 (12.8th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-11346 is a high-severity Type Confusion (CWE-843) vulnerability in Lexmark International CX (inferred from references). Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-11346 is a Type Confusion vulnerability (CWE-843: Access of Resource Using Incompatible Type) in the Postscript interpreter modules of Lexmark International printers, including CX, XC, CS, and related models. This flaw enables Resource Injection and affects firmware versions from 001.001:0 through 081.231, as well as ranges *.*.P001 through *.*.P233, *.*.P001 through *.*.P759, and *.*.P001 through *.*.P836. The vulnerability was published on 2025-02-13 with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and low barriers to exploitation.

Attackers can exploit this vulnerability remotely over the network without authentication, privileges, or user interaction; attack complexity is low and the scope is unchanged. Successful exploitation has limited impact on confidentiality, integrity, and availability, potentially allowing attackers to inject resources via crafted Postscript inputs processed by the affected interpreter modules.

For mitigation details, refer to Lexmark's security advisories at https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html, which provide guidance on patches and workarounds for vulnerable devices.

EU & UK References

Vulnerability details

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Lexmark International CX, XC, CS, et al. (Postscript interpreter modules) allows Resource Injection. This issue affects CX, XC, CS, et al.: from 001.001:0 through 081.231, from *.*.P001 through *.*.P233, from *.*.P001 through *.*.P759, from *.*.P001 through *.*.P836.

CWE(s)

CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated exploitation of Postscript interpreter in network-exposed printer firmware directly enables T1190 (Exploit Public-Facing Application) via crafted inputs.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24874 (shared CWE-843)
CVE-2024-11344 (shared CWE-843)
CVE-2025-65570 (shared CWE-843)
CVE-2025-47151 (shared CWE-843)
CVE-2025-70023 (shared CWE-843)
CVE-2026-25537 (shared CWE-843)
CVE-2025-53144 (shared CWE-843)
CVE-2026-40683 (shared CWE-843)
CVE-2026-21854 (shared CWE-843)
CVE-2025-13229 (shared CWE-843)

Affected Assets

Lexmark International CX (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-2 Flaw Remediation (prevent): Directly remediates the type confusion vulnerability by identifying, prioritizing, and applying Lexmark firmware patches for affected Postscript interpreter modules.

SI-10 Information Input Validation (prevent): Validates Postscript inputs to block crafted malicious inputs that exploit the type confusion for resource injection.

Memory protection control (prevent; control ID not shown on this page): Implements memory protections like non-executable memory and ASLR to mitigate exploitation outcomes of the type confusion vulnerability.

References