CVE-2025-26508
Published: 14 February 2025
Summary
CVE-2025-26508 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in HP FutureSmart 5. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).
Deeper analysis
Certain HP LaserJet Pro, HP LaserJet Enterprise, and HP LaserJet Managed Printers are affected by CVE-2025-26508, a vulnerability that can lead to remote code execution and elevation of privilege during PostScript print job processing. The issue is tracked under CWE-787 and carries a CVSS 4.0 score of 8.3 with a network attack vector.
An unauthenticated attacker with network access can submit a crafted PostScript job to trigger the flaw, enabling arbitrary code execution on the printer and subsequent privilege escalation without user interaction.
The referenced HP advisory at https://support.hp.com/us-en/document/ish_11953771-11953793-16/hpsbpi04007 provides mitigation guidance and patch information for the affected models. EPSS for the CVE rose from lower values to a peak of 0.0609 on 2026-03-26 before receding to the current 0.0206, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4204
Vulnerability details
Certain HP LaserJet Pro, HP LaserJet Enterprise, and HP LaserJet Managed Printers may potentially be vulnerable to Remote Code Execution and Elevation of Privilege when processing a PostScript print job.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes unauthenticated remote code execution via a crafted PostScript print job sent to a network-exposed printer service, directly enabling exploitation of a public-facing application for initial access and arbitrary code execution on the device.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the out-of-bounds write vulnerability by requiring timely application of vendor patches to affected HP printer firmware.
Prevents unauthenticated remote exploitation by enforcing boundary protections such as firewalls to block access to printer ports used for PostScript print jobs.
Addresses malformed PostScript inputs by requiring validation and error handling at printer input interfaces to block specially crafted print jobs.