Critical Wormable Security Flaw Found in Several HP Printer Models (10th December 2021)

Ref# AL2021_54 | Date: Dec 10th 2021


Multiple security flaws affecting 150 different HP Inc multifunction printers (MFPs) were disclosed on Tuesday 23rd November 2021, by cybersecurity researchers, which could be exploited by an adversary to take control of vulnerable devices, steal sensitive information, and infiltrate enterprise networks to launch other attacks.


F-Secure Labs researchers Timo Hirvonen and Alexander Bolshev found and reported the two flaws on April 29, 2021, causing HP to deliver patches earlier this month for the below.

  • CVE-2021-39237 (CVSS: 7.1) – A vulnerability that affects HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed printers.

  • CVE-2021-39238 is a critical vulnerability that affects a large number of computers (CVSS score: 9.3) – A buffer overflow vulnerability has been discovered in some HP Enterprise LaserJet, HP LaserJet Managed, HP Enterprise PageWide, and HP PageWide Managed printers.

    How it works

  • According to Hirvonen and Bolshev, the weaknesses exist in the unit”s communications board and font parser. “They can be used by an attacker to achieve code execution rights, with the former requiring physical access and the latter being done remotely. A threat actor can use a successful attack to accomplish a variety of goals, such as stealing information or utilizing the hacked equipment as a launchpad for future operations against an organization.”

    The severe threat ranking for CVE-2021-39238 comes from the fact that the flaw is wormable, which means it might be used to spread to other MFPs on a compromised network.

    In a hypothetical attack scenario, an exploit for font-parsing weaknesses may be inserted in a malicious PDF document, and the victim could then be socially engineered into printing the file. Alternatively, a victim organization employee could be persuaded to visit a rogue website, which would then send the exploit to the vulnerable MFP straight through the web browser in a cross-site printing attack.

“The website would automatically print a document on the vulnerable MFP using a maliciously generated typeface, allowing the attacker code execution access on the device,” the researchers explained.


  1. Installtheupdatesassoonastheyareavailable,

  2. Enforce network segmentation and disable printing from USB drives by default.

  3. Ensure device firmware is updated.

  4. Secure mobile printing employees who are on the go may accidentally

    expose data or leave printouts unsecured.

  5. Securethenetworktheprinterisonunauthorizeduserscanaccessthe

    device via unsecured USB or network ports via unsecured protocols.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Critical Wormable Security Flaw Found in Several HP Printer Models.pdf