CVE-2025-43018: HP LaserJet Pro Printers Vulnerable to Information Disclosure

This blog post discusses a recently discovered vulnerability, CVE-2025-43018, affecting certain HP LaserJet Pro printers. This flaw could allow unauthorized access to sensitive information stored within the printer's local address book. Read on to understand the details and learn how to mitigate the risk.

Vulnerability Details

  • CVE ID: CVE-2025-43018
  • Description: Certain HP LaserJet Pro printers are vulnerable to information disclosure when a non-authenticated user queries a device’s local address book. This means someone on the network, without needing a username or password, could potentially access names, email addresses, and other contact information stored on the printer.
  • CVSS Score and Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, Base Score: 6.9 (Medium). The vulnerability is network-exploitable (AV:N) with low attack complexity (AC:L) and requires no privileges (PR:N) or user interaction (UI:N). It has a low impact on confidentiality (VC:L) and no impact on integrity or availability.
  • Exploit Requirements: An attacker needs to be on the same network as the vulnerable HP LaserJet Pro printer. No authentication is required.
  • Affected Vendor, Product, Version: HP LaserJet Pro printers (specific models are not listed in the available data; consult the HP advisory for the affected models and fixed firmware versions).
  • CWE: CWE-200 - Information Exposure. This means the software unintentionally exposes sensitive information that can be accessed by unauthorized parties.

Timeline of Events

  • 2025-07-30: CVE-2025-43018 Published.

Exploitability & Real-World Risk

The exploitability of this vulnerability is relatively high, as it requires no authentication. In a real-world scenario, an attacker could potentially scan a network for vulnerable HP LaserJet Pro printers and extract the address book information. This information could then be used for phishing attacks, spam campaigns, or even identity theft.

Recommendations

  • Apply Available Patches: Check the HP support website for available firmware updates for your LaserJet Pro printer model.
  • Network Segmentation: Isolate printers on a separate network segment to limit the potential impact of a breach.
  • Access Control Lists (ACLs): Configure ACLs on your network devices to restrict access to the printer's management interface.
  • Regularly Review Address Book: Ensure the address book contains only necessary contacts.

Technical Insight

The vulnerability likely stems from a lack of proper access control on the printer's web interface or API. An unauthenticated request to a specific endpoint allows retrieval of the address book data.
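The two recommendations above that can be verified rather than just configured are the firmware update (the address book must now refuse unauthenticated queries) and the ACLs (the printer's management interface must be unreachable from ordinary user segments). The following script is an added example for fleet administrators, not code from HP or from this advisory. It assumes a placeholder address-book path, because the page does not name the endpoint; substitute the path HP's advisory gives for your model. It deliberately sends no credentials, so a 200 response containing contact data means the printer still answers the unauthenticated query, while 401/403 means the fix is in place and a connection failure from a user VLAN means the ACL is doing its job.

```python
"""Post-mitigation check for CVE-2025-43018 on printers you administer.

Added example, not HP's code. Run it from a non-admin network segment after
applying firmware updates and ACLs; every host should come back as
"requires-auth" (patched) or "unreachable" (blocked by ACL).
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# ASSUMPTION: placeholder path. Replace with the endpoint named in HP's advisory.
ADDRESS_BOOK_PATH = "/PLACEHOLDER/address-book"
TIMEOUT_SECONDS = 5

# Loose e-mail matcher used only to decide whether a body looks like contact data.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class Probe:
    """Result of one unauthenticated HTTP request. status 0 = no connection."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def looks_like_contacts(body: bytes) -> bool:
    """Heuristic: a response that carries e-mail addresses is address-book data."""
    return EMAIL_RE.search(body) is not None


def classify(probe: Probe) -> str:
    """Map a probe result to a mitigation verdict."""
    if probe.status == 0:
        return "unreachable"          # ACL / segmentation blocks this vantage point
    if probe.status in (401, 403):
        return "requires-auth"        # unauthenticated query is refused
    if probe.status == 200 and looks_like_contacts(probe.body):
        return "exposed"              # address book still served without credentials
    return "inconclusive"             # 404, redirect to login page, empty body, etc.


def http_probe(host: str) -> Probe:
    """Fetch the address-book path with no credentials attached."""
    url = f"http://{host}{ADDRESS_BOOK_PATH}"
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2025-43018-check"})
    try:
        with urllib.request.urlopen(req, timeout=TIMEOUT_SECONDS) as resp:
            return Probe(resp.status, dict(resp.headers), resp.read(64 * 1024))
    except urllib.error.HTTPError as err:          # 401/403/404 arrive here
        return Probe(err.code, dict(err.headers), err.read(64 * 1024))
    except (urllib.error.URLError, OSError):       # refused, timed out, no route
        return Probe(0)


def check_fleet(hosts: List[str], probe_fn: Callable[[str], Probe] = http_probe) -> Dict[str, str]:
    """Return a verdict per host. probe_fn is injectable so the logic can be tested offline."""
    return {host: classify(probe_fn(host)) for host in hosts}


if __name__ == "__main__":
    import sys
    # Usage: python check_printers.py 10.0.0.5 10.0.0.6 ...
    for host, verdict in check_fleet(sys.argv[1:]).items():
        print(f"{host}: {verdict}")
```

Treat "inconclusive" as a prompt to confirm the endpoint path for that model rather than as a pass; the point of the check is that nothing in the fleet ever comes back "exposed".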

Credit to Researcher(s)

Credit to HP Product Security Response Team for discovering and reporting this vulnerability.

Tags

#CVE-2025-43018 #HPLaserJetPro #InformationDisclosure #PrinterSecurity #Vulnerability

Summary: CVE-2025-43018 describes an information disclosure vulnerability in HP LaserJet Pro printers. An unauthenticated user can query the printer's local address book, potentially exposing sensitive contact information. Apply patches and implement network segmentation to mitigate this risk.

Risk Analysis: Successful exploitation could lead to the disclosure of sensitive contact information, which could be used for phishing attacks or other malicious purposes. The impact is limited to confidentiality.

Recommendation: Apply the latest firmware updates from HP and implement network segmentation to protect vulnerable printers.
