Server-Side Request Forgery (SSRF) (CVE-2025-9269)

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the embedded web server in various Lexmark devices.

Missing Authorization in Lexmark Cloud Services badge management (CVE-2025-4046)

A missing authorization vulnerability exists in the Lexmark Cloud Services badge management.

Information exposure vulnerability in the Lexmark Print Management Client (CVE-2025-4045)

An Exposure of Private Personal Information to an Unauthorized Actor vulnerability has been identified in the Lexmark Print Management Client.

XML External Entity Injection vulnerability (CVE-2025-4044)

An XML External Entity (XXE) injection vulnerability exists in various Lexmark printer driver packages.

Lexmark Security Advisory: Babuk2 Incident Notice March 11, 2025

On March 11, 2025, the Babuk2 threat actor group claimed to have executed a ransomware attack against Lexmark on its dark web leak site. Lexmark’s cybersecurity team promptly initiated an investigation into this claim.

As of March 14, 2025, we have found no evidence to support the presence of ransomware in our environment.

Embedded Web Server Path Traversal and Concurrent Execution vulnerabilities (CVE-2025-1127)

A combination Path Traversal and Concurrent Execution vulnerability exists within the embedded web server in various Lexmark devices.

Postscript integer overflow vulnerability (CVE-2024-11347)

An integer overflow vulnerability has been identified in the Postscript interpreter in various Lexmark devices.

Postscript type confusion vulnerability (CVE-2024-11346)

A type confusion vulnerability has been identified in the Postscript interpreter in various Lexmark devices.

Postscript heap-based memory vulnerability (CVE-2024-11345)

A heap-based memory vulnerability has been identified in the Postscript interpreter in various Lexmark devices.

Postscript type confusion vulnerability (CVE-2024-11344)

A type confusion vulnerability has been identified in the Postscript interpreter in various Lexmark devices.

Reliance on Untrusted Inputs vulnerability in the Lexmark Print Management Client (CVE-2025-1126)

A Reliance on Untrusted Inputs in a Security Decision vulnerability has been identified in the Lexmark Print Management Client.

A Server-Side Request Forgery (SSRF) vulnerability exists in newer Lexmark devices (CVE-2023-50733)
A Server-Side Request Forgery (SSRF) vulnerability exists in newer Lexmark devices.

Buffer Overflow Vulnerability (CVE-2023-50739)
A buffer overflow vulnerability has been identified in the Internet Printing Protocol (IPP) in various Lexmark devices.

Firmware Downgrade Prevention Vulnerability (CVE-2023-50738)
A firmware downgrade prevention vulnerability has been identified in newer Lexmark devices.

Postscript Buffer Overflow (CVE-2023-50734)
A vulnerability has been identified in the Postscript interpreter in various Lexmark devices.

Postscript Heap Corruption (CVE-2023-50735)
A vulnerability has been identified in the Postscript interpreter in various Lexmark devices.

Postscript Memory Corruption (CVE-2023-50736)
A vulnerability has been identified in the Postscript interpreter in various Lexmark devices.

Input Validation Vulnerability (CVE-2023-50737)
An input validation vulnerability in the SE Menu has been identified in Lexmark devices.

XML external entity vulnerability (CVE-2023-40239)
An XML external entity (XXE) vulnerability exists in older Lexmark devices.

Postscript Buffer Overflow (type confusion) (CVE-2023-26063)
A vulnerability has been identified in the Postscript interpreter in various Lexmark devices.

Postscript Buffer Overflow (out of bounds write) (CVE-2023-26064)
A vulnerability has been identified in the Postscript interpreter in various Lexmark devices.

Postscript Buffer Overflow (integer overflow) (CVE-2023-26065)
A vulnerability has been identified in the Postscript interpreter in various Lexmark devices.

Postscript Buffer Overflow (improper stack validation) (CVE-2023-26066)
A vulnerability has been identified in the Postscript interpreter in various Lexmark devices.

Input validation vulnerability (CVE-2023-26067)
An input validation vulnerability allows an attacker who has already compromised an affected Lexmark device to escalate privileges.

Embedded Web Server input sanitization vulnerability (CVE-2023-26068)
The embedded web server fails to properly sanitize input data, which can lead to remote code execution.

Web API input validation vulnerability (CVE-2023-26069)
A web API input validation vulnerability exists in newer Lexmark devices.

SNMP input validation vulnerability (CVE-2023-26070)
An input validation vulnerability exists in SNMP in various Lexmark devices.

Account Lockout bypass (CVE-2023-22960)
This vulnerability allows an attacker to bypass protections on the device that protect local accounts against brute-force guessing attacks.

Server Side Request Forgery (CVE-2023-23560)
A Server-Side Request Forgery (SSRF) vulnerability exists in newer Lexmark devices.

jQuery vulnerability (CVE-2019-11358)
jQuery contains a vulnerability that can lead to a denial of service, remote code execution, or property injection.

Compromised device remains vulnerable after firmware update (CVE-2022-29850)
An attacker who has already compromised an affected Lexmark device can maintain persistence across reboots.

SpringShell (and/or Spring4Shell) vulnerabilities (CVE-2022-22965, CVE-2022-22963)
Lexmark hardware and software products are not impacted by the SpringShell vulnerability.

Initial setup menus apply insufficient permissions (CVE-2022-24935)
The initial admin account setup wizard on Lexmark devices allows unauthenticated access to the “Firmware Updates” feature.

Postscript Buffer overflow (CVE-2021-44738)
A vulnerability has been identified in the Postscript interpreter in various Lexmark devices.

PJL directory traversal vulnerability (CVE-2021-44737)
Various Lexmark devices have a directory traversal vulnerability that can be leveraged to overwrite internal configuration files.

Initial setup menus apply insufficient permissions (CVE-2021-44736)
The initial admin account setup wizard on Lexmark devices allows unauthenticated access to the “out of service erase” feature.

Embedded web server command injection vulnerability (CVE-2021-44735)
The embedded web server in various Lexmark devices contains a command injection vulnerability.

Embedded web server input sanitization vulnerability (CVE-2021-44734)
The embedded web server in Lexmark devices fails to properly sanitize input data, which can lead to remote code execution on the device.

Apache Log4j Vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105)
This document lists Lexmark products that may be impacted by the Log4j vulnerability. Any product not listed is still under review for impact.

Lexmark Security Advisory: Local Escalation of Privilege in the Lexmark Universal Print Driver (CVE-2021-35449)
The Lexmark Universal Print Driver contains a local escalation of privilege vulnerability.

Lexmark Security Advisory: Unquoted Service Path in Lexmark Printer Software G2, G3 and G4 Installation Packages (CVE-2021-35469)
The Lexmark Printer Software G2, G3 and G4 Installation Packages have a local escalation of privilege vulnerability due to a registry entry that has an unquoted service path.

Lexmark Security Advisory: Security jumper race condition in the MX6500 (CVE-2020-35546)
The access control settings on an MX6500 may reset during a power on or reboot.

Lexmark Security Advisory: Wifi Chip Driver Vulnerability (CVE-2019-14816)
A vulnerability was found in the WiFi chip driver used in Lexmark devices.

Lexmark Security Advisory: Cross Site Request Forgery Vulnerability (CVE-2020-13481)
A stored cross site scripting vulnerability has been identified in Lexmark devices.

Lexmark Security Advisory: Cross Site Request Forgery Vulnerability (CVE-2020-10095)
Lexmark devices' embedded web server contains a cross site request forgery vulnerability that allows device configuration to be altered without authorization.

Lexmark Security Advisory: TLS Protocol Vulnerability (CVE-2019-1559)
A TLS padding oracle vulnerability exists in Lexmark devices.

Lexmark Security Advisory: Stored Cross Site Scripting Vulnerabilities (CVE-2020-10093, CVE-2020-10094)
Two stored cross site scripting vulnerabilities have been identified on older Lexmark devices.