Skip to main content

HP Deskjet 2800 EUVDEUVD-2026-41895

| CVE-2026-13753 HIGH
2026-07-06 certcc GHSA-mmv4-jxh6-w9r5
7.5
CVSS 3.1 · Vendor: certcc
Share

Severity by source

Vendor (certcc) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network GET (AV:N/AC:L/PR:N/UI:N) leaks Wi‑Fi credentials and device identity giving C:H; no write or availability impact makes I:N/A:N with unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (certcc).

CVSS VectorVendor: certcc

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jul 06, 2026 - 20:52 vuln.today
CVSS changed
Jul 06, 2026 - 20:22 NVD
7.5 (HIGH)
CVE Published
Jul 06, 2026 - 18:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

A missing authorization vulnerability exists in the embedded webserver of HP Deskjet 2800 Series Printers running firmware version <=TBP1CN2612AR. An unauthenticated attacker with network access can send GET requests to multiple exposed administrative API endpoints and retrieve sensitive configuration data such as plaintext Wi‑Fi Direct credentials, unique device identity information, and other administrative security state details. When accessed through the web interface, these setting pages explicitly require administrator credentials before sensitive information is displayed.

AnalysisAI

Information disclosure in HP Deskjet 2800 Series printers running firmware TBP1CN2612AR or earlier lets an unauthenticated attacker on the network read sensitive configuration - including plaintext Wi‑Fi Direct credentials, device identity, and administrative security state - by sending plain GET requests to administrative API endpoints. The same data is gated behind administrator login in the web UI, so these API endpoints bypass the product's own access-control model. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Join printer LAN or Wi‑Fi Direct network
Delivery
Send unauthenticated GET to admin API endpoint
Exploit
Server returns config without authorization check
Execution
Harvest plaintext Wi‑Fi Direct credentials and identity
Impact
Reuse credentials to pivot on network

Vulnerability AssessmentAI

Exploitation Exploitation requires only network reachability to the HP Deskjet 2800's embedded webserver and the ability to issue plain HTTP GET requests to its administrative API endpoints - no credentials, no user interaction, and default configuration are sufficient (AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5, High) is internally consistent with the description: a fully unauthenticated, low-complexity, network-reachable read of confidential data with no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who joins the same LAN or the printer's Wi‑Fi Direct network - for example a guest on an office or home Wi‑Fi - sends unauthenticated GET requests to the printer's administrative API endpoints and receives its Wi‑Fi Direct passphrase and device identity in plaintext. With those credentials the attacker connects to the device and pivots toward further network reconnaissance. …
Remediation No vendor-released patch version is identified in the available data; the input specifies only the vulnerable ceiling (TBP1CN2612AR and earlier) with no fixed build, so consult the CERT/CC note at https://kb.cert.org/vuls/id/828543 and HP support for a firmware update and apply it once released. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all HP Deskjet 2800 Series printers on your network and confirm firmware versions; segregate affected units to a dedicated management VLAN with restricted access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41895 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy