38
CVEs
4
Critical
15
High
0
KEV
5
PoC
17
Unpatched C/H
21.1%
Patch Rate
1.9%
Avg EPSS
Severity Breakdown
CRITICAL
4
HIGH
15
MEDIUM
19
LOW
0
Monthly CVE Trend
Affected Products (30)
Linux Kernel
8
PHP
4
Virtual Appliance Host
4
Virtual Appliance Application
4
Autopass License Server
3
Command Injection
3
Debian Linux
3
7Kw75A Firmware
2
4Ra85F Firmware
2
7Kw63A Firmware
2
7Kw50A Firmware
2
4Ra89A Firmware
2
Stack Overflow
2
4Ra85A Firmware
2
499M8A Firmware
2
W1Y43A Firmware
2
5Hh73A Firmware
2
Futuresmart 3
2
W1A66A Firmware
2
W1A56A Firmware
2
7Kw76A Firmware
2
4Ra82E Firmware
2
W1Y45A Firmware
2
4Ra87F Firmware
2
W1A47A Firmware
2
499M7A Firmware
2
759V0E Firmware
2
499Q5F Firmware
2
759V1F Firmware
2
4Ra86F Firmware
2
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2024-51978 | Certain devices expose serial numbers via HTTP/HTTPS/IPP and SNMP that can be used to generate the default administrator password. An unauthenticated attacker who discovers the serial number can calculate the admin password and gain full administrative control of the device without brute force. | CRITICAL | 9.8 | 48.3% | 117 |
PoC
No patch
|
| CVE-2025-26506 | Certain HP LaserJet Pro, HP LaserJet Enterprise, and HP LaserJet Managed Printers may potentially be vulnerable to Remote Code Execution and Elevation of Privilege when processing a PostScript print. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required. No vendor patch available. | CRITICAL | 9.2 | 6.1% | 52 |
No patch
|
| CVE-2025-26508 | Certain HP LaserJet Pro, HP LaserJet Enterprise, and HP LaserJet Managed Printers may potentially be vulnerable to Remote Code Execution and Elevation of Privilege when processing a PostScript print. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available. | HIGH | 8.3 | 6.1% | 48 |
No patch
|
| CVE-2025-1268 | An out-of-bounds write vulnerability exists in the EMF Recode processing functionality of multiple Canon printer drivers, allowing remote attackers to execute arbitrary code or crash the system without authentication. The vulnerability affects a wide range of Canon's Generic Plus and standard printer drivers (PCL6, UFR II, LIPS4, LIPSLX, PS, FAX, CARPS2, and PDF drivers) and has a critical CVSS score of 9.4. With an EPSS score of 0.44% (63rd percentile), the vulnerability shows moderate real-world exploitation likelihood, though no active exploitation or public proof-of-concept has been reported. | CRITICAL | 9.4 | 0.4% | 47 |
No patch
|
| CVE-2025-1003 | A potential vulnerability has been identified in HP Anyware Agent for Linux which might allow for authentication bypass which may result in escalation of privilege. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available. | HIGH | 8.5 | 0.0% | 43 |
No patch
|
| CVE-2024-51768 | CVE-2024-51768 is a remote code execution vulnerability in HPE AutoPass License Server (APLS) versions prior to 9.17, stemming from unsafe deserialization in the embedded HSQLDB database library. An authenticated attacker with local network access can execute arbitrary code with the privileges of the APLS service, potentially leading to complete system compromise. The vulnerability has a CVSS score of 8.0 and represents a significant risk to organizations using affected APLS versions, particularly given the authentication requirement is modest (PR:L) and the attack complexity is low. | HIGH | 8.0 | 0.4% | 40 |
No patch
|
| CVE-2025-43026 | Local privilege escalation vulnerability in HP Support Assistant versions before 9.44.18.0 that allows a local attacker with limited user privileges to write arbitrary files and escalate to higher privilege levels without user interaction. The vulnerability carries a CVSS score of 7.8 (high severity) and exploits improper file permission handling in the support application; while KEV status and active exploitation data are not provided in the source material, the low attack complexity and local attack vector suggest this is a realistic threat for systems running vulnerable versions. | HIGH | 7.8 | 0.0% | 39 |
No patch
|
| CVE-2024-51982 | CVE-2024-51982 is a denial-of-service vulnerability affecting network-connected printers and multifunction devices that expose the Printer Job Language (PJL) interface on TCP port 9100. An unauthenticated remote attacker can send a malformed PJL command with an invalid FORMLINES variable to crash the device repeatedly, causing service disruption without authentication or user interaction. The CVSS 7.5 score reflects the high availability impact, and while specific KEV/POC data was not provided in the source material, the straightforward nature of the exploit (malformed input causing crash) suggests practical exploitability. | HIGH | 7.5 | 0.6% | 38 |
No patch
|
| CVE-2025-26507 | Certain HP LaserJet Pro, HP LaserJet Enterprise, and HP LaserJet Managed Printers may potentially be vulnerable to Remote Code Execution and Elevation of Privilege when processing a PostScript print. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available. | MEDIUM | 6.3 | 6.1% | 38 |
No patch
|
| CVE-2024-51769 | CVE-2024-51769 is an information disclosure vulnerability in HPE AutoPass License Server (APLS) versions prior to 9.17 that allows unauthenticated network attackers to access sensitive information without requiring user interaction. The vulnerability has a CVSS 3.1 score of 7.5 with a high confidentiality impact (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor), making it a significant risk for organizations relying on APLS for license management across their HPE infrastructure. | HIGH | 7.5 | 0.1% | 38 |
No patch
|
| CVE-2024-51770 | CVE-2024-51770 is an information disclosure vulnerability in HPE AutoPass License Server (APLS) versions prior to 9.17 that allows unauthenticated remote attackers to access sensitive information over the network. The vulnerability has a CVSS score of 7.5 with high confidentiality impact, enabling attackers to extract confidential data without requiring authentication, special privileges, or user interaction. The network-accessible nature of this information disclosure makes it a significant risk for organizations running vulnerable APLS versions. | HIGH | 7.5 | 0.1% | 38 |
No patch
|
| CVE-2025-37165 | router mode configuration of HPE Instant On Access Points exposed certain network configuration details to unintended interfaces. A malicious actor is affected by information exposure (CVSS 7.5). | HIGH | 7.5 | 0.0% | 38 |
No patch
|
| CVE-2024-5477 | A potential security vulnerability has been identified in the System BIOS for some HP PC products which may allow escalation of privilege, arbitrary code execution, denial of service, or information. Rated high severity (CVSS 7.3), this vulnerability is no authentication required. No vendor patch available. | HIGH | 7.3 | 0.0% | 37 |
No patch
|
| CVE-2025-37091 | Command injection remote code execution vulnerability in HPE StoreOnce Software that allows authenticated attackers with high privileges to execute arbitrary commands on affected systems. The vulnerability has a CVSS score of 7.2 (high severity) and requires authenticated access but no user interaction. Given the command injection nature (CWE-77) and network attack vector, this poses significant risk to organizations running vulnerable HPE StoreOnce deployments, particularly if KEV status or active exploitation is confirmed. | HIGH | 7.2 | 0.4% | 36 |
No patch
|
| CVE-2025-71101 | In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing The hp_populate_*_elements_from_package() functions in the hp-bioscfg driver contain out-of-bounds array access vulnerabilities. | HIGH | 7.1 | 0.0% | 36 |
|