
HP DeskJet 2800 series printers are affected by a newly disclosed vulnerability that allows anyone on the same network to access sensitive configuration data without authentication.
The flaw, tracked as CVE-2026-13753, affects devices running firmware version TBP1CN2612AR or earlier, and no security update is currently available.
The vulnerability was disclosed by the CERT Coordination Center (CERT/CC) on July 6, 2026. It was discovered and reported by security researcher Nguyễn Tiến Dũng. According to CERT/CC, the issue stems from missing authorization checks in the printer's embedded web server, allowing unauthenticated requests to backend API endpoints that should be restricted to administrators.
The affected products are HP's DeskJet 2800 series consumer inkjet printers, which include a built-in web management interface for configuring wireless networking, Wi-Fi Direct, SNMP, and other administrative settings. While the browser interface correctly prompts for administrator credentials, the underlying API fails to enforce those same authorization checks.
An attacker with network access to a vulnerable printer can retrieve a range of sensitive information, including the printer's:
- Wi-Fi Direct SSID and plaintext password
- SNMP configuration
- Serial numbers
- Service identifiers
- Cloud registration metadata
- Information about the device's administrative security settings
According to CERT/CC, this information could be used to gain unauthorized wireless access, gather intelligence about the local network, impersonate the device, or support further attacks against the printing environment.
CERT/CC said it was unable to coordinate the disclosure with HP, meaning a firmware fix is not yet available.
Until HP releases an update, users should reduce their exposure by limiting access to the printer's web management interface. CERT/CC recommends placing the printer on a trusted or isolated network, disabling Wi-Fi Direct if it is not needed, restricting or disabling SNMP access, and using firewall or access control rules to prevent untrusted devices from reaching the printer's management ports. Unused discovery and cloud service features should also be disabled where possible.







Leave a Reply