CVE-2022-24935
Lexmark MC3224i Firmware Downgrade Remote Code Execution Vulnerability
Severity Score
7.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Lexmark products through 2022-02-10 have Incorrect Access Control.
Los productos de Lexmark versiones hasta 10-02-2022, presentan un Control de Acceso Incorrecto
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Lexmark MC3224i printers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware upgrade feature. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root.
*Credits:
Christopher Anastasio @mufinnnnnnn and Justin Taft @JustTaft
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-02-10 CVE Reserved
- 2022-04-28 CVE Published
- 2024-03-27 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-306: Missing Authentication for Critical Function
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://lexmark.com | 2023-08-08 | |
| https://publications.lexmark.com/publications/security-alerts/CVE-2022-24935.pdf | 2023-08-08 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Lexmark Search vendor "Lexmark" | Lexmark Firmware Search vendor "Lexmark" for product "Lexmark Firmware" | <= 2022-02-10 Search vendor "Lexmark" for product "Lexmark Firmware" and version " <= 2022-02-10" | - |
Affected
| in | Lexmark Search vendor "Lexmark" | Lexmark Search vendor "Lexmark" for product "Lexmark" | - | - |
Safe
|