Lexmark fixes multiple flaws in printer software and firmware, at least two critical
Take action: If you are using Lexmark printers or the Lexmark Print Management Client, make sure they are not exposed to the internet, then review the advisories, at least for the critical flaws. Make sure you password-protect the embedded web server of the printers, and then patch quickly.
Lexmark is reporting multiple critical and high-severity security vulnerabilities affecting their printer software, firmware, and embedded web server components. These vulnerabilities impact various printer models and the Lexmark Print Management Client (LPMC) software across Windows, macOS, and Linux platforms.
- CVE-2025-1126 (CVSS score 9.3) - A critical vulnerability in the Lexmark Print Management Client that allows attackers to bypass protection mechanisms and execute code with SYSTEM/root privileges or delete folders requiring elevated permissions
- CVE-2024-11348 (CVSS score 9.1) - A critical path traversal and concurrent execution vulnerability in the embedded web server that enables remote code execution
- CVE-2024-11347 (CVSS score 7.3) - Integer overflow vulnerability
- CVE-2024-11346 (CVSS score 7.3) - Type confusion vulnerability
- CVE-2024-11345 (CVSS score 7.3) - Heap-based memory vulnerability
- CVE-2024-11344 (CVSS score 7.3) - Type confusion vulnerability
Affected products include Lexmark Print Management Client (LPMC) versions 3.0.0 to 3.4.0 and various printer models (the specific model list is available in Lexmark's security notices).
Lexmark advises users to update LPMC to version 3.5.0 or newer. For printer firmware, apply the latest firmware updates available for affected models. For the embedded web server vulnerability, set a password to prevent unauthorized access as an additional security measure.