Skip to main content

CISA issues update on HP Deskjet 2800 authorization bypass

HP Printers in the Deskjet 2800 Series running firmware version TBP1CN2612AR contain a missing authorization flaw. The issue permits unauthenticated access to the printer’s webserver API endpoints and enables remote access to sensitive configuration and security-related data normally restricted to administrative users.

The vulnerability is tracked as CVE-2026-13753. In affected firmware versions, authorization can be bypassed by sending direct, unauthenticated GET requests to multiple backend API endpoints. The endpoints return administrative configuration data without validating session state or authentication, including the Wi-Fi Direct SSID and plaintext passphrase, unique printer serial numbers and service IDs, and details about the device’s administrative password state. Although the corresponding web interface pages correctly enforce authentication, the disclosed data indicates an authorization flaw in the API layer. The issue exposes Wi-Fi credentials, management configuration details, and sensitive security data through the affected webserver API endpoints.

A remote attacker with network access to the printer can bypass the web interface’s authentication requirements and retrieve sensitive configuration data directly from backend APIs. Exposed information includes Wi-Fi Direct credentials, SNMP configuration details, device identity information, cloud service registration metadata, and other information involving the device’s administrative security state. The attacker could gain unauthorized wireless access, perform reconnaissance on network or cloud integrations, impersonate the device, or facilitate further compromise of the printing environment.

No firmware patch is available because HP was not reachable to coordinate the vulnerability. To limit risk, users are instructed to restrict network access to the printer’s web interface by placing the device on a trusted or isolated network segment, disable Wi‑Fi Direct if it is not required, and limit SNMP access to trusted systems or disable it entirely. The guidance also states that firewall or access-control list (ACL) rules should prevent untrusted hosts from reaching the printer’s management ports, and that discovery or cloud service features not needed should be disabled.

Thanks to Nguyễn Tiến Dũng for researching and reporting this vulnerability. The document was written by Molly Jaconski. CISA lists CVE-2026-13753, with a date public of 2026-07-06 and a date last updated of 2026-07-06 18:01 UTC, and specifies document revision 2.