CERT/CC disclosed a missing authorization flaw, CVE-2026-13753, in HP DeskJet 2800 Series printers running firmware TBP1CN2612AR or earlier on July 6, 2026. HP Inc. (formerly Hewlett-Packard) has not shipped a fix.
Quick Summary – TLDR:
- CERT/CC disclosed CVE-2026-13753, a missing authorization vulnerability in HP DeskJet 2800 Series printers on July 6, 2026.
- The flaw lets unauthenticated attackers send direct GET requests to the printer’s backend API endpoints and pull data reserved for administrators.
- Exposed data includes the Wi-Fi Direct SSID and plaintext passphrase, SNMP configuration, serial numbers, service identifiers, and cloud registration metadata.
- CERT/CC said it was unable to reach HP to coordinate the disclosure, so no firmware patch is available.
- The flaw was discovered and reported by researcher Nguyễn Tiến Dũng, credited in the CERT/CC note written by analyst Molly Jaconski.
What Happened?
The vulnerability sits in the printer’s web-based management interface, which normally requires administrator credentials before showing Wi-Fi Direct settings, SNMP configuration, or device security options. According to the CERT/CC Vulnerability Note VU#828543, that authorization check only exists in the browser layer, a distinct failure mode from the router and IoT gaps.
The backend API endpoints that serve that same data do not validate session state or authentication at all, a pattern that fits the broader rise in API Security Breach. This information is freely disclosed even though the corresponding web interface pages correctly enforce authentication, indicating an authorization flaw in the API layer. Anyone who can reach the printer’s IP address on the network, no login required, can query those endpoints directly and pull the same administrative data a logged-in admin would see.
The exposure is not cosmetic. A remote attacker with network access can gain unauthorized wireless access, perform reconnaissance on network or cloud integrations, impersonate the device, or facilitate further compromise of the printing environment. A leaked Wi-Fi Direct passphrase hands an attacker a working credential for a wireless segment.
The serial numbers and cloud registration metadata build a device fingerprint useful for impersonation or follow-on attacks elsewhere on the network.
Printers rarely sit behind the same monitoring as laptops or servers. An endpoint-detection tool watches processes and logins; it does not watch a budget inkjet printer quietly answering unauthenticated API calls. That makes an exposed device a low-friction reconnaissance point rather than the final target, and the credential leak is valuable precisely because almost nobody is checking that traffic.
HP DeskJet 2800 printer zero-day flaw leaks Wi-Fi credentials#HP #printer #DataLeakhttps://t.co/nDrceCwnpc
— CyberInsider (@CyberInsidercom) July 7, 2026
Uncoordinated Disclosure, No Patch Timeline
Most vendor vulnerabilities reach the public alongside a fix. This one did not. CERT/CC states it was unable to reach HP to coordinate the vulnerability, so a firmware patch is not yet available.
That leaves affected owners with mitigation, not remediation, for an unknown window. CERT/CC’s recommended mitigations are placing the printer on a trusted or isolated network segment, disabling Wi-Fi Direct if not required, restricting or disabling SNMP access, and using firewall or access-control list (ACL) rules to block untrusted hosts from the printer’s management ports.
Those mitigations are sound advice for an enterprise network with a security team to implement them. This printer line is a budget consumer and home-office product, sold into exactly the households and small offices least likely to run VLAN segmentation or firewall ACLs on their home router.
For most owners, the realistic version of CERT/CC’s guidance narrows to two steps: turn off Wi-Fi Direct if it is not in daily use, and keep the printer off any network shared with untrusted devices, including a guest network or a public hotspot.
A Recurring Bug Class
The printer’s browser interface correctly enforces the administrator login while the backend API serving the same data does not check authentication at all, a gap between what the visible UI enforces and what the underlying service allows, commonly called broken function-level authorization. The same pattern recurs across routers, NAS boxes, and other IoT devices pairing a browser admin panel with a thin API.
What’s Next?
CERT/CC’s note carries no patch timeline alongside its confirmation that no firmware patch is available. CERT/CC also recommends disabling discovery or cloud service features that are not needed, which shrinks the printer’s exposed surface beyond the network-segmentation steps above. Affected owners should check the printer’s update function or HP’s support site periodically for a firmware release addressing the flaw and treat the mitigations above as a stopgap until HP ships firmware, not a permanent fix.
SQ Magazine’s Takeaway
An unpatched vulnerability from a major printer vendor is unusual on its own, especially a one that shipped without any vendor coordination at all is rarer still. CERT/CC’s language, that it was unable to reach HP, points to a breakdown in the standard responsible disclosure handoff rather than a disputed technical finding, and it leaves defenders with mitigation as the only lever until HP responds. That is a materially worse position than a disclosed-with-patch CVE, where the fix date sets an end to the exposure window. But here, the window stays open indefinitely.
The sharper problem is who owns this device class. Enterprise teams can act on network segmentation and ACL guidance within an afternoon; this printer line mostly lives in homes and small offices that have neither.
That gap means the device most exposed to the bug is also the one least likely to get fixed by policy. Disabling Wi-Fi Direct and keeping the printer off shared networks is not a permanent fix, but for most owners it is the only option available.