CVE-2018-17944

MEDIUM

Lexmark CX725h/CX820/CX825/CX860/XC4150/XC6152/XC8155/XC8160 Firmware - Unauthenticated LDAP/SMTP Credential Exposure

Title source: llm

Description

On certain Lexmark devices that communicate with an LDAP or SMTP server, a malicious administrator can discover LDAP or SMTP credentials by changing that server's hostname to one that they control, and then capturing the credentials that are sent there. This occurs because stored credentials are not automatically deleted upon that type of hostname change.

References (1)

Core References
Vendor Advisory (x_refsource_confirm): http://support.lexmark.com/index?page=content&id=TE909

Scores

CVSS v3 4.9
EPSS 0.0089
EPSS Percentile 54.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (8)
lexmark/cx725h_firmware
lexmark/cx820_firmware
lexmark/cx825_firmware
lexmark/cx860_firmware
lexmark/xc4150_firmware
lexmark/xc6152_firmware
lexmark/xc8155_firmware
lexmark/xc8160_firmware
Published Mar 12, 2019
Tracked Since Feb 18, 2026