CVE-2023-26067

Severity: HIGH · Exploited in the wild · Nuclei template available

Lexmark < 2023-02-19 - Info Disclosure

Title source: llm

Exploitation Summary

CVE-2023-26067 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including horizon3ai, James Horseman, Zach Hanley and jheysel-r7, among them the Metasploit module exploits/linux/http/lexmark_faxtrace_settings. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2023-26067, targeting a command injection vulnerability in the fax_change_faxtrace_settings CGI endpoint. The exploit includes blind command execution, credential dumping, and a custom HTTP server for exfiltration.

Description

Certain Lexmark devices through 2023-02-19 mishandle Input Validation (issue 1 of 4).

Exploits (2)

nomisec · WORKING POC · 28 stars
by horizon3ai · remote
https://github.com/horizon3ai/CVE-2023-26067

This repository contains a functional exploit for CVE-2023-26067, targeting a command injection vulnerability in the fax_change_faxtrace_settings CGI endpoint. The exploit includes blind command execution, credential dumping, and a custom HTTP server for exfiltration.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Unknown (likely a fax-related web application)
No auth needed
Prerequisites: Network access to the target web application · Python environment with required libraries
devstral-2 · analyzed Feb 18, 2026
metasploit · WORKING POC · EXCELLENT
by James Horseman, Zach Hanley, jheysel-r7 · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/lexmark_faxtrace_settings.rb

This Metasploit module exploits an unauthenticated command injection vulnerability in Lexmark embedded web servers via the `/cgi-bin/fax_change_faxtrace_settings` endpoint, allowing arbitrary command execution through unsanitized input in the `FT_Custom_lbtrace` parameter.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Lexmark embedded web server (devices configured without an admin user)
No auth needed
Prerequisites: Target device must have been set up with 'Set up Later' for admin user creation · Network access to the target device
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Lexmark Printers - Command Injection
HIGH · VERIFIED · by DhiyaneshDK
Shodan: Server: Lexmark_Web_Server || server: lexmark_web_server

Scores

CVSS v3 8.1
EPSS 0.3784
EPSS Percentile 98.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

VulnCheck KEV 2023-12-04
CWE
CWE-20
Status published
Products (26)
lexmark/cslbl_firmware < cslbl.081.232
lexmark/cslbn_firmware < cslbn.081.232
lexmark/csnzj_firmware < csnzj.081.232
lexmark/cstat_firmware < cstat.081.233
lexmark/cstmh_firmware < cstmh.081.233
lexmark/cstpc_firmware < cstpc.081.232
lexmark/cxlbl_firmware < cxlbl.081.232
lexmark/cxlbn_firmware < cxlbn.081.232
lexmark/cxnzj_firmware < cxnzj.081.232
lexmark/cxtat_firmware < cxtat.081.233
... and 16 more
Published Apr 10, 2023
Tracked Since Feb 18, 2026