CVE-2023-40239

high-risk

Published 2023-09-01

Certain Lexmark devices (such as CS310) before 2023-08-25 allow XXE attacks, leading to information disclosure. The fixed firmware version is LW80.*.P246, i.e., '*' indicates that the full version specification varies across product model family, but firmware level P246 (or higher) is required to remediate the vulnerability.

Do I need to act?

0.27% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (20)

C2132 Firmware

Cs310 Firmware

Cs317 Firmware

Cs410 Firmware

Cs417 Firmware

Cs510 Firmware

Cs517 Firmware

Cx310 Firmware

Cx317 Firmware

Cx410 Firmware

Cx417 Firmware

Cx510 Firmware

Cx517 Firmware

M1140\+ Firmware

M1140 Firmware

M1145 Firmware

M3150De Firmware

M3150Dn Firmware

M5155 Firmware

M5163De Firmware

Affected Vendors

Lexmark

References (2)

Vendor Advisory https://publications.lexmark.com/publications/security-alerts/CVE-2023-40239.pdf

/ 100

high-risk

Severity 26/34 · High

Exploitability 1/34 · Minimal

Exposure 29/34 · Critical