cbcvebase.
CVE-2007-5208
published 2007-10-13

CVE-2007-5208: hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1.x and 2.x before 2.7.10 allows context-dependent attackers to execute arbitrary commands…

PriorityP264high7.6CVSS 2.0
AVNACHAuNCCICAC
EXPLOIT
EPSS
67.26%
99.2th percentile
hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1.x and 2.x before 2.7.10 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a from address, which is not properly handled when invoking sendmail.

Affected

3 ranges
VendorProductVersion rangeFixed in
debianhplip< hplip 1.6.10-4.3 (bookworm)hplip 1.6.10-4.3 (bookworm)
hplinux_imaging_and_printing_project<= 2.7.10
hplinux_imaging_and_printing_project

Detection & IOCsextracted from sources · hover to see the quote

commandemail-from-address=x;${cmd};
filenamehpssd.py
processhpssd
  • Monitor network traffic to port 2207 (hpssd default config port) for messages containing 'msg=setalerts' with shell metacharacters (e.g., semicolons) in the 'email-from-address' field.
  • Detect exploitation attempt by inspecting hpssd protocol messages for 'msg=testemail' immediately following a 'setalerts' message with a suspicious 'email-from-address' value containing shell metacharacters.
  • Alert on hpssd/hpssd.py spawning unexpected child processes (e.g., shells or network tools), as the daemon runs with root privileges and the injected command executes in that context.
  • The exploit requires 'sendmail' to be present on the target; correlate hpssd process activity with unexpected sendmail invocations containing shell metacharacters in the from-address argument.
  • ·The hpssd daemon is configured to listen on port 2207 but actually binds to a dynamic/ephemeral port at runtime, making static port-based detection unreliable.
  • ·The daemon is localhost-only by default, so exploitation is limited to local or already-compromised network access; external network detections will not apply.

CVSS provenance

nvdv2.07.6HIGHAV:N/AC:H/Au:N/C:C/I:C/A:C
osv7.6HIGH
vendor_debian7.6MEDIUM
vendor_redhat7.6HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.