CVE-2021-44736
Published 2022-01-20
CVE-2021-44736: The initial admin account setup wizard on Lexmark devices allows unauthenticated access to the "out of service erase" feature.
Priority P2 · 62 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 2.43% (82.2th percentile)
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated HTTP requests to /cgi-bin/sniffcapture_post on Lexmark devices, particularly those containing shell metacharacters in the -F (filter) parameter, which is passed unsanitized to eval.
- The shell command injection vulnerability (CVE-2021-44735) is exploitable only after CVE-2021-44736 resets authentication; detect the "out of service erase" / initial setup wizard being triggered from an unauthenticated session as a precursor indicator.
- The web process runs as uid=985 (httpd); privilege escalation to root is achieved via the SUID binary collect-selogs-wrapper, which calls execv() without sanitizing $PATH. Alert on unexpected processes spawned by httpd (uid 985) with elevated privileges.
- The sniffcapture_post CGI script passes the unsanitized "filter" field (supplied via the -F argument) into an eval call; network signatures should look for POST bodies containing shell injection payloads in the -F parameter to this endpoint.
- Affected firmware versions are CXLBL.075.272 (2021-07-29) and CXLBL.075.281 (2021-10-14) on the Lexmark MC3224; inventory devices running these versions, as they are exploitable.
- CVE-2021-44736 (Authentication Reset) is NOT fixed by the firmware update CXLBL.076.294; users must implement a separate workaround per the Lexmark Security Alert. The firmware update only addresses CVE-2021-44735 (Shell Command Injection).
- The two CVEs form a chained exploit: CVE-2021-44736 must be triggered first to reset authentication and expose the web interface, before CVE-2021-44735 (command injection via sniffcapture_post) can be exploited by an unauthenticated attacker.
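Detection logic for the first and fourth indicators above, written here as an added example (it is not code from the page's sources or from Lexmark): it flags POST requests to /cgi-bin/sniffcapture_post that arrive from an unauthenticated session or carry shell metacharacters in the -F filter value. The request-body layout, the event fields and the sample events are assumptions made for the example.

```python
import re

# Endpoint and parameter named in the indicators above.
SNIFF_PATH = "/cgi-bin/sniffcapture_post"
# Characters that change meaning once a string reaches a shell eval.
SHELL_META = re.compile(r"[;|&`$<>(){}\n]")
# Pull the value handed to -F: a quoted string or a bare token.
# Assumption: the body carries the filter as a "-F <value>" argument;
# the page only states that the filter field reaches eval via -F.
FILTER_ARG = re.compile(r"-F\s*(?:\"([^\"]*)\"|'([^']*)'|(\S+))")


def extract_filter(body: str):
    """Return the -F (filter) value from a request body, or None."""
    m = FILTER_ARG.search(body)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def inspect_request(event: dict) -> list:
    """Return the reasons this request is suspicious (empty if none)."""
    reasons = []
    if event["method"] != "POST" or event["path"] != SNIFF_PATH:
        return reasons
    if not event["authenticated"]:
        reasons.append("unauthenticated access to sniffcapture_post")
    filt = extract_filter(event["body"])
    # If no -F value is found, inspect the whole body instead.
    target = filt if filt is not None else event["body"]
    if SHELL_META.search(target):
        reasons.append("shell metacharacter in filter")
    return reasons


def scan(events) -> dict:
    """Map source address -> reasons for every request that fired."""
    hits = {}
    for event in events:
        reasons = inspect_request(event)
        if reasons:
            hits[event["src"]] = reasons
    return hits


# Constructed sample events, not captured traffic.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "method": "POST", "path": SNIFF_PATH,
     "authenticated": True, "body": "-i eth0 -F \"port 80\""},
    {"src": "10.0.0.6", "method": "POST", "path": SNIFF_PATH,
     "authenticated": False, "body": "-i eth0 -F \"port 80\""},
    {"src": "10.0.0.7", "method": "POST", "path": SNIFF_PATH,
     "authenticated": False, "body": "-i eth0 -F \"port 80; true\""},
    {"src": "10.0.0.8", "method": "GET", "path": "/cgi-bin/status",
     "authenticated": False, "body": ""},
]

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_EVENTS).items():
        print(src, "->", "; ".join(reasons))
```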
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
No detection rules found.
No public exploits indexed.
Source: CrowdStrike, "For the Common Good: How to Compromise a Printer in Three Simple Steps" (blogs_crowdstrike · CVSS 7.5)