Ask a security professional about their biggest concerns and they’ll mention endpoints, cloud configurations, and email. Ask them about printers and you might get a dismissive wave. That dismissiveness has cost organizations dearly. Network printers are fully-networked computing devices — with hard drives, web servers, administrative interfaces, and a history of catastrophic vulnerabilities — yet they are rarely included in patch management or security assessments.
Why Printers Are a Serious Attack Surface
Modern enterprise printers are embedded computers running custom operating systems. A typical multifunction printer includes:
- An internal web server for configuration (HTTP/HTTPS on port 80/443)
- PostScript and PJL language interpreters
- File system storage (often with a hard drive retaining printed documents)
- Network protocols: IPP, LPD, SMB, FTP, Telnet, SNMP
- Email and cloud connectivity features
- Administrative credentials that are almost never changed from defaults
This is not a peripheral device. It’s a networked server with decades-old protocols, default passwords, and an update cadence measured in years.
PRET: The Printer Exploitation Toolkit
In 2017, researcher Jens Müller published PRET (Printer Exploitation Toolkit), a tool demonstrating how printer languages themselves can be weaponized. PRET connects to printers via network or USB and communicates using PostScript, PJL (Printer Job Language), or PCL — languages printers use to receive and interpret print jobs.
Using PRET, an attacker can:
- Read the filesystem: Access stored print jobs, configuration files, and cached documents
- Write to the filesystem: Modify configuration or plant persistent files
- Capture print jobs: Intercept documents being printed across the network
- Trigger denial of service: Crash the printer or put it in an infinite loop
- Execute code: On vulnerable printers, achieve remote code execution within the printer’s OS
PRET is publicly available on GitHub. Any attacker with network access to a printer and basic Python skills can use it.
PJL Command Examples
PJL (Printer Job Language) was designed for legitimate printer management but exposes dangerous capabilities:
@PJL INFO VARIABLES # List all writable variables
@PJL FSDIRLIST NAME="0:/" # List the root filesystem
@PJL FSUPLOAD NAME="0:/etc/shadow" # Attempt to read sensitive files
These are not exploits in the traditional sense — they’re legitimate commands being used maliciously. The printer is doing exactly what it was designed to do.
Shodan and Exposed Printers
Shodan is a search engine that indexes internet-connected devices. A simple Shodan search for port:9100 "PJL" reveals thousands of printers directly exposed to the internet — no authentication required. Port 9100 is the raw printing port (RAW/JetDirect protocol), and devices on this port are often completely unprotected.
In 2018, a hacker called “TheHackerGiraffe” used Shodan to identify and exploit roughly 50,000 exposed printers, causing them to print a message promoting a YouTube channel. The attack was largely harmless but demonstrated the scale of exposure. A malicious actor could use the same access to intercept confidential documents, establish persistence, or pivot to the internal network.
How to check your organization’s exposure: Search Shodan for your organization’s IP ranges and look for printer-related ports (9100, 515, 631).
Credential Leakage via Print Servers
Enterprise printers integrated with Active Directory for authentication store or transmit network credentials. Vulnerabilities in this integration can leak:
- LDAP credentials: Printers that scan-to-email or scan-to-folder use LDAP to authenticate to the directory — these credentials are often stored in plaintext in the web interface configuration
- SMB credentials: Scan-to-folder features using Windows file shares store SMB credentials on the printer
- Admin interface credentials: Default usernames/passwords (
admin/admin,admin/1234) on the web management interface provide full device control
A compromised printer in a domain environment can become a pivot point into the broader network.
Firmware Vulnerabilities
Printer firmware vulnerabilities are routinely discovered and inconsistently patched. Notable examples include:
- HP FoxGlove/PrintNightmare (2021): While primarily a Windows Print Spooler vulnerability, it highlighted how deeply integrated printers are with Windows privilege escalation paths
- Lexmark vulnerabilities (2023): Multiple critical RCE vulnerabilities in Lexmark firmware affecting hundreds of printer models
- HP PageWide and LaserJet (2023): Authentication bypass vulnerabilities allowing unauthenticated admin access
The challenge with printer firmware is that unlike servers, printers are rarely on an automated patch schedule. Many organizations operate printers for 5–10 years on the original firmware.
Hardening Guide
| Action | Priority |
|---|---|
| Change all default credentials immediately | Critical |
| Disable unused protocols (Telnet, FTP, LPD, SNMP v1/v2) | Critical |
| Enable HTTPS only for the admin interface | Critical |
| Block direct internet access from printer IPs | Critical |
| Apply latest firmware updates | High |
| Enable access control lists to restrict who can print | High |
| Enable secure print (PIN release) for sensitive documents | High |
| Segment printers onto a dedicated VLAN | High |
| Enable logging and ship printer logs to SIEM | Medium |
| Sanitize hard drives before device disposal | Medium |
Network segmentation is particularly important. Printers should reside on a VLAN that can communicate with print servers but not directly with workstations or servers. This limits lateral movement opportunities if a printer is compromised.
What About Hard Drive Data?
Many enterprise multifunction printers include a hard drive that stores images of every document printed, scanned, or faxed. This data persists unless the drive is explicitly wiped. Before donating, selling, or returning a leased printer, ensure the hard drive is securely wiped using the manufacturer’s built-in secure erase function or by physically destroying the drive.
Investigative journalists have repeatedly purchased second-hand copiers and printers from hospitals, law firms, and government agencies — and recovered thousands of sensitive documents from the internal drives.
The printer sitting in your office corner is a network-attached computer running unpatched software, storing copies of confidential documents, and almost certainly configured with default credentials. Treat it accordingly.