Hewlett-Packard disclosed a new vulnerability in its Support Assistant software, CVE-2022-38395. HP Support Assistant is HP's software that manages HP devices and provides services such as BIOS and firmware updates, a view of device specifications, diagnostic testing, and more. Most importantly, HP Support Assistant comes pre-installed on all HP devices, meaning that, in theory, all HP devices could be affected.
The vulnerability, tracked as CVE-2022-38395, received a CVSS score of 8.2. It is a privilege escalation flaw: an attacker can exploit a DLL hijacking vulnerability to elevate privileges when HP Support Assistant launches Fusion, a component used to launch another of HP's tools, HP Performance Tune-up.
Find Vulnerable Devices
To help you mitigate the risk of this vulnerability as soon as possible, we've created a report that lists all HP Support Assistant installations along with details like the model, description, location, and more. This way, you have an actionable list of devices that might require a patch.
We have noticed that in more recent versions of HP Support Assistant, HP hasn't followed software best practices, which might cause issues when detecting the newer Support Assistant versions with Lansweeper. Therefore, if you notice that newer versions aren't being detected, we recommend using the following report based on Lansweeper's File Property Scanning.