Xerox Printer Vulnerability Could Enable Windows Active Directory Credentials Exploit

Researchers at Rapid7 have disclosed two vulnerabilities in Xerox VersaLink C7025 multifunction printers (MFPs) that enable pass-back attacks. In a pass-back attack, an attacker with access to the MFP's administrative configuration repoints the server the printer authenticates to (for example its LDAP or scan-to-file SMB/FTP destination) at a host the attacker controls. The next time the printer authenticates, it sends its stored credentials to that host, where the attacker captures them.

You can read the details here: https://www.rapid7.com/blog/post/2025/02/14/xerox-versalink-c7025-multifunction-printer-pass-back-attack-vulnerabilities-fixed/

Martin Jartelius, CISO at Outpost24 had this comment:

“While the vulnerabilities in the Xerox VersaLink C7025 printer are important to address, they do not pose a high risk in most corporate environments, as these printers are typically not accessible from the internet.

“However, capturing authentication credentials could allow an attacker to move laterally within the organization, which becomes a concern if the network lacks proper segmentation.

“The solution lies in strengthening security by restricting access to the printer’s administrative settings and ensuring the printer is configured correctly.

“The first step is to prevent unauthorized access by locking down the configuration page. Additionally, FTP and LDAP credentials both rely on plain-text protocols, which are outdated and vulnerable; even without changing any settings on the printer, a network tap could expose this information. To improve security, use authentication protocols that are inherently more secure and avoid using older protocols like FTP (defined in 1971) and LDAP (defined in 1997).

“The correct approach to mitigating these risks is universal, regardless of the printer model or software used: set a complex password for the admin account, avoid using Windows authentication accounts with elevated privileges (such as domain admin accounts for LDAP or scan-to-file SMB services), and prevent enabling the remote-control console for unauthenticated users. Implementing strong network security practices, including proper segmentation, will help protect critical systems and limit unnecessary connections between devices.” 
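Martin Jartelius' point that a network tap alone exposes LDAP credentials, and the pass-back mechanism described at the top of this post, rest on the same wire-level fact: an LDAP simple bind carries the bind DN and the password as plain BER octet strings, with no hashing or challenge. The Python below is an added example, not code from the Rapid7 write-up or from Xerox. It encodes and decodes such a bind request per RFC 4511; the sample message (a bind as cn=scan with password Pr1nt!) is constructed here rather than captured from a real printer. Whatever host the printer's LDAP setting points at, whether the real domain controller, an attacker's server after a pass-back, or anyone with a tap in between, decodes exactly this.

```python
"""Encode and decode an LDAP simple BindRequest (RFC 4511, BER encoding).

Added example for the pass-back discussion above; not Rapid7's or Xerox's code.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# BER tags that appear in an LDAPMessage carrying a BindRequest
TAG_SEQUENCE = 0x30       # LDAPMessage
TAG_INTEGER = 0x02        # messageID, version
TAG_OCTET_STRING = 0x04   # name (LDAPDN)
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_SIMPLE_AUTH = 0x80    # AuthenticationChoice: simple [0] OCTET STRING
TAG_SASL_AUTH = 0xA3      # AuthenticationChoice: sasl [3] SaslCredentials


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER element; lengths above 127 use the long form."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


@dataclass
class BindRequest:
    message_id: int
    version: int
    name: str
    mechanism: str            # "simple" or "sasl"
    password: Optional[str]   # recovered verbatim for simple binds, None for SASL


def build_simple_bind(message_id: int, name: str, password: str) -> bytes:
    """Encode a simple BindRequest the way an LDAP client such as a printer sends it."""
    body = (_tlv(TAG_INTEGER, bytes([3]))                 # LDAP version 3
            + _tlv(TAG_OCTET_STRING, name.encode())
            + _tlv(TAG_SIMPLE_AUTH, password.encode()))   # password in the clear
    return _tlv(TAG_SEQUENCE,
                _tlv(TAG_INTEGER, bytes([message_id])) + _tlv(TAG_BIND_REQUEST, body))


def parse_bind_request(msg: bytes) -> BindRequest:
    """Decode an LDAPMessage and return the bind identity and credential it carries."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError(f"protocolOp tag 0x{tag:02x} is not a BindRequest")
    _, ver, pos = _read_tlv(op, 0)
    tag, name, pos = _read_tlv(op, pos)
    if tag != TAG_OCTET_STRING:
        raise ValueError("missing bind name")
    tag, cred, _ = _read_tlv(op, pos)
    message_id, version = int.from_bytes(mid, "big"), int.from_bytes(ver, "big")
    if tag == TAG_SIMPLE_AUTH:
        # A plain OCTET STRING: readable by whoever receives the packet.
        return BindRequest(message_id, version, name.decode(), "simple", cred.decode())
    if tag == TAG_SASL_AUTH:
        return BindRequest(message_id, version, name.decode(), "sasl", None)
    raise ValueError(f"unknown AuthenticationChoice tag 0x{tag:02x}")


# Constructed sample, not a real capture: messageID 1, bind as "cn=scan" with "Pr1nt!".
CAPTURED_BIND = bytes.fromhex(
    "30 19 02 01 01 60 14 02 01 03 04 07 63 6e 3d 73 63 61 6e 80 06 50 72 31 6e 74 21"
)

if __name__ == "__main__":
    req = parse_bind_request(CAPTURED_BIND)
    print(f"{req.mechanism} bind: name={req.name!r} password={req.password!r}")
```

The parser also recognises a SASL bind and returns no password for it, which is the contrast that matters when choosing what the printer should be configured to use: with a SASL mechanism (or LDAP over TLS) the host at the far end, rogue or not, no longer receives the account's password in the clear.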

Regardless of how much risk this carries in your environment, any organization running one of these printers should read the Rapid7 post and apply the update that addresses this issue. And do it ASAP: now that the details are public, threat actors are going to use them to pwn the unsuspecting.

UPDATE: Jim Routh, Chief Trust Officer at Saviynt adds this:

“Both of the vulnerabilities identified related to administering Xerox printers and obtaining administrator credentials (CVE-2024-12510 and CVE-2024-12511) are indicative of the preference of cyber criminals today to pursue the acquisition of user credentials as the preferred method of attack on enterprises. In this case, threat actors focus on the administration of multifunction printers connected to enterprise networks that also have internet connectivity for users and administrators. In certain configurations with LDAP, user credentials to Windows Active Directory can be harvested for criminal activity. Both vulnerabilities are dependent on specific enterprise configuration settings and the potential for exploitation will vary from enterprise to enterprise.

Reducing the need for credentials (passwordless options) is the most effective way to shrink this specific attack surface. Other methods include adjustments to configuration settings for LDAP and Windows device administration settings.”
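Both commenters point at the LDAP configuration as the lever: Jartelius says to stop using plaintext binds and privileged Windows accounts for them, and Routh says to adjust the LDAP settings. One way to find out which printers are already doing the kind of bind a pass-back harvests, and which accounts they use, is to read the domain controllers' own LDAP Interface Events. The Python below is an added example, not from the Rapid7 post or from either commenter. It parses Directory Service event 2889 messages and flags cleartext simple binds, tagging those that come from an assumed printer VLAN (10.0.0.0/24) and those that use an assumed privileged identity. The sample events are constructed here, and the message layout is reproduced from memory of the real 2889 event, so check the regular expressions against a message from your own DC before trusting the output.

```python
"""Hunt Domain Controller 'LDAP Interface Events' (Directory Service event 2889)
for cleartext simple binds, especially from printers and privileged accounts.

Added example, not code from the Rapid7 post. A DC writes event 2889 when the
"16 LDAP Interface Events" diagnostic level is 2 or higher and a client performs
a simple bind over non-TLS LDAP (Binding Type 0) or a SASL bind without signing
(Binding Type 1). The field labels below are an assumption taken from memory of
that event's text; verify them against a real message before relying on this.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

_IP_RE = re.compile(r"Client IP address:\s*(\S+)")
_ID_RE = re.compile(r"Identity the client attempted to authenticate as:\s*(.+)")
_TYPE_RE = re.compile(r"Binding Type:\s*(\d+)")

SIMPLE_BIND_CLEARTEXT = 0   # password crosses the wire in the clear
SASL_BIND_UNSIGNED = 1      # no password on the wire, only missing integrity protection


@dataclass
class BindEvent:
    client_ip: str
    identity: str
    binding_type: int


@dataclass
class Finding:
    client_ip: str
    identity: str
    from_printer_subnet: bool
    privileged_identity: bool


def parse_2889(message: str) -> BindEvent:
    """Pull client address, identity and binding type out of one 2889 message."""
    ip_m, id_m, type_m = _IP_RE.search(message), _ID_RE.search(message), _TYPE_RE.search(message)
    if not (ip_m and id_m and type_m):
        raise ValueError("message does not look like event 2889")
    host = ip_m.group(1).rsplit(":", 1)[0]      # drop the client's source port
    return BindEvent(host, id_m.group(1).strip(), int(type_m.group(1)))


def hunt_cleartext_binds(messages: Iterable[str],
                         printer_subnets: Iterable[str],
                         privileged_identities: Set[str]) -> List[Finding]:
    """Return one Finding per cleartext simple bind, tagged with why it matters."""
    subnets = [ipaddress.ip_network(s) for s in printer_subnets]
    privileged = {p.lower() for p in privileged_identities}
    findings: List[Finding] = []
    for msg in messages:
        ev = parse_2889(msg)
        if ev.binding_type != SIMPLE_BIND_CLEARTEXT:
            continue                            # unsigned SASL does not leak the password
        addr = ipaddress.ip_address(ev.client_ip)
        findings.append(Finding(
            client_ip=ev.client_ip,
            identity=ev.identity,
            from_printer_subnet=any(addr in net for net in subnets),
            privileged_identity=ev.identity.lower() in privileged,
        ))
    return findings


def _event(ip_port: str, identity: str, binding_type: int) -> str:
    """Build a constructed 2889 message body (layout assumed, see module docstring)."""
    return ("The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
            "without requesting signing (integrity verification), or performed a simple bind "
            "over a clear text (non-SSL/TLS-encrypted) LDAP connection.\n\n"
            f"Client IP address:\n{ip_port}\n"
            f"Identity the client attempted to authenticate as:\n{identity}\n"
            f"Binding Type:\n{binding_type}\n")


# Constructed sample events, not real log data. 10.0.0.0/24 is the assumed printer VLAN.
SAMPLE_2889 = [
    _event("10.0.0.5:49152", "CORP\\svc-scan", SIMPLE_BIND_CLEARTEXT),       # printer, service account
    _event("10.0.0.7:50001", "CORP\\Administrator", SIMPLE_BIND_CLEARTEXT),  # printer using domain admin
    _event("10.1.2.3:40000", "CORP\\jdoe", SASL_BIND_UNSIGNED),              # workstation, no password leaked
    _event("192.168.50.9:3000", "CORP\\svc-scan", SIMPLE_BIND_CLEARTEXT),    # same account, off the printer VLAN
]
PRIVILEGED = {"CORP\\Administrator"}   # assumed list; populate from your own admin groups

if __name__ == "__main__":
    for finding in hunt_cleartext_binds(SAMPLE_2889, ["10.0.0.0/24"], PRIVILEGED):
        print(finding)
```

To feed it real data, raise the "16 LDAP Interface Events" value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics to 2 on a domain controller and pull the Directory Service log with Get-WinEvent, filtering on Id 2889; the Message property of each record is what parse_2889 expects. A printer that shows up with binding type 0 is sending its LDAP password in the clear on every lookup, and one that shows up with a privileged identity is the case Jartelius warns about.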
