Critical Xerox Printer Vulnerability Exposes Enterprise Networks to Credential Theft

A newly discovered vulnerability in Xerox’s Versalink C7025 Multifunction Printers allows attackers to carry out pass-back attacks, capturing sensitive authentication data through the printer's LDAP, SMB, and FTP integrations. This flaw, affecting several Versalink models, could lead to credential theft and lateral movement within corporate networks. Xerox has released a firmware update to address the issue, but organizations are urged to implement additional security measures to protect against potential exploits.

A significant cybersecurity vulnerability in Xerox's Versalink C7025 Multifunction Printers (MFPs) has been discovered, potentially compromising sensitive authentication data across corporate networks. Identified by Rapid7, this flaw allows attackers to carry out pass-back attacks, capturing authentication credentials via the LDAP and SMB/FTP services the printer is configured to use, opening the door to lateral movement within enterprise infrastructures.

Exploitation Methods: The vulnerabilities, tracked as CVE-2024-12510 and CVE-2024-12511, affect multiple models of the Versalink series, including the 7020, 7025, and 7030. The issue arises when an attacker who already has administrative access to the printer's settings modifies its network configuration so that authentication requests are redirected to rogue servers. This enables attackers to capture sensitive data such as Active Directory credentials, SMB handshakes, and FTP login information.

For the LDAP vulnerability (CVE-2024-12510), attackers can modify the printer's LDAP server settings to reroute authentication requests to an attacker-controlled system, allowing them to capture clear-text credentials. Similarly, the SMB and FTP flaws (CVE-2024-12511) involve manipulating the device’s address book configuration, enabling attackers to intercept NetNTLMv2 handshakes and FTP credentials when printers perform scan-to-file operations.

Risks and Potential Impact: Once the credentials are captured, attackers can gain unauthorized access to critical systems, including Windows Active Directory servers, enabling lateral movement across a company’s network. The consequences can be severe, potentially leading to data breaches, unauthorized file access, and even full compromise of internal systems.

Organizations using these affected printers are urged to upgrade to the latest firmware version (57.75.53), which addresses the vulnerabilities. If patching cannot be immediately applied, experts recommend implementing strong administrative passwords, disabling remote control access for unauthenticated users, and avoiding the use of high-privilege accounts for LDAP or scan-to-file SMB services.

Preventative Measures: To reduce the risk of exploitation, Xerox advises companies to adopt network segmentation to isolate printers from critical infrastructure. Furthermore, restricting administrative access, monitoring for unusual traffic patterns in LDAP/SMB communications, and enforcing multi-factor authentication for printer management consoles can bolster defenses against this type of attack.
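The monitoring advice above can be turned into a concrete check. The following script is an added example, not Xerox or Rapid7 code: it scans constructed flow-log lines for LDAP, SMB or FTP connections that originate from the printer VLAN but do not go to an approved directory or file server (the signature of a redirected authentication request), and it compares a reported firmware string against the fixed version named in the article. The printer subnet, approved server addresses and log format are assumptions.

```python
"""Flag possible pass-back traffic from printers and check firmware level."""
import ipaddress
from collections import namedtuple

# Ports of the services a pass-back attack abuses (LDAP, LDAPS, SMB, FTP).
PASSBACK_PORTS = {389: "ldap", 636: "ldaps", 445: "smb", 139: "smb", 21: "ftp"}

# Assumed inventory: the printer VLAN and the only hosts printers may
# authenticate to (domain controller and scan-to-file server).
PRINTER_SUBNET = ipaddress.ip_network("10.20.30.0/24")
APPROVED_SERVERS = {"10.0.0.10", "10.0.0.11"}

FIXED_FIRMWARE = (57, 75, 53)  # version the article says closes the flaws

Alert = namedtuple("Alert", "src dst port service")


def parse_flow(line):
    """Parse a constructed flow record: '<ts> <src_ip> <dst_ip> <dst_port> <proto>'."""
    _ts, src, dst, port, _proto = line.split()
    return src, dst, int(port)


def find_passback_candidates(lines, printer_subnet=PRINTER_SUBNET,
                             approved=APPROVED_SERVERS):
    """Return alerts for printer -> non-approved host on an auth-bearing port."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        src, dst, port = parse_flow(line)
        if ipaddress.ip_address(src) not in printer_subnet:
            continue                      # not a printer, out of scope here
        service = PASSBACK_PORTS.get(port)
        if service and dst not in approved:
            alerts.append(Alert(src, dst, port, service))
    return alerts


def firmware_is_patched(version):
    """True if a dotted firmware string is at or above 57.75.53."""
    return tuple(int(p) for p in version.split(".")) >= FIXED_FIRMWARE


# Constructed sample: one printer talks to the real DC/file server, then to
# an unknown host on both LDAP and SMB; a workstation and a print job are noise.
SAMPLE_FLOWS = """\
2025-02-18T10:00:01Z 10.20.30.15 10.0.0.10 389 tcp
2025-02-18T10:00:05Z 10.20.30.15 10.0.0.11 445 tcp
2025-02-18T10:02:11Z 10.20.30.15 192.168.77.5 389 tcp
2025-02-18T10:02:12Z 10.20.30.15 192.168.77.5 445 tcp
2025-02-18T10:03:00Z 10.50.1.20 192.168.77.5 445 tcp
2025-02-18T10:04:00Z 10.20.30.16 10.0.0.10 9100 tcp
""".splitlines()

if __name__ == "__main__":
    for a in find_passback_candidates(SAMPLE_FLOWS):
        print(f"ALERT printer {a.src} -> {a.dst}:{a.port} ({a.service}) is not an approved server")
    print("firmware 57.69.91 patched:", firmware_is_patched("57.69.91"))
```

In a real deployment the approved set should be generated from the LDAP and address-book settings exported from each device, so that any later change to those settings also shows up as a diff.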

This vulnerability underscores the growing concerns about the security of Internet of Things (IoT) devices, which, while integral to business operations, are often inadequately protected against sophisticated cyber threats. Rapid7's Deral Heiland, who discovered the flaw, noted that printers, along with other IoT devices like cameras and sensors, often enjoy privileged network access without sufficient security controls, making them prime targets for malicious actors.

Conclusion: The Xerox Versalink C7025 vulnerability highlights a critical blind spot in many enterprise security strategies, particularly in the hybrid work era, where connected devices are deeply integrated into corporate networks. Organizations are urged to act swiftly by applying patches and taking additional security precautions to safeguard against these dangerous exploits.