New Xerox Printer Vulnerabilities Could Grant Attackers Full Control Over Windows Networks

A widely used Xerox VersaLink business printer contained two now-patched security vulnerabilities that could have allowed attackers to gain full access to an organization's Windows environment.

Credential Theft Through Pass-Back Attacks

Security researchers at Rapid7 discovered the vulnerabilities in firmware version 57.69.91 and earlier of the Xerox VersaLink C7025 multifunction printer (MFP). These flaws enabled pass-back attacks, a technique where attackers manipulate a printer’s settings to intercept user authentication credentials. If exploited, a hacker could have obtained Windows Active Directory credentials, potentially allowing lateral movement within the organization's network.

"Successful exploitation could lead to complete compromise of an organization’s Windows servers and file systems," said Deral Heiland, Principal Security Researcher at Rapid7.

The VersaLink C7025, part of Xerox’s ConnectKey-enabled multifunction printer lineup, is marketed for small and mid-sized businesses. Xerox highlights its built-in security features, but the recently identified vulnerabilities—CVE-2024-12510 (CVSS 6.7) and CVE-2024-12511 (CVSS 7.6)—could have bypassed these protections.

How the Exploit Works

The vulnerabilities allowed attackers to alter the printer’s Lightweight Directory Access Protocol (LDAP) or Server Message Block (SMB)/File Transfer Protocol (FTP) settings to intercept user credentials.

???? CVE-2024-12510 (LDAP Pass-Back Vulnerability)
An attacker could modify the LDAP server IP address in the printer’s settings, redirecting authentication requests to a malicious LDAP server. As a result, user credentials would be sent to the attacker instead of the legitimate corporate LDAP server.

???? CVE-2024-12511 (SMB/FTP Pass-Back Vulnerability)
A similar technique could be applied to the SMB or FTP scan functions. By changing the server’s IP address to an attacker-controlled system, authentication credentials used for scan-to-file services could be intercepted.

Why This Matters

Attackers could exploit these vulnerabilities remotely by accessing the printer through a web browser, especially if the default admin password was still in use. Additionally, SNMP queries could reveal whether the device was configured for LDAP services, making it easier for hackers to identify vulnerable targets.

Heiland warns that many organizations store Domain Admin credentials within printer LDAP settings, meaning an attacker could potentially gain complete control over an entire Windows environment. This access would allow them to infiltrate:

✔ Windows file services
✔ Email accounts
✔ Database systems
✔ Domain-level administrative controls

"If a privileged account is used for LDAP or SMB settings, an attacker could gain unrestricted access to the organization’s Windows infrastructure," Heiland cautioned.

An Attractive Target for Cybercriminals

While exploiting these vulnerabilities requires technical expertise, Jim Routh, Chief Trust Officer at Saviynt, emphasizes the severity of the risk.

"This type of attack is ideal for a cybercriminal—gaining access to Windows Active Directory where all administrator profiles and credentials reside," Routh said.

Cybersecurity threats related to printers have become more common, especially with the rise of hybrid and remote work models. A 2024 Quocirca study found that 67% of organizations had experienced a security incident related to printers, up from 61% the previous year.

Mitigation and Protection

✔ Update Firmware – Xerox has released patched firmware to fix these vulnerabilities. Organizations should update immediately.
✔ Strengthen Admin Security – Use complex passwords for admin accounts and avoid using privileged Windows authentication accounts (e.g., Domain Admin) for LDAP or scan-to-file SMB services.
✔ Restrict Remote Access – Disable unauthenticated remote control console access.
✔ Monitor Printer Configurations – Regularly review printer settings to detect unauthorized changes.

Despite growing risks, many organizations continue to underestimate printer-related security threats, making them an easy entry point for attackers. Taking proactive security measures is crucial to prevent future breaches.