Two vulnerabilities, CVE-2024-12510 and CVE-2024-12511, have been found in the Xerox VersaLink C7025 Multifunction Printer. Upon successful exploitation, bad actors can capture authentication credentials through pass-back attacks via lightweight directory access protocol (LDAP), server message block (SMB), and file transfer protocol (FTP) services. Continue reading this Cybersecurity Threat Advisory to discover the key to safeguarding your environment.
What is the threat?
These pass-back attacks exploit vulnerabilities that enable malicious actors to modify the multifunction printer’s (MFP) configuration, causing the device to transmit authentication credentials back to the attacker. Details about these vulnerabilities are as follows:
- Pass-back attack via user’s address book – SMB / FTP CVE-2024-12511 (CVSS score: 7.6): An attacker can alter the user address book configuration to redirect SMB or FTP scan destinations to a system they control, enabling them to capture authentication credentials. It allows the attacker to intercept NetNTLMv2 handshakes for a relay attack or to retrieve clear-text FTP credentials. Executing the attack requires an existing SMB or FTP scan setup and admin-level access to the printer console or web interface.
- Pass-back attack via LDAP CVE-2024-12510 (CVSS score: 6.7): An attacker accessing the LDAP configuration page can modify the LDAP server’s IP address to a malicious system, causing the device to authenticate against their controlled host. By running a port listener, they can intercept clear-text LDAP credentials. This attack requires access to the MFP admin account and an existing LDAP configuration.
Why is it noteworthy?
These threats are particularly noteworthy because they allow attackers to intercept sensitive authentication credentials, potentially compromising network security. The vulnerabilities give attackers access to clear-text LDAP or FTP credentials, and in some cases, enable further attacks that could lead to additional network exploitation, posing a significant risk to organizations with vulnerable firmware.
What is the exposure or risk?
While specific conditions are required, such as the attacker needing an SMB or FTP scan function configured in the user’s address book, as well as physical access to the printer console or remote access via the web interface, there is an additional risk if user-level access to the remote-control console is enabled. In such cases, admin privileges may be required. The vulnerabilities could allow an attacker to extract the entire plaintext database in-band via an HTTP response using a specially crafted SQL injection payload.
What are the recommendations?
Barracuda recommends the following actions to protect your environment against this threat:
- Update to Service Pack 57.75.53, released late last month, for VersaLink C7020, C7025, and C7030 series printers.
- Set complex, non-default passwords for printer admin accounts to minimize the risk of unauthorized configuration changes.
- Limit access to the printer’s remote-control console. If administrative access is necessary, protect it with distinct credentials.
- Do not use Windows authentication accounts with elevated privileges in printer configurations. This reduces the potential impact of a breach by limiting what can be captured.
- Place printers on a separate VLAN or subnet. This segmentation helps prevent attackers from easily moving from a compromised printer to critical Windows servers.
- Conduct regular security audits, including printers. Monitoring for unexpected configuration changes can help identify and prevent potential attacks early.
References
For more in-depth information, please visit the following links:
- https://thehackernews.com/2025/02/new-xerox-printer-flaws-could-let.html
- https://www.techradar.com/pro/security/xerox-printer-security-risk-could-let-hackers-sneak-into-your-systems
- https://www.securityweek.com/xerox-versalink-printer-vulnerabilities-enable-lateral-movement/
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.