Full Report
Security vulnerabilities have been disclosed in Xerox VersaLink C7025 multifunction printers (MFPs) that could allow attackers to capture authentication credentials through pass-back attacks against the Lightweight Directory Access Protocol (LDAP) and SMB/FTP services. "This pass-back style attack leverages a vulnerability that allows a malicious actor to alter the MFP's configuration and cause the MFP
Analysis Summary
# Vulnerability: Xerox Printer Pass-Back Attacks Leading to Credential Capture
## CVE Details
- CVE IDs: CVE-2024-12510, CVE-2024-12511
- CVSS Score: 6.7 (Medium) for CVE-2024-12510; 7.6 (High) for CVE-2024-12511
- CWE: Not specified, but related to improper authentication/configuration handling leading to credential leakage.
## Affected Systems
- Products: Xerox VersaLink C7020, C7025, and C7030 series multifunction printers (MFPs)
- Versions: Firmware versions 57.69.91 and earlier.
- Configurations:
- CVE-2024-12510 requires LDAP to be configured and used for authentication.
- CVE-2024-12511 requires an SMB or FTP scan function to be configured in the user's address book, and either physical access to the console or remote-control access via the web interface.
## Vulnerability Description
Two vulnerabilities allow an attacker to use a "pass-back style attack" to make the MFP send authentication credentials it holds (Windows Active Directory credentials) to a server controlled by the attacker. Nothing is broken in the authentication itself; the device is reconfigured so that it authenticates to the wrong host.
1. **CVE-2024-12510 (LDAP pass-back):** An attacker with access to the LDAP configuration page can change the configured LDAP server to a host they control. The next LDAP authentication attempt makes the MFP connect to that host and present the LDAP login credentials stored on the device.
2. **CVE-2024-12511 (SMB/FTP pass-back):** An attacker can edit an SMB or FTP scan destination in the user address book to point at an attacker-controlled IP. When a scan to that destination is started, the MFP authenticates to the attacker's host with the stored SMB/FTP credentials, which are captured there. Captured credentials can then be used for lateral movement within the network.
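To make concrete what a rogue LDAP server receives in the CVE-2024-12510 case, the following is an added example (not Xerox's or Rapid7's code) that builds and decodes an LDAPv3 simple BindRequest as defined in RFC 4511. It assumes the MFP authenticates to its configured LDAP server with a simple bind, in which the password travels as a plaintext OCTET STRING; the distinguished name and password are constructed sample values, not real ones.

```python
"""Decode an LDAPv3 simple BindRequest the way a rogue LDAP listener would see it.

Added example, not code from Xerox or the advisory. Assumption: the MFP performs a
simple bind (RFC 4511 section 4.2), so the first packet it sends to whatever host
is configured as the LDAP server already contains the bind DN and the password.
"""

# --- minimal BER helpers ------------------------------------------------------

def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-length-value triple."""
    return bytes([tag]) + ber_len(len(value)) + value


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


# --- BindRequest encode (to build the constructed sample) and decode ----------

def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = (tlv(0x02, bytes([3]))              # version INTEGER 3
            + tlv(0x04, dn.encode())           # name LDAPDN (OCTET STRING)
            + tlv(0x80, password.encode()))    # authentication: simple [0] OCTET STRING
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, bind))


def decode_simple_bind(packet: bytes) -> dict:
    """Parse the fields a listener learns from one simple BindRequest."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msgid, pos = read_tlv(msg, 0)
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = read_tlv(bind, 0)
    _, name, pos = read_tlv(bind, pos)
    auth_tag, cred, _ = read_tlv(bind, pos)
    return {
        "message_id": int.from_bytes(msgid, "big"),
        "version": int.from_bytes(version, "big"),
        "dn": name.decode(),
        "simple_auth": auth_tag == 0x80,
        # Simple auth carries the password in the clear: nothing to crack or relay.
        "password": cred.decode() if auth_tag == 0x80 else None,
    }


# Constructed sample: a hypothetical scan service account, not a real one.
SAMPLE_DN = "CN=svc-mfp-scan,OU=Service Accounts,DC=corp,DC=example"
SAMPLE_PASSWORD = "Winter2024!"
SAMPLE_PACKET = build_simple_bind(1, SAMPLE_DN, SAMPLE_PASSWORD)

if __name__ == "__main__":
    print(decode_simple_bind(SAMPLE_PACKET))
```

The point of the decode is that the attacker needs nothing beyond a TCP listener on the configured port: the DN and password are recoverable from the first message without any cryptographic work, which is why the workaround of using a low-privilege account for the MFP's directory lookups matters.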
## Exploitation
- Status: The advisory describes the mechanism (a pass-back attack) but does not publish exploit code; on the attacker side the technique needs only a rogue LDAP, SMB or FTP listener that records what connects to it.
- Complexity: Low once configuration access is obtained. CVE-2024-12510 requires access to the LDAP configuration page (normally an administrative function). CVE-2024-12511 requires physical access to the console or remote-control console access via the web interface; where the remote-control console is enabled for unauthenticated users, no credentials are needed at all.
- Attack Vector: Network for the configuration change and for triggering scans; Local where the attacker uses physical console access.
## Impact
- Confidentiality: High (Capture of Active Directory credentials).
- Integrity: Moderate (Potential for unauthorized system access via captured credentials).
- Availability: Low (No direct impact on system uptime mentioned).
## Remediation
### Patches
- Patches are available as part of **Service Pack 57.75.53** for VersaLink C7020, C7025, and C7030 series printers. Users must update to this version or later.
### Workarounds
- Set a complex password for the administrative account.
- Avoid using Windows authentication accounts that possess elevated privileges for printer configurations or scanning functions.
- Disable the remote-control console feature for unauthenticated users.
## Detection
- Detection methods are not detailed in the advisory. Indicators that follow from the mechanism:
  - changes to the LDAP server address or to SMB/FTP destinations in the address book (compare configuration exports against a known-good baseline);
  - LDAP binds or SMB/FTP authentication from the MFP's IP to any host other than the sanctioned directory and file servers (firewall or flow logs);
  - the MFP's LDAP or scan service account authenticating from a source other than the MFP itself (domain controller logon events).
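As an added example (not a Xerox tool and not part of the advisory), the script below implements the first of these indicators: it audits a configuration snapshot of the MFP's LDAP server and address-book scan destinations against an allowlist of sanctioned hosts and internal address ranges. It assumes the relevant settings have been exported into a small JSON structure; the field names, approved hosts, networks and sample records are all constructed for illustration.

```python
"""Audit an MFP configuration snapshot for pass-back indicators.

Added example, not code from Xerox or the advisory. Assumptions: the LDAP server
setting and the address-book scan destinations have been exported into the JSON
shape shown in SAMPLE_CONFIG (field names constructed), and the approved host
lists and internal networks below describe the environment being audited.
"""
import ipaddress
import json
from typing import Optional

# Constructed baseline: the only hosts the MFP should ever authenticate to.
APPROVED_LDAP_SERVERS = {"dc01.corp.example", "10.10.1.5"}
APPROVED_SCAN_HOSTS = {"files01.corp.example", "10.10.2.20"}
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]


def classify_host(host: str, approved: set) -> Optional[str]:
    """Return None if host is approved, otherwise a short reason for flagging it."""
    if host in approved:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unapproved hostname"          # a name, not an IP literal
    if any(addr in net for net in INTERNAL_NETS):
        return "unapproved internal IP"       # plausible lateral-movement staging host
    return "IP outside internal ranges"       # classic pass-back destination


def audit_config(config: dict) -> list:
    """Return one (setting, host, reason) finding per unapproved LDAP or SMB/FTP target.

    The LDAP server is checked first because CVE-2024-12510 hinges on it; then every
    address-book entry whose protocol is SMB or FTP, the destinations CVE-2024-12511
    abuses. Other destination types (e.g. e-mail) carry no file-share credentials.
    """
    findings = []
    ldap_server = config.get("ldap", {}).get("server")
    if ldap_server:
        reason = classify_host(ldap_server, APPROVED_LDAP_SERVERS)
        if reason:
            findings.append(("ldap.server", ldap_server, reason))
    for entry in config.get("address_book", []):
        proto = entry.get("protocol", "").lower()
        if proto not in ("smb", "ftp"):
            continue
        host = entry.get("host", "")
        reason = classify_host(host, APPROVED_SCAN_HOSTS)
        if reason:
            findings.append((f"address_book[{entry['name']}].{proto}", host, reason))
    return findings


# Constructed snapshot: 203.0.113.0/24 is documentation address space standing in
# for an attacker-controlled host; 10.10.2.99 is an unsanctioned internal host.
SAMPLE_CONFIG = json.loads("""
{
  "ldap": {"server": "203.0.113.45", "port": 389, "login": "svc-mfp-ldap"},
  "address_book": [
    {"name": "Finance scans", "protocol": "smb",   "host": "files01.corp.example", "share": "scans"},
    {"name": "HR scans",      "protocol": "smb",   "host": "10.10.2.99",           "share": "scans"},
    {"name": "Archive",       "protocol": "ftp",   "host": "203.0.113.45",         "path": "/in"},
    {"name": "Mail room",     "protocol": "email", "host": "",                     "address": "mail@corp.example"}
  ]
}
""")

if __name__ == "__main__":
    for setting, host, reason in audit_config(SAMPLE_CONFIG):
        print(f"{setting}: {host} ({reason})")
```

Run against a periodic configuration export, any finding is worth treating as a credential-exposure event rather than a misconfiguration: the MFP may already have authenticated to the flagged host, so the LDAP or scan account's password should be rotated as part of the response.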
## References
- Disclosure (Rapid7) Link (Defanged): hxxps://www.rapid7.com/blog/post/2025/02/14/xerox-versalink-c7025-multifunction-printer-pass-back-attack-vulnerabilities-fixed/
- Patch Information Link (Defanged): hxxps://www.support.xerox.com/en-us/product/versalink-c7020-c7025-c7030/content/169633