A widely used Xerox business printer, designed for small to midrange applications, has been found to contain two vulnerabilities in its firmware that have now been patched. These vulnerabilities could have allowed attackers to gain full access to an organization’s Windows environment.
The vulnerabilities, which have been addressed, affect firmware version 57.69.91 and earlier in the Xerox VersaLink C7025 multifunction printers (MFPs). Both flaws enable a type of attack known as pass-back attacks, allowing a malicious actor to capture user credentials by manipulating the MFPs’ configuration.
Complete Access to Windows Environments
Researchers at Rapid7, who discovered the flaws, note that a malicious actor who successfully exploits the Xerox printer vulnerabilities could capture credentials for Windows Active Directory. According to Deral Heiland, principal security researcher, IoT, for Rapid7, this means they could then move laterally within an organization’s environment and compromise other critical Windows servers and file systems, as outlined in a recent blog post.
The Xerox VersaLink C7025 is described as a multifunction printer featuring ConnectKey, a Xerox technology that allows customers to interact with the printers over the cloud and via mobile devices. This technology includes security features designed to prevent attacks, detect potentially malicious changes to the printer, and protect against unauthorized transmission of critical data. The VersaLink family of printers is positioned as ideal for small and medium-sized workgroups that print around 7,000 pages per month.
The two vulnerabilities discovered by Rapid7 and since fixed by Xerox are CVE-2024-12510 (CVSS score: 6.7), an LDAP pass-back vulnerability, and CVE-2024-12511 (CVSS score: 7.6), an SMB/FTP pass-back vulnerability.
These vulnerabilities allow an attacker to alter the MFP’s configuration, causing the printer to send a user’s authentication credentials to an attacker-controlled system. This attack would be successful if a vulnerable Xerox VersaLink C7025 printer is configured for LDAP and/or SMB services.
In the case of CVE-2024-12510, an attacker could access the MFP’s LDAP configuration page and change the LDAP server IP address to point to their own malicious LDAP server. When the printer next attempts to authenticate users, it connects to the attacker’s fake LDAP server, potentially allowing the attacker to capture the cleartext LDAP service credentials.
CVE-2024-12511 enables similar credential capture when the SMB or FTP scan function is enabled on a vulnerable Xerox VersaLink C7025 printer. An attacker with admin-level access can modify the SMB or FTP server’s IP address to capture SMB or FTP authentication credentials.
To discover a vulnerable printer, an attacker would need to connect to an affected Xerox MFP device through a Web browser, validate that the default password is still enabled, and ensure the device is configured for LDAP and/or SMB services. Heiland notes that it is often possible to query an MFP via SNMP and identify if LDAP services are enabled and configured.
The risk for organizations is significant, as gaining any level of access to a business network could allow a malicious actor to use the pass-back attack to harvest Active Directory credentials without detection. This could then enable them to pivot to more critical Windows systems within the compromised environment. Heiland warns that it’s not uncommon to find LDAP settings on MFP devices containing Domain Admin credentials, which could give a bad actor complete control of an organization’s Windows environment.
A successful attack would give a malicious actor access to Windows file services, domain information, email accounts, and database systems. If a Domain Admin account or an account with elevated privileges was used for LDAP or SMB, the attacker would have unfettered access to potentially everything within the organization’s Windows environment.
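Because the pass-back path is an ordinary outbound LDAP, SMB or FTP connection from the printer, the "without detection" claim above holds only if nobody watches where printers authenticate. The following added example (not Rapid7's or Xerox's code) flags printer connections on those service ports to any host other than the approved domain controllers or file server; the printer inventory, approved servers and flow-log lines are all constructed for illustration.

```python
# Added example (not Rapid7's or Xerox's code): flag MFP credential-bearing
# connections that do not go to the approved LDAP / SMB / FTP servers.
# Constructed flow-log format: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>".

# Constructed inventory: printer addresses and the only servers they should
# ever authenticate against (domain controllers, scan-to-file share).
PRINTERS = {"10.0.5.20", "10.0.5.21"}
APPROVED_AUTH_SERVERS = {"10.0.1.10", "10.0.1.11"}

# Services named in the advisory that carry credentials on the pass-back path.
WATCHED_PORTS = {389: "ldap", 636: "ldaps", 445: "smb", 21: "ftp"}


def parse_flow(line):
    """Return (timestamp, src, dst, port) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    return parts[0], parts[1], parts[2], int(parts[3])


def find_passback_indicators(lines):
    """Return (timestamp, printer, dest, service) tuples for suspicious printer flows."""
    alerts = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst, port = rec
        if src in PRINTERS and port in WATCHED_PORTS and dst not in APPROVED_AUTH_SERVERS:
            alerts.append((ts, src, dst, WATCHED_PORTS[port]))
    return alerts


# Constructed sample flows: one normal and one anomalous connection per service.
SAMPLE_FLOWS = [
    "2025-02-18T09:01:00Z 10.0.5.20 10.0.1.10 389 tcp",  # LDAP bind to a DC: fine
    "2025-02-18T09:02:15Z 10.0.5.20 10.0.9.77 389 tcp",  # LDAP bind to unknown host
    "2025-02-18T09:03:40Z 10.0.5.21 10.0.1.11 445 tcp",  # scan-to-SMB to file server
    "2025-02-18T09:04:02Z 10.0.5.21 10.0.9.77 445 tcp",  # SMB auth to unknown host
    "2025-02-18T09:05:00Z 10.0.7.5 10.0.9.77 445 tcp",   # not a printer: ignored
    "garbage",                                            # malformed: skipped
]

if __name__ == "__main__":
    for ts, printer, dest, service in find_passback_indicators(SAMPLE_FLOWS):
        print(f"{ts} printer {printer} authenticated to unapproved {service} server {dest}")
```

A change to the LDAP or SMB server address on the device shows up here as the first bind or session setup to the new host, which is the moment the credentials leave the printer.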
An Ideal Scenario for Threat Actors
Jim Routh, chief trust officer at Saviynt, notes that an attacker would need relatively sophisticated technical skills to exploit these kinds of vulnerabilities. However, for those who can, the LDAP vulnerability enables access to Windows Active Directory, where all administrator profiles and credentials reside. “It’s the ideal scenario for the threat actor,” he notes, as every device connected to the Internet has configuration options that offer an attack surface for cybercriminals.
Xerox has released a patched version of the affected Xerox VersaLink MFP firmware, enabling customer organizations to update and fix the issues. For those unable to patch immediately, Rapid7 recommends setting a complex password for the admin account, not using Windows authentication accounts with elevated privileges for LDAP or scan-to-file SMB services, and not enabling the remote-control console for unauthenticated users.
Printer vulnerabilities pose a growing problem for many organizations due to the rise in remote and hybrid work models. A 2024 study by Quocirca found that 67% of organizations had experienced a security incident tied to a printer vulnerability, up from 61% the prior year. Despite this trend, many organizations continue to underestimate printer-related threats, making it a soft spot for attackers to target.