Unpatched Epson Devices at Risk: CVE-2024-47295 Allows Easy Hijacking
A newly discovered security vulnerability, CVE-2024-47295, affecting multiple SEIKO EPSON products, could allow attackers to take control of devices with administrative privileges. This issue arises from an insecure initial password configuration in SEIKO EPSON’s Web Config software, which manages settings for networked devices like printers and scanners.
Web Config is the embedded web interface through which users manage SEIKO EPSON devices from a browser. In affected models, a device that is put on the network before Web Config has been configured has a blank administrator password, so anyone who can reach the device over the network can set that password themselves and take control of it.
According to the vulnerability report, "If the administrator password on the affected product is left blank and the device is accessed via Web Config, it's possible to set up an administrator password on the device." Once an attacker holds the administrator password, they can alter device settings, disrupt printing and scanning, or use the device as a foothold for further attacks on the internal network.
Since no patch is currently available for this vulnerability, SEIKO EPSON advises users to set an administrator password immediately upon installing the device and connecting it to a network. The company's Security Guidebook strongly recommends this step and calls it out in section 3 of the installation process. Configuring Web Config and securing the device with a strong password closes the window in which an attacker could claim the blank password, and is the only mitigation available until firmware changes the default behaviour.
While SEIKO EPSON has highlighted the workaround, users should remain vigilant with all networked devices. Unsecured IoT devices and peripheral equipment are easy targets for attackers. The CVSS score of 8.1 (High) underscores the risk associated with CVE-2024-47295, making it important for users to apply best practices such as:
- Setting Strong, Unique Passwords: Set a complex administrator password during initial device setup, before the device is reachable by others, and never leave defaults or easy-to-guess values in place.
- Limiting Network Access: Restrict access to the device's web interface to trusted users and management networks, for example with a firewall rule or a dedicated printer VLAN, to minimize exposure.
- Regular Monitoring: Periodically review device configurations and network traffic to spot unauthorized changes or suspicious activity, such as configuration changes originating from hosts that should not be administering the device.
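One way to act on the "limit network access" and "regular monitoring" points together is to watch for configuration writes to the printers' web interfaces from hosts outside the management subnet. The script below is an added example written for this article, not code from SEIKO EPSON or from the original post. It assumes a Zeek-like tab-separated HTTP log layout (timestamp, source, destination, method, URI, status), a constructed printer inventory and management subnet, and hypothetical Web Config URIs; real Web Config paths differ and are not published here.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory: addresses of the Epson devices on this segment (assumed values).
PRINTERS = {"10.0.20.11", "10.0.20.12"}

# Constructed allowlist: only the IT management subnet may change printer settings.
MGMT_NETS = [ipaddress.ip_network("10.0.1.0/24")]

# HTTP methods that change state on a device; GETs are not flagged.
WRITE_METHODS = {"POST", "PUT", "DELETE"}

# Constructed sample log, Zeek-like layout: ts, orig_h, resp_h, method, uri, status.
# The URIs are hypothetical placeholders, not real Web Config endpoints.
SAMPLE_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tmethod\turi\tstatus_code
1730000000.1\t10.0.1.5\t10.0.20.11\tGET\t/\t200
1730000001.2\t10.0.1.5\t10.0.20.11\tPOST\t/admin/password\t200
1730000002.3\t10.0.30.77\t10.0.20.12\tGET\t/\t200
1730000003.4\t10.0.30.77\t10.0.20.12\tPOST\t/admin/password\t200
1730000004.5\t10.0.30.77\t10.0.20.12\tPOST\t/admin/network\t200
1730000005.6\t10.0.30.78\t10.0.50.9\tPOST\t/login\t200
garbage line without tabs
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    printer: str
    method: str
    uri: str


def is_trusted(src: str) -> bool:
    """True only if src parses as an address inside one of the management networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        # A malformed source field is never trusted.
        return False
    return any(addr in net for net in MGMT_NETS)


def parse_line(line: str):
    """Return (ts, src, dst, method, uri, status) or None for comments/blank/malformed lines."""
    line = line.rstrip("\n")
    if not line or line.startswith("#"):
        return None
    fields = line.split("\t")
    if len(fields) < 6:
        return None
    return tuple(fields[:6])


def find_untrusted_writes(log_text: str) -> list:
    """Flag state-changing requests to known printers from outside the management subnet."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, method, uri, _status = rec
        if dst not in PRINTERS:
            continue
        if method.upper() not in WRITE_METHODS:
            continue
        if is_trusted(src):
            continue
        findings.append(Finding(ts, src, dst, method.upper(), uri))
    return findings


def summarize(findings: list) -> dict:
    """Count flagged writes per source host so a burst from one host stands out."""
    counts = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_untrusted_writes(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.src} -> {f.printer} {f.method} {f.uri}")
    print(summarize(hits))
```

In the constructed sample the two POSTs from 10.0.30.77 to 10.0.20.12 are flagged because that host sits outside the management subnet, while the identical write from 10.0.1.5 and the write to the non-printer 10.0.50.9 are ignored. On a device that was connected with a blank password, the first flagged write from an unexpected host is exactly the event the article warns about: someone other than the administrator claiming the device.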