SecurityWeek

Xerox VersaLink Printer Vulnerabilities Enable Lateral Movement

Xerox released security updates to resolve pass-back attack vulnerabilities in VersaLink multifunction printers.

Vulnerabilities in Xerox VersaLink multifunction printers could allow attackers to retrieve authentication credentials via pass-back attacks targeting LDAP and SMB/FTP services, Rapid7 discovered.

Two security defects were identified in the all-in-one enterprise color printers, namely CVE-2024-12510 and CVE-2024-12511, and Xerox released security updates to address both.

In short, in a pass-back attack, the printer is directed to authenticate against a server controlled by the attacker, who then captures the authentication data sent by the device.

On a VersaLink printer with Lightweight Directory Access Protocol (LDAP) services configured for authentication, an attacker with access to the configuration page would need to modify the LDAP service’s IP address and then trigger an LDAP lookup, causing the printer to authenticate against the attacker-controlled server.

“By running a port listener on a host that the malicious actor controls, they are then able to capture the clear text LDAP service credentials. This attack requires access to the MFP printer admin account, and LDAP services must have been configured for normal operation to a valid LDAP server,” Rapid7 explains.

To capture the SMB or FTP authentication credentials, the attacker would need access to the user address book configuration, where they need to modify the SMB or FTP server’s IP address to point to a server they control.

“This attack allows a malicious actor to capture NetNTLMV2 handshakes or leverage the vulnerability in an SMB relay attack against Active Directory file servers. In the case of FTP, the malicious actor would be able to capture clear text FTP authentication credentials,” Rapid7 says.

Such an attack can be mounted if an SMB or FTP scan function is configured in the user’s address book, and if the attacker either has physical access to the printer console or remote access via the web interface, which may require administrative credentials.

“If a malicious actor can successfully leverage these issues, it would allow them to capture credentials for Windows Active Directory. This means they could then move laterally within an organization’s environment and compromise other critical Windows servers and file systems,” Rapid7 notes.

The two issues were reported to Xerox in March 2024. Fixes for them were rolled out at the end of January 2025, in the form of service pack updates for the VersaLink C7020, 7025, and 7030 series multifunction printers.

Organizations are advised to update their VersaLink printers to firmware version 57.75.53 as soon as possible. To mitigate the flaws, they should use complex passwords for the administrative account, avoid using Windows authentication accounts with elevated privileges, and disable unauthenticated access to the remote-control console.
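A detection sketch for the pass-back pattern described above, added here as an example and not taken from Rapid7, Xerox or SecurityWeek: it scans network flow records for printers opening LDAP, SMB or FTP connections to servers outside an approved list. The printer subnet, approved server addresses, CSV layout and sample flows are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample flow records (not real traffic): timestamp, source,
# destination, destination port.
SAMPLE_FLOWS = """\
ts,src,dst,dport
2025-02-01T09:00:01Z,10.20.5.11,10.20.1.10,389
2025-02-01T09:02:17Z,10.20.5.11,10.20.1.20,445
2025-02-01T09:05:40Z,10.20.5.11,10.20.9.77,389
2025-02-01T09:06:02Z,10.20.5.12,10.20.9.77,445
2025-02-01T09:07:30Z,10.20.5.12,10.20.1.30,21
2025-02-01T09:08:00Z,10.20.3.44,10.20.9.77,445
2025-02-01T09:09:00Z,10.20.5.11,10.20.1.10,9100
"""

# Assumed inventory: the subnet the printers live on, and the only servers
# each authentication-bearing service on a printer is configured to use.
PRINTER_NETS = [ipaddress.ip_network("10.20.5.0/24")]
APPROVED = {
    389: {"10.20.1.10"},  # LDAP directory used for printer authentication
    445: {"10.20.1.20"},  # SMB scan destination from the address book
    21: {"10.20.1.30"},   # FTP scan destination from the address book
}
SERVICE = {389: "LDAP", 445: "SMB", 21: "FTP"}


def is_printer(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRINTER_NETS)


def find_passback_candidates(flow_csv):
    """Return flows where a printer authenticates to an unapproved server."""
    alerts = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        port = int(row["dport"])
        # Only printer-originated LDAP/SMB/FTP sessions carry the credentials.
        if port not in APPROVED or not is_printer(row["src"]):
            continue
        if row["dst"] not in APPROVED[port]:
            alerts.append((row["ts"], row["src"], row["dst"], SERVICE[port]))
    return alerts


if __name__ == "__main__":
    for ts, src, dst, svc in find_passback_candidates(SAMPLE_FLOWS):
        print(f"{ts} printer {src} -> unapproved {svc} server {dst}")
```

An alert from this check means a printer's configured LDAP, SMB or FTP destination has changed or is being overridden, which is the point at which the service account's password should be rotated and the device configuration reviewed.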

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
