CVE-2024-47295: Insecure Initial Password Configuration in SEIKO EPSON Web Config

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability ID: JVN#95133448 2. Vulnerability Name: Insecure initial password configuration issue in SEIKO EPSON Web Config 3. Affected Product: Web Config 4. Description: - Web Config is software that allows users to check and modify the status and settings of SEIKO EPSON products (such as printers and scanners). - During initial setup, no administrator password is set. When a user first connects to the device and configures Web Config settings, they are prompted to set a password. - If the product is connected to a network without configuring Web Config settings, an arbitrary password may be set, and the device may be operated by an attacker with administrator privileges. 5. Impact: - If the product is connected to a network without configuring Web Config settings, an arbitrary password may be set, and the device may be operated by an attacker with administrator privileges. 6. Solution: - Workaround: Set an administrator password. - In Section 3 of the developer’s Security Guidelines, it is strongly recommended to set an administrator password during product installation. 7. References: - SEIKO EPSON CORPORATION’s Vulnerability in Web Config for Printers, Scanners, and Network Interface Products - Security Guidelines 8. CVSS v3 Score: 8.1 9. Comments: - The attack scenario assumes the target device is connected to the network without configuring Web Config. - Attack Complexity (AC) is assessed as High (H) according to CVSS 3.0 specifications. 10. Credits: - George Puckett reported this vulnerability to CERT/CC. - At the request of CERT/CC, JPCERT/CC coordinated with the developer. 11. Additional Information: - JPCERT Alert - JPCERT Report - CERT Advisory - CPNI Advisory - TRnotes - CVE: CVE-2024-47295 - JVN iPedia This information provides a detailed description of the vulnerability, its impact, mitigation steps, and relevant references.

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2024-47295: Insecure Initial Password Configuration in SEIKO EPSON Web Config