CVE-2023-38556

Vulnerability

An improper input validation vulnerability (CWE-20) exists in the Web Config software pre-installed on certain SEIKO EPSON printers. Web Config is a web-based interface for checking status and changing settings. A remote attacker can send a specially crafted URL to the Web Config, causing the printer to turn off. Affected models include EP-801A, EP-802A, EP-901A, EP-901F, EP-902A, PA-TCU1, PM-T960, PM-T990, PX-201, PX-502A, PX-601F, and PX-602F [2]. No firmware update is planned; the vendor recommends workarounds [1].

Exploitation

An attacker with network access to the printer's Web Config interface can exploit this vulnerability without authentication or user interaction. The attacker crafts a specific URL and sends it to the Web Config endpoint. The improper input validation fails to sanitize the request, leading to the printer being turned off [1][2].

Impact

Successful exploitation results in a denial-of-service (DoS) condition: the printer is powered off, rendering it unavailable for printing or other functions. The CVSS v3 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no confidentiality or integrity loss [1].

Mitigation

As of the publication date (2023-08-02), no firmware update is planned for the affected printers. The vendor strongly recommends applying workarounds, such as restricting network access to the Web Config interface (e.g., via firewall rules or disabling the feature if possible) [1][2]. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.