Authentication Bypass on Zebra ZTC
Description
Authentication bypass in Zebra ZT410-203dpi ZPL printer allows an adjacent attacker to change web-page credentials via a crafted POST request to setvarsResults.cgi.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An authentication bypass vulnerability (CWE-288) exists in the Zebra Technologies ZT410-203dpi ZPL printer. An attacker on the same network can change the username and password for the printer's web page by sending a specially crafted POST request to the setvarsResults.cgi file. The vulnerability is exploitable only when the printer's protected mode is disabled. The affected printer model is the ZT410-203dpi, which was discontinued on October 1, 2020 [1].
Exploitation
The attacker must be on the same network as the printer (adjacent network) and requires no authentication or user interaction. With protected mode disabled, the attacker sends a crafted POST request to the setvarsResults.cgi endpoint, altering the credentials used for web interface access. The CVSS vector string indicates a low attack complexity and no privileges required [1].
Impact
Successful exploitation allows the attacker to change the printer's web page username and password, leading to unauthorized access to the printer's configuration interface. Confidentiality and integrity impacts are low and there is no availability impact, per the CVSS v3.1 score of 5.4 (AV:A/PR:N/UI:N/S:U/C:L/I:L/A:N) [1].
Mitigation
Zebra printers running Link-OS v6.0 and later include a protected mode that, when activated, prevents unauthorized changes and locks the current configuration until an administrator authorizes updates. Protected mode is disabled by default; administrators must generate a password first to enable it. The ZT410 industrial printer was discontinued on October 1, 2020, with service and support discontinuation dates in September and December 2025 depending on region. No patch is available; the mitigation is to enable protected mode as described in the vendor guidance [1].
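As an added example (not from the advisory or from Zebra), the following Python scans network sensor logs for POST requests to setvarsResults.cgi that come from hosts outside an administrator allowlist, which helps monitor printers where protected mode is still disabled. The log layout, the IP ranges and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: admin workstations allowed to change printer settings (constructed range).
ADMIN_SOURCES = [ipaddress.ip_network("10.20.0.0/28")]
ENDPOINT = "setvarsresults.cgi"  # endpoint named in the advisory, compared case-insensitively

# Assumed log layout: "<timestamp> <src_ip> -> <dst_ip> <METHOD> <url> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample input, not captured traffic.
SAMPLE_LOG = """\
2026-05-20T08:01:12Z 10.20.0.5 -> 10.30.1.17 POST /setvarsResults.cgi 200
2026-05-20T08:03:40Z 10.40.7.23 -> 10.30.1.17 GET /index.html 200
2026-05-20T08:03:44Z 10.40.7.23 -> 10.30.1.17 POST /setvarsResults.cgi 200
2026-05-20T08:04:02Z 10.40.7.23 -> 10.30.1.18 POST /SETVARSRESULTS.CGI?x=1 200
2026-05-20T08:05:00Z 10.40.7.99 -> 10.30.1.17 GET /setvarsResults.cgi 200
malformed line that the sensor truncated
"""

def is_admin(src):
    """True when the source address falls inside an allowlisted admin network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ADMIN_SOURCES)

def find_suspect_posts(log_text):
    """Return (timestamp, source, printer) for POSTs to the endpoint from non-admin hosts."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        path = urlsplit(m["url"]).path
        if m["method"] != "POST" or path.rsplit("/", 1)[-1].lower() != ENDPOINT:
            continue
        try:
            if is_admin(m["src"]):
                continue
        except ValueError:
            pass  # unparseable source address: report it rather than drop it
        hits.append((m["ts"], m["src"], m["dst"]))
    return hits

if __name__ == "__main__":
    for ts, src, dst in find_suspect_posts(SAMPLE_LOG):
        print(f"{ts} unexpected settings POST from {src} to printer {dst}")
```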
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Zebra Technologies/ZTC ZT410 v5 Range: 203dpi ZPL 18J150703184
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.