Security vulnerabilities in our products

01/11/2022

A security vulnerability has been identified in Kyocera Document Solutions’ MFPs and printers.

Vulnerability description

Three vulnerabilities have been identified. All of them can only be exploited by a third party who can reach the affected device over the network; they cannot be exploited in an environment to which no third party has network access.

Vulnerability ID: JVN#46345126
https://jvn.jp/jp/JVN46345126/

1. Session management defect in Command Center (CVE-2022-41798)
In an environment where the product is accessible through Command Center, a forged cookie allows a user to log in without passing login authentication.

2. Inadequate authentication in Command Center (CVE-2022-41807)
In a usage environment where the product is accessible via Command Center, if a client (a malicious attacker's personal computer) issues a request to the server (the product) to change device settings through the Common Gateway Interface (CGI), the configuration changes are applied without logging in to Command Center.

3. Cross-site scripting vulnerability in Command Center (CVE-2022-41830)
In a usage environment where the product is accessible via Command Center, an attacker could embed malicious JavaScript in a certificate through the SSL/TLS certificate registration, configuration and reference functions in the Command Center security settings. When the equipment administrator later logs in to Command Center and views that certificate, the JavaScript executes in the administrator's browser, so the administrator becomes the victim.
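The third issue is a stored cross-site scripting pattern: a value the device stores (here a certificate field) is later rendered into the administrator's page without being escaped. The following is an added example, not Kyocera code and not taken from the advisory, showing the vulnerable rendering pattern beside its hardened form. It models a registered certificate as a plain dictionary of subject fields (a constructed sample, not a real parsed X.509 object) and adds a registration-time check that flags fields containing angle brackets so such uploads can be logged or rejected; escaping on output remains the primary fix.

```python
import html
from typing import Dict

# Constructed sample: subject fields of a certificate as an administrator might
# register them in a web management console.  The CN carries markup to show
# what unescaped rendering would do.  Hypothetical data, not from the advisory.
SAMPLE_SUBJECT: Dict[str, str] = {
    "CN": "printer-01.example.test<script>alert(1)</script>",
    "O": "Example Org & Co",
    "C": "JP",
}

# Only angle brackets are treated as a registration-time red flag; quotes and
# ampersands are legitimate in subject names and are neutralised by escaping.
TAG_CHARS = set("<>")


def render_subject_unsafe(subject: Dict[str, str]) -> str:
    """Vulnerable pattern: field values are concatenated straight into HTML,
    so a value containing tags becomes live markup when an admin views it."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in subject.items())
    return f"<table>{rows}</table>"


def render_subject_safe(subject: Dict[str, str]) -> str:
    """Hardened pattern: every stored value is HTML-escaped on output, so the
    browser shows the characters instead of interpreting them."""
    rows = "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in subject.items()
    )
    return f"<table>{rows}</table>"


def fields_with_markup(subject: Dict[str, str]) -> Dict[str, str]:
    """Defence in depth for the registration step: return the fields that
    contain angle brackets so the upload can be rejected or flagged for review."""
    return {k: v for k, v in subject.items() if TAG_CHARS & set(v)}


if __name__ == "__main__":
    print("unsafe:", render_subject_unsafe(SAMPLE_SUBJECT))
    print("safe:  ", render_subject_safe(SAMPLE_SUBJECT))
    print("flagged on registration:", fields_with_markup(SAMPLE_SUBJECT))
```

The safe renderer is the change that removes the vulnerability class; the registration check is an extra signal for an audit log and should not be relied on alone, since a value that passes it can still need escaping for other characters.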

Please contact your services provider to apply the firmware that addresses the security vulnerability.

Until the firmware is applied, please take the following workaround measures.

Workaround

Workaround 1

To reduce the risk of information leakage and unauthorized use due to unauthorized access from outside, please use the multifunction copiers in an environment protected by a firewall or other means when connecting them to the Internet. This will block unauthorized access from outside via the Internet.

Workaround 2

It is recommended that the multifunction copiers/printers be operated with a private IP address* assigned. If a global IP address is assigned, the risk of information leakage due to unauthorized access from outside increases.
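Both workarounds come down to one question: can a party outside the organisation reach the device's web management interface? The following is an added example (not Kyocera code and not from the advisory) that answers it two ways with one small helper: an inventory check for workaround 2, listing devices whose address is not in a private range, and a review of firewall log lines for workaround 1, reporting any accepted connection from a non-private source to a device's HTTP or HTTPS port. The inventory, the key=value log format and the addresses are constructed for the example; "private" is interpreted as the RFC 1918 IPv4 ranges plus IPv6 unique-local addresses, which is an assumption about the advisory's footnoted term.

```python
import ipaddress
import re
from typing import Dict, List

# Assumed meaning of the advisory's "private IP address": RFC 1918 plus IPv6 ULA.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]

# Ports on which the device's web management interface would be served.
WEB_MGMT_PORTS = {80, 443}


def is_private_address(addr: str) -> bool:
    """True when addr falls inside one of the private ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def devices_needing_readdressing(inventory: Dict[str, str]) -> List[str]:
    """Workaround 2 check: names of devices whose management address is not
    private, i.e. devices that a remote party could address directly."""
    return sorted(name for name, addr in inventory.items() if not is_private_address(addr))


# Hypothetical firewall log format (constructed for this example).
LOG_RE = re.compile(r"action=accept src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def external_mgmt_access(log_lines: List[str], inventory: Dict[str, str]) -> List[dict]:
    """Workaround 1 check: accepted connections from a non-private source to a
    device's web management port.  Each hit is a management interface that is
    reachable from outside and should be placed behind the firewall."""
    by_addr = {addr: name for name, addr in inventory.items()}
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # denied connections and unrelated lines are ignored
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if dst in by_addr and dport in WEB_MGMT_PORTS and not is_private_address(src):
            hits.append({"device": by_addr[dst], "src": src, "dport": dport})
    return hits


# Constructed inventory: documentation ranges (RFC 5737) stand in for public addresses.
SAMPLE_INVENTORY = {
    "mfp-floor1": "192.168.10.20",
    "mfp-floor2": "10.20.0.5",
    "printer-lobby": "203.0.113.40",  # a global address, violates workaround 2
}

# Constructed log lines: two external hits on port 443, one internal admin
# session, and one external connection to a non-management port.
SAMPLE_LOG = [
    "2022-11-01T09:00:01 action=accept src=198.51.100.7 dst=203.0.113.40 dport=443",
    "2022-11-01T09:00:02 action=accept src=192.168.10.33 dst=192.168.10.20 dport=80",
    "2022-11-01T09:00:03 action=accept src=198.51.100.9 dst=203.0.113.40 dport=9100",
    "2022-11-01T09:00:04 action=accept src=203.0.113.41 dst=192.168.10.20 dport=443",
]

if __name__ == "__main__":
    print("readdress:", devices_needing_readdressing(SAMPLE_INVENTORY))
    for hit in external_mgmt_access(SAMPLE_LOG, SAMPLE_INVENTORY):
        print("external management access:", hit)
```

The fourth log line shows why the firewall review is still needed after readdressing: a device on a private address can be exposed through a port forward, and only the log reveals that. Run the same review on denied connections to see how often the interface is being probed.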

Products

  • List of Products.pdf (80 KB, PDF)

We will update the contents of this page as necessary in the event of any changes.

In addition, we are developing and marketing successors and new products with more advanced security functions. Please consider the successor products and new products for the safe protection of your information assets.

Products affected by this vulnerability

For information on how this vulnerability affects products developed, manufactured, and sold by Kyocera Document Solutions, please contact your local distributor where you purchased the product.
