Headline
Epson Expression Home XP255 20.08.FM10I8 Missing Authentication
An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. By default, the device comes (and functions) without a password. The user is at no point prompted to set a password on the device, which leaves a number of devices without one. On such a device, anyone who connects to the web admin panel can become admin without using any credentials.
[Vulnerability Type]
Incorrect Access Control
[Vendor of Product]
Epson
[Affected Product Code Base]
Expression Home XP255 - 20.08.FM10I8
[Affected Component]
Web admin panel
[Attack Type]
Remote
[Impact Escalation of Privileges]
true
[Attack Vectors]
The attacker needs to have access to port 80/TCP (the webserver) of the device.
[Has vendor confirmed or acknowledged the vulnerability?]
true
[Discoverer]
Konrad Leszczynski, intern at Qbit in collaboration with the Dutch consumer organisation.
[Reference]
https://epson.com/Support/sl/s
Use CVE-2019-20458.