Kyocera Device Manager, the management tool for Kyocera printers and multifunction devices, was found to have a vulnerability (CVE-2023-50916) that lets an attacker redirect a file path and capture credentials. Trustwave discovered an input validation flaw in the function that sets the location of database backups: the path submitted by the interface could be intercepted and changed to a UNC network path (\\server\share) under the attacker's control. The Device Manager host would then try to open that share and authenticate over SMB to the attacker's server, which could capture the hashed Active Directory credentials (the NTLM challenge-response) and crack them offline or relay them, potentially leading to unauthorized access to accounts or to the managed devices. Kyocera addressed the issue in version 3.1.1213.0 by having the application ignore an invalid path and keep the original valid path instead. Organizations running earlier versions should update promptly; restricting outbound SMB (TCP 445) from the Device Manager host to untrusted networks also limits this class of credential-capture attack.
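The fix described above amounts to a server-side check on the backup location: a path that is not a local directory under the expected root is ignored and the previously stored path is kept. The following is an added illustration of such a check, written for this page; it is not Kyocera's code, and the allowed root directory, the function names and the sample inputs are constructed for the example. It uses `ntpath` so the Windows path rules (UNC prefixes, drive letters, `..` collapsing, mixed separators) are applied no matter which platform the snippet runs on.

```python
import ntpath

# Constructed example: the only directory tree under which a backup location
# may live on the server. Assumed for illustration, not Kyocera's actual setting.
ALLOWED_ROOT = r"C:\ProgramData\DeviceManager\Backups"


def _is_unc_or_device_path(path: str) -> bool:
    """True for \\server\share, \\?\..., \\.\... and their forward-slash forms.

    These are the forms that make Windows open an SMB (or other network)
    session to a host chosen by whoever supplied the path, which is exactly
    what an attacker needs to capture an NTLM challenge-response.
    """
    return path.replace("/", "\\").startswith("\\\\")


def validate_backup_location(requested: str, current: str,
                             allowed_root: str = ALLOWED_ROOT) -> tuple[str, str]:
    """Server-side check of a requested backup directory.

    Returns (path_to_apply, reason). On any rejection the previously stored
    `current` path is returned unchanged, mirroring the described fix
    (ignore an invalid path and keep the original valid one).
    """
    if not requested or "\x00" in requested:
        return current, "rejected: empty or malformed path"
    if _is_unc_or_device_path(requested):
        return current, "rejected: UNC or device path"

    # Must be an absolute path on a drive letter; "Backups" or "C:Backups"
    # are relative to whatever the service's working directory happens to be.
    drive, _tail = ntpath.splitdrive(requested)
    if not drive or not ntpath.isabs(requested):
        return current, "rejected: not an absolute local path"

    # Collapse '..' segments and separator variants before comparing, so a
    # traversal such as ...\Backups\..\..\Windows cannot slip past a prefix test.
    normalized = ntpath.normpath(requested)
    root = ntpath.normpath(allowed_root)
    inside = (normalized.lower() == root.lower()
              or normalized.lower().startswith(root.lower() + "\\"))
    if not inside:
        return current, "rejected: outside the allowed backup root"
    return normalized, "accepted"


if __name__ == "__main__":
    current = r"C:\ProgramData\DeviceManager\Backups\daily"
    # Constructed inputs: one legitimate client value and several modified requests.
    samples = [
        "C:/ProgramData/DeviceManager/Backups/weekly",
        r"\\attacker.example\share\backup",
        "//attacker.example/share/backup",
        r"\\?\C:\ProgramData\DeviceManager\Backups",
        r"C:\ProgramData\DeviceManager\Backups\..\..\..\Windows\Temp",
        r"D:\Backups",
        "Backups",
    ]
    for s in samples:
        path, reason = validate_backup_location(s, current)
        print(f"{s!r:62} -> {reason}; applied {path}")
```

The point of the prefix check after `normpath` is that rejecting the literal string `\\` alone is not enough: a path such as `C:\...\Backups\..\..\..\Windows` is a valid local path that still escapes the intended directory, so both the network-path test and the containment test are needed, and both must run on the server rather than only in the browser.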
Read more: https://www.securityweek.com/kyocera-device-manager-vulnerability-exposes-enterprise-credentials/