Command execution vulnerability in Epson WebConfig - Frequently Asked Questions

Command execution vulnerability in Epson WebConfig

Vulnerability Reference: CVE-2025-66635

Description:

An administrator password is required to log in to WebConfig.

A malicious third party who obtains the administrator password can execute arbitrary commands by logging in to WebConfig and entering a specific string on a specific screen.

Impact:

The product settings could be reset or ping packets could be sent to other devices.


There are no reports of attacks exploiting this vulnerability to date.

Solution:

We strongly recommend applying the fixed firmware or applying a workaround to mitigate the impact of this vulnerability.


- Apply fixed firmware:

For products that are currently on sale, we have released fixed firmware as listed below. Please download it from the Epson website and apply the update.


- Take workaround:

To ensure the security of your Epson product, we recommend that end users and their administrators implement and maintain industry-standard security controls and practices when setting up and managing the administrator password and the network to which the product is connected.


<Administrator Password>

✅ Please set a unique password for each product.

✅ The administrator password should be a complex string of characters that is difficult for others to guess, such as eight or more characters that contain not only English letters but also symbols and numbers.

<Internet Connection>

✅ Do not connect the product directly to the Internet; install it within a network protected by a firewall.

✅ Please set a private IP address for the product.
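The two checklists above can be turned into a fleet audit. The following script is an added example, not Epson's code or part of this advisory: it walks a constructed inventory of printers (the device names, addresses and passwords are hypothetical sample data) and reports every device whose administrator password is missing, weaker than the eight-character letters-digits-symbols guideline, or shared with another device, and every device whose management address is outside the RFC 1918 private ranges.

```python
"""Audit a printer inventory against the WebConfig hardening checklist.

Per device: administrator password set, complex enough (8+ characters with
letters, digits and symbols), unique across the fleet, and the management
address inside an RFC 1918 private range.
"""
import ipaddress
import string
from collections import Counter

# RFC 1918 ranges checked explicitly rather than via ipaddress.is_private,
# which also treats documentation/test networks as private.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample inventory: hypothetical names, addresses and passwords.
INVENTORY = [
    {"name": "lfp-floor2", "ip": "192.168.20.15", "admin_password": "Tr0ub4dor&3!x"},
    {"name": "pos-lane1", "ip": "10.4.1.8", "admin_password": "printer1"},
    {"name": "pos-lane2", "ip": "10.4.1.9", "admin_password": "printer1"},
    {"name": "laser-lobby", "ip": "198.51.100.23", "admin_password": "Lobby#Pr1nter"},
]


def password_is_complex(pw):
    """Eight or more characters containing letters, digits and symbols."""
    if len(pw) < 8:
        return False
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in string.punctuation for c in pw)
    return has_letter and has_digit and has_symbol


def ip_is_private(ip):
    """True when the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def audit(inventory):
    """Return {device_name: [finding, ...]} for devices that fail the checklist."""
    counts = Counter(d["admin_password"] for d in inventory)
    findings = {}
    for d in inventory:
        issues = []
        pw = d["admin_password"]
        if not pw:
            issues.append("no administrator password set")
        elif not password_is_complex(pw):
            issues.append("administrator password too weak")
        if pw and counts[pw] > 1:
            issues.append("administrator password shared with another device")
        if not ip_is_private(d["ip"]):
            issues.append("management address is not in an RFC 1918 private range")
        if issues:
            findings[d["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(INVENTORY).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Run against the sample inventory it flags the two POS printers for a weak, shared password and the lobby printer for a non-private address; the large-format printer passes. Feed it your own inventory export to get the same report for a real fleet.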


For more information on securing your Epson product, please refer to the “Security Guidelines”.

The security guidelines are available on the following website:

Security for printers and MFPs


Affected Products

Laser Printers

Large Format Printers – Affected Products Action and Firmware LFP.pdf

POS Printers – Affected Products Action and Firmware POS.pdf