CVE-2013-6362

9.8 CRITICAL

📋 TL;DR

Xerox ColorCube and WorkCenter devices from 2013 contained hardcoded FTP and shell user accounts with known credentials. This allows attackers to gain unauthorized access to these devices, potentially compromising the entire network. Organizations using affected Xerox multifunction printers are vulnerable.

💻 Affected Systems

Products:
  • Xerox ColorCube
  • Xerox WorkCenter
Versions: 2013 models and their firmware versions
Operating Systems: Embedded printer OS
Default Config Vulnerable: ⚠️ Yes
Notes: All devices with default configurations are vulnerable. The hardcoded accounts cannot be removed or disabled without firmware updates.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device takeover leading to data exfiltration, lateral movement into corporate networks, installation of persistent malware, and use as attack launch points.

🟠 Likely Case: Unauthorized access to device configuration, document interception, credential harvesting, and potential foothold for further network attacks.

🟢 If Mitigated: Limited to device compromise only if network segmentation prevents lateral movement and monitoring detects unauthorized access attempts.

🌐 Internet-Facing: HIGH - Devices exposed to the internet can be directly attacked using the known credentials, without any other authentication.
🏢 Internal Only: HIGH - Internal attackers or malware can use these credentials to gain device access and potentially move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attackers only need to know the hardcoded credentials, which have been publicly documented. No special tools or skills are required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware updates from Xerox that remove hardcoded accounts

Vendor Advisory: https://www.xerox.com/support/security/advisory

Restart Required: Yes

Instructions:

1. Check the Xerox security advisory for affected models.
2. Download the latest firmware from the Xerox support portal.
3. Upload the firmware to the device via the web interface.
4. Reboot the device after installation.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate printer devices on a separate VLAN with strict firewall rules preventing outbound connections.

Access Control Lists (applies to: all)

Implement IP-based restrictions so that management access is only allowed from authorized administrative networks.

🧯 If You Can't Patch

  • Remove affected devices from the network, or place them behind a strict firewall with no internet access
  • Implement continuous monitoring of FTP and SSH connections to printer devices

🔍 How to Verify

Check if Vulnerable:

Attempt an FTP or SSH connection to the device using the hardcoded credentials documented in the security advisories; a successful login means the device is vulnerable.

Check Version:

Check the device web interface under Settings > System > About, or use an SNMP query.

Verify Fix Applied:

Verify that the firmware version matches the patched version in the Xerox advisory, and test that the hardcoded credentials no longer work.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts followed by successful login
  • FTP or SSH connections from unexpected IP addresses
  • Configuration changes outside maintenance windows

Network Indicators:

  • FTP/SSH traffic to printer devices from non-admin networks
  • Unexpected outbound connections from printer devices

SIEM Query:

dest_ip IN (printer_ips) AND (protocol='ftp' OR protocol='ssh') AND NOT source_ip IN (admin_networks)

(Pseudo-query: the printer is the destination of the management connection, and the alert fires when the source is outside the administrative networks. Add a second rule with source_ip IN (printer_ips) AND NOT dest_ip IN (admin_networks) to catch unexpected outbound connections from the printers.)
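The detection logic above, as an added example that is not part of this advisory page: a small Python script that applies both rules (management protocol to a printer from a non-admin host, and a printer initiating a connection outside the admin network) to firewall-style connection logs. The log format (`timestamp src_ip dst_ip dst_port action`), the printer VLAN `10.10.50.0/24`, the admin network `10.0.1.0/24`, and all log lines are constructed assumptions for the demonstration; substitute your own inventory and log parser.

```python
import ipaddress
from typing import Optional

# Constructed inventory (assumption): the printer VLAN and the admin network.
PRINTER_NETS = [ipaddress.ip_network("10.10.50.0/24")]
ADMIN_NETS = [ipaddress.ip_network("10.0.1.0/24")]
# Management protocols the advisory cares about, keyed by destination port.
MGMT_PORTS = {21: "ftp", 22: "ssh"}

# Constructed sample log lines: "<timestamp> <src_ip> <dst_ip> <dst_port> <action>".
SAMPLE_LOG = """\
2013-12-02T09:14:03Z 10.0.1.15 10.10.50.7 22 ALLOW
2013-12-02T09:15:41Z 10.0.7.88 10.10.50.7 21 ALLOW
2013-12-02T09:16:02Z 192.168.3.9 10.10.50.12 22 ALLOW
2013-12-02T09:17:30Z 10.10.50.7 203.0.113.44 443 ALLOW
2013-12-02T09:18:11Z 10.0.7.88 10.10.50.7 9100 ALLOW
2013-12-02T09:19:05Z 198.51.100.3 10.10.50.7 21 DENY
"""


def in_any(ip: str, nets) -> bool:
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for malformed lines instead of raising."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, action = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return {"ts": ts, "src": src, "dst": dst, "port": int(port), "action": action}
    except ValueError:
        return None


def classify(ev: dict) -> Optional[str]:
    """Return an alert reason for a connection event, or None if it looks benign."""
    if ev["action"] != "ALLOW":
        return None  # blocked attempts are worth counting, but are not a compromise
    # Rule 1: FTP/SSH reaching a printer from outside the admin network.
    if (in_any(ev["dst"], PRINTER_NETS)
            and ev["port"] in MGMT_PORTS
            and not in_any(ev["src"], ADMIN_NETS)):
        return f"{MGMT_PORTS[ev['port']]} to printer from non-admin host"
    # Rule 2: a printer initiating a connection to anything outside the admin/printer networks.
    if (in_any(ev["src"], PRINTER_NETS)
            and not in_any(ev["dst"], ADMIN_NETS)
            and not in_any(ev["dst"], PRINTER_NETS)):
        return "unexpected outbound connection from printer"
    return None


def scan_log(text: str) -> list:
    """Run the rules over a whole log; return (ts, src, dst, port, reason) tuples."""
    alerts = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reason = classify(ev)
        if reason:
            alerts.append((ev["ts"], ev["src"], ev["dst"], ev["port"], reason))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(*alert)
```

On the sample log this flags the FTP and SSH sessions from the two non-admin hosts and the printer's outbound HTTPS connection, while the SSH session from the admin network and the raw-print job on port 9100 pass silently. Keeping port 9100 (and whatever other print protocols you use) out of `MGMT_PORTS` is what keeps normal printing from generating noise.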

🔗 References
