CVE-2018-20768
📋 TL;DR
This vulnerability allows attackers to execute arbitrary PHP code on affected Xerox multifunction printers by exploiting a writable file. Attackers can achieve remote code execution with high privileges, potentially taking full control of the device. All listed Xerox WorkCentre and ConnectKey devices running vulnerable firmware versions are affected.
💻 Affected Systems
- Xerox WorkCentre 3655
- Xerox WorkCentre 3655i
- Xerox WorkCentre 58XX
- Xerox WorkCentre 58XXi
- Xerox WorkCentre 59XX
- Xerox WorkCentre 59XXi
- Xerox WorkCentre 6655
- Xerox WorkCentre 6655i
- Xerox WorkCentre 72XX
- Xerox WorkCentre 72XXi
- Xerox WorkCentre 78XX
- Xerox WorkCentre 78XXi
- Xerox WorkCentre 7970
- Xerox WorkCentre 7970i
- Xerox ConnectKey EC7836
- Xerox ConnectKey EC7856
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the printer device, allowing attackers to steal scanned documents, intercept print jobs, pivot to internal networks, install persistent malware, or use the device as a foothold for further attacks.
Likely Case
Remote code execution leading to data exfiltration, device takeover for malicious activities like cryptomining, or disruption of printing services.
If Mitigated
Limited impact if devices are isolated from internet, have strict network controls, and are monitored for suspicious activity.
🎯 Exploit Status
The vulnerability allows PHP code execution through a writable file, which typically requires minimal technical skill to exploit once the attack vector is understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: R18-05 073.xxx.0487.15000 or later
Vendor Advisory: https://securitydocs.business.xerox.com/wp-content/uploads/2018/07/cert_Security_Mini_Bulletin_XRX18Y_for_ConnectKey_EC78xx_v1.0.pdf
Restart Required: Yes
Instructions:
1. Download the firmware update from Xerox support portal. 2. Upload the firmware file through the printer's web interface. 3. Apply the update and restart the device. 4. Verify the firmware version after restart.
🔧 Temporary Workarounds
Network segmentation
allIsolate printers from untrusted networks and restrict access to necessary services only.
Disable unnecessary services
allTurn off web interface, FTP, or other services not required for operation.
🧯 If You Can't Patch
- Segment printers on isolated VLANs with strict firewall rules
- Implement network monitoring for suspicious traffic to/from printers
🔍 How to Verify
Check if Vulnerable:
Access printer web interface, navigate to Settings > Properties > About, check firmware version.Check Version:
Not applicable - use web interface or device displayVerify Fix Applied:
Verify firmware version is R18-05 073.xxx.0487.15000 or later in the About section.📡 Detection & Monitoring
Log Indicators:
- Unusual file write operations in PHP directories
- Unexpected PHP process execution
- Unauthorized configuration changes
Network Indicators:
- Unusual HTTP POST requests to printer web interface
- Suspicious file uploads to printer services
- Unexpected outbound connections from printer
SIEM Query:
source="printer_logs" AND (event="file_write" OR event="php_execution")