CVE-2021-28671
📋 TL;DR
This CVE describes a remote command execution vulnerability in the web interface of Xerox Phaser, WorkCentre and VersaLink printers and multifunction devices. An attacker can execute arbitrary commands on an affected device by importing a weaponized clone file (a crafted device-configuration clone) through the web interface. The models listed below are affected when running firmware older than the fixed versions in the Xerox bulletin.
💻 Affected Systems
- Xerox Phaser 6510
- WorkCentre 6515
- VersaLink B400
- VersaLink B405
- VersaLink B600/B610
- VersaLink B605/B615
- VersaLink B7025/30/35
- VersaLink C400
- VersaLink C405
- VersaLink C500/C600
- VersaLink C505/C605
- VersaLink C7000
- VersaLink C7020/25/30
- VersaLink C8000/C9000
- VersaLink C8000W
📦 What is this software?
Phaser 6510 is a Xerox colour printer, WorkCentre 6515 a colour multifunction device, and VersaLink a family of Xerox office printers and multifunction devices. All of them run Xerox's embedded firmware and expose an embedded web server for remote administration. That web interface includes a cloning function that exports a device's configuration to a clone file which can be imported on another device; this is the import path the CVE concerns.
⚠️ Risk & Real-World Impact
Worst Case
Full device compromise allowing attackers to install persistent malware, steal sensitive documents, pivot to internal networks, or use devices as part of botnets.
Likely Case
Data exfiltration from scanned documents, device disruption, or use as internal network foothold for further attacks.
If Mitigated
Limited impact if the web interface is disabled or reachable only from a management network; the firmware itself remains vulnerable until patched.
🎯 Exploit Status
The Xerox bulletin describes the attack as using a 'weaponized clone file', i.e. a crafted device-configuration clone imported through the web interface, so a working exploitation method is known. No authentication is required to exploit the web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Phaser 6510 64.65.51 (bridge release 64.59.11), WorkCentre 6515 65.65.51 (bridge release 65.59.11), VersaLink B400 37.65.51 (bridge release 37.59.01), etc. (see advisory for complete list)
Vendor Advisory: https://securitydocs.business.xerox.com/wp-content/uploads/2021/03/cert_Security_Mini_Bulletin_XRX21D_for_PH6510_WC6515_VersaLink-1.pdf
Restart Required: Yes
Instructions:
1. Download the firmware update for the exact model from the Xerox support portal.
2. Upload the firmware through the printer web interface.
3. Apply the update. The bulletin lists a bridge release alongside the main release for each model; follow the bulletin's upgrade path for the version the device is currently running.
4. Reboot the printer.
5. Verify that the reported firmware version is at or above the fixed version for that model.
🔧 Temporary Workarounds
Disable Web Interface
Disable the web user interface to prevent remote exploitation. This also removes remote management of the device and does not fix the firmware; re-enable it only after patching.
Access printer settings > Network/Protocols > HTTP/HTTPS > Disable
Network Segmentation
Isolate printers on a separate VLAN and restrict access to the web interface (TCP 80/443) to management hosts only.
🧯 If You Can't Patch
- Disable web interface completely
- Implement strict network ACLs so that only the management hosts that actually administer the printers can reach TCP 80/443 on them
🔍 How to Verify
Check if Vulnerable:
Read the firmware version from the printer web interface (Settings > Device Information > Firmware Version; exact menu path varies by model) or from the configuration report printed from the control panel, and compare it with the fixed version for that model in the advisory.
Check Version:
Navigate to the printer's IP address in a browser and read the firmware version from the device information page.
Verify Fix Applied:
Verify that the firmware version is at or above the fixed version listed in the advisory for that model's release train (main or bridge release).
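Comparing versions by hand across a fleet is error-prone because each model has two fix levels (a main release and a bridge release). The script below is an added example, not Xerox's code: it classifies an inventory of devices against the fix levels quoted on this page. The three model entries are the versions given above; the other models must be added from the bulletin. The inventory lines are constructed, and the rule for which fix level applies to a given build is our reading of the CVE's "before X and Y (Bridge)" wording, flagged as an assumption in the code.

```python
"""Classify Xerox device firmware versions against the CVE-2021-28671 fix levels.

Added example, not Xerox's code. Fix levels for the three models below are the
ones quoted in the bulletin summary on this page; the remaining models must be
taken from the Xerox bulletin. The inventory is constructed sample data.
"""
import csv
import io

# Fixed versions per model: (main release, bridge release).
FIXED = {
    "Phaser 6510": ("64.65.51", "64.59.11"),
    "WorkCentre 6515": ("65.65.51", "65.59.11"),
    "VersaLink B400": ("37.65.51", "37.59.01"),
}


def parse_version(text):
    """'64.65.51' -> (64, 65, 51); raises ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(model, version):
    """True if `version` is below the fix level for its release train.

    Assumption (ours, from the CVE's 'before X and Y (Bridge)' wording): a
    build whose first two components match the bridge release (e.g. 64.59.x)
    is fixed at or above the bridge version; any other build is fixed only at
    or above the main release.
    """
    main_fix, bridge_fix = (parse_version(v) for v in FIXED[model])
    v = parse_version(version)
    if v[:2] == bridge_fix[:2]:
        return v < bridge_fix
    return v < main_fix


# Constructed inventory export; hostnames, models and versions are made up.
SAMPLE_INVENTORY = """\
hostname,model,firmware
prn-fl1-01,Phaser 6510,64.59.05
prn-fl1-02,Phaser 6510,64.65.51
prn-fl2-01,WorkCentre 6515,65.63.20
prn-fl2-02,VersaLink B400,37.59.01
prn-fl3-01,VersaLink C7000,56.61.00
"""


def triage(inventory_csv):
    """Return {hostname: 'vulnerable' | 'fixed' | 'unknown model'}."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        model = row["model"]
        if model not in FIXED:
            # Model not in our table: look its fix level up in the bulletin.
            results[row["hostname"]] = "unknown model"
            continue
        vulnerable = is_vulnerable(model, row["firmware"])
        results[row["hostname"]] = "vulnerable" if vulnerable else "fixed"
    return results


if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {state}")
```

Note that a build such as 65.63.20 sits above the bridge fix but below the main fix; under the reading above it is still vulnerable, which is why the two trains must be compared separately rather than against the lower of the two numbers.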
📡 Detection & Monitoring
Log Indicators:
- Web interface logins or configuration changes outside maintenance windows
- Clone file imports or firmware/software updates that no administrator scheduled
- Device audit-log entries for configuration changes that cannot be matched to a known administrator action
Network Indicators:
- Unusual outbound connections from printers
- HTTP requests to printer web interface from unexpected sources
- File uploads (multipart POST requests) to printer web interfaces from hosts that do not normally manage them
SIEM Query:
source="printer_logs" AND (event="firmware_update" OR event="web_interface_access" OR event="command_execution")
The query is illustrative; the source and field names depend on how printer logs are ingested. Printers typically emit only syslog and SNMP, so web-interface access events usually have to come from a firewall or proxy in front of the printer VLAN rather than from the device itself.
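The network indicators above can be checked mechanically against access logs from whatever sits in front of the printer VLAN. The script below is an added example, not part of the Xerox bulletin: it parses an assumed NCSA-style access log (client IP, destination IP, request line, status, bytes, content type) and flags two things, web-interface access to a printer from outside the management network and any multipart file upload to a printer, which is the mechanism by which a clone file would reach the device. The subnets, the log format and the sample lines are constructed; the request paths are generic placeholders, not Xerox endpoints.

```python
"""Flag suspicious access to printer web interfaces in HTTP access logs.

Added example, not from the Xerox bulletin. The log format, the addresses and
the request paths are assumptions; the sample lines are constructed.
"""
import ipaddress
import re

PRINTER_NET = ipaddress.ip_network("10.20.30.0/24")  # assumed printer VLAN
MGMT_NETS = [ipaddress.ip_network("10.0.5.0/24")]    # assumed admin hosts

# client_ip dest_ip "METHOD /path HTTP/1.1" status bytes "content-type"
LINE_RE = re.compile(
    r'^(?P<src>\S+) (?P<dst>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ctype>[^"]*)"$'
)

# Constructed sample: lines 2 and 4 carry uploads, lines 3 and 4 come from a
# host outside the management network.
SAMPLE_LOG = """\
10.0.5.12 10.20.30.41 "GET /status HTTP/1.1" 200 5120 "-"
10.0.5.12 10.20.30.41 "POST /config HTTP/1.1" 200 312 "multipart/form-data; boundary=x"
192.168.77.9 10.20.30.41 "GET /status HTTP/1.1" 200 5120 "-"
192.168.77.9 10.20.30.41 "POST /config HTTP/1.1" 200 312 "multipart/form-data; boundary=y"
10.0.5.12 10.20.30.42 "GET /jobs HTTP/1.1" 200 880 "-"
"""


def classify(line):
    """Return the list of reasons this line is suspicious (empty if none).

    Rule 1: a printer's web interface is reached from a non-management host.
    Rule 2: a file is uploaded (multipart POST) to a printer from any source;
            every upload should be matched to a planned change.
    """
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable line"]
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    if dst not in PRINTER_NET:
        return []  # not printer traffic; out of scope for this check
    reasons = []
    if not any(src in net for net in MGMT_NETS):
        reasons.append(f"printer web access from non-management host {src}")
    if m["method"] == "POST" and m["ctype"].startswith("multipart/form-data"):
        reasons.append(f"file upload to printer {dst} from {src}")
    return reasons


def scan(log_text):
    """Return [(line_number, reasons)] for every line with a finding."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        reasons = classify(line)
        if reasons:
            findings.append((number, reasons))
    return findings


if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        for reason in reasons:
            print(f"line {number}: {reason}")
```

Uploads from management hosts are reported too, deliberately: the workaround of restricting access only narrows the set of hosts that can deliver a clone file, so each upload still needs to be tied to a change record.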