CVE-2023-50916

7.2 HIGH

📋 TL;DR

Kyocera Device Manager before version 3.1.1213.0 contains a path traversal vulnerability that allows attackers to force the application to authenticate to attacker-controlled UNC paths using NTLM credentials. This affects administrators who can configure backup locations, potentially exposing Windows authentication hashes to credential relaying or cracking attacks.

💻 Affected Systems

Products:
  • Kyocera Device Manager
Versions: All versions before 3.1.1213.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrative access to the Kyocera Device Manager interface or ability to intercept/modify requests.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers capture NTLM hashes from domain administrators, relay them to other systems, and gain full domain compromise through lateral movement and privilege escalation.

🟠

Likely Case

Attackers capture NTLM hashes from service accounts or regular users, enabling lateral movement within the network and potential data exfiltration.

🟢

If Mitigated

With proper network segmentation and NTLM restrictions, attackers can only capture hashes but cannot relay them to valuable targets.

🌐 Internet-Facing: LOW - This requires access to the Kyocera Device Manager interface, which is typically internal.
🏢 Internal Only: HIGH - Internal attackers or compromised systems can exploit this to capture credentials and move laterally.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires intercepting/modifying HTTP requests or direct API access. The technique of forcing NTLM authentication via UNC paths is well-known and tools exist for credential relaying.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.1213.0

Vendor Advisory: https://www.kyoceradocumentsolutions.us/en/about-us/pr-and-award-certifications/press/kyocera-device-manager-cve-2023-50196-vulnerability-solution-update.html

Restart Required: Yes

Instructions:

1. Download Kyocera Device Manager version 3.1.1213.0 or later from Kyocera's official website.
2. Run the installer as administrator.
3. Follow the installation wizard.
4. Restart the system after installation completes.

🔧 Temporary Workarounds

Restrict UNC Path Access

Configure Windows firewall or network policies to block outbound SMB connections from the Kyocera Device Manager server to untrusted networks.

New-NetFirewallRule -DisplayName "Block Kyocera UNC Outbound" -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block -Program "C:\Program Files\Kyocera\Device Manager\KyoceraDeviceManager.exe"

Disable NTLM Authentication

Configure Windows to use Kerberos only or restrict NTLM usage through Group Policy.

gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Deny all

🧯 If You Can't Patch

  • Segment the Kyocera Device Manager server on an isolated network VLAN with no access to other critical systems.
  • Implement strict outbound firewall rules blocking SMB (port 445) and NetBIOS (ports 137-139) traffic from the affected server to all but necessary backup locations.
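The firewall rule in the workaround above and the "all but necessary backup locations" advice in this list pull in opposite directions: Windows Defender Firewall evaluates Block rules before Allow rules, so a plain block on port 445 for the program cannot be punched through with an Allow rule for the backup server. The script below (an added example, not Kyocera's code or part of the advisory) handles that by giving the Block rule every IPv4 range except the approved backup hosts. The program path and the backup server addresses are assumed placeholders; substitute your own.

```powershell
# Added example (not from the advisory): block outbound SMB/NetBIOS from Kyocera Device Manager
# to everything except approved backup hosts. Because Block rules win over Allow rules, the
# block is scoped with the complement of the approved addresses instead of adding an Allow rule.
$Program       = 'C:\Program Files\Kyocera\Device Manager\KyoceraDeviceManager.exe'   # assumed install path
$BackupServers = @('10.0.5.20', '10.0.5.21')                                           # constructed placeholders

function ConvertTo-UInt32Address([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # network byte order
    [Array]::Reverse($bytes)                                         # BitConverter is little-endian
    return [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-UInt32Address([uint32]$Value) {
    $bytes = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($bytes)
    return ([System.Net.IPAddress]::new($bytes)).IPAddressToString
}

# Return IPv4 ranges ("start-end") covering the unicast space 1.0.0.0-223.255.255.255
# minus the addresses in $Allowed. These are the ranges the Block rule will apply to.
function Get-ComplementRanges([string[]]$Allowed) {
    $sorted = $Allowed | ForEach-Object { ConvertTo-UInt32Address $_ } | Sort-Object -Unique
    $ranges = @()
    $cursor = ConvertTo-UInt32Address '1.0.0.0'
    $end    = ConvertTo-UInt32Address '223.255.255.255'
    foreach ($a in $sorted) {
        if ($a -gt $cursor) {
            $ranges += ('{0}-{1}' -f (ConvertFrom-UInt32Address $cursor), (ConvertFrom-UInt32Address ($a - 1)))
        }
        $cursor = $a + 1
    }
    if ($cursor -le $end) {
        $ranges += ('{0}-{1}' -f (ConvertFrom-UInt32Address $cursor), (ConvertFrom-UInt32Address $end))
    }
    return $ranges
}

$blockedRanges = Get-ComplementRanges $BackupServers
# e.g. 1.0.0.0-10.0.5.19 and 10.0.5.22-223.255.255.255 for the two placeholder hosts above

# SMB (445) and NetBIOS session (139) over TCP, NetBIOS name/datagram (137, 138) over UDP.
New-NetFirewallRule -DisplayName 'Kyocera DM: block SMB/NetBIOS TCP except backup hosts' `
    -Direction Outbound -Program $Program -Protocol TCP -RemotePort 139,445 `
    -RemoteAddress $blockedRanges -Action Block
New-NetFirewallRule -DisplayName 'Kyocera DM: block NetBIOS UDP except backup hosts' `
    -Direction Outbound -Program $Program -Protocol UDP -RemotePort 137,138 `
    -RemoteAddress $blockedRanges -Action Block
```

The port rules only cover SMB and NetBIOS; the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy from the workaround above applies regardless of transport and should be kept alongside them. Run the script in an elevated PowerShell session and confirm with `Get-NetFirewallRule -DisplayName 'Kyocera DM:*' | Get-NetFirewallAddressFilter`.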

🔍 How to Verify

Check if Vulnerable:

Check Kyocera Device Manager version in Help -> About. If version is below 3.1.1213.0, the system is vulnerable.

Check Version:

Check 'Help -> About' in Kyocera Device Manager GUI or examine installed programs in Control Panel.

Verify Fix Applied:

Verify version is 3.1.1213.0 or higher in Help -> About. Test that UNC paths cannot be set in backup location configuration.
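The version check above can be scripted for fleet-wide verification. The script below is an added example (not from the advisory or Kyocera) that reads the installed version from the Windows Uninstall registry hives and compares it with the fixed version; the `DisplayName` match pattern is an assumption about how the installer registers itself and may need adjusting.

```powershell
# Added example (not from the advisory): report whether the installed Kyocera Device Manager
# is older than the fixed release 3.1.1213.0.
$FixedVersion  = [version]'3.1.1213.0'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-KyoceraDeviceManagerStatus {
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Kyocera*Device Manager*' }   # assumed DisplayName pattern

    if (-not $entries) {
        return [pscustomobject]@{ Installed = $false; Name = $null; Version = $null; Vulnerable = $null }
    }

    foreach ($e in $entries) {
        $parsed = $null
        $ok = [version]::TryParse([string]$e.DisplayVersion, [ref]$parsed)
        [pscustomobject]@{
            Installed  = $true
            Name       = $e.DisplayName
            Version    = $e.DisplayVersion
            # Anything below 3.1.1213.0 is affected; an unparseable version is flagged for manual review.
            Vulnerable = if ($ok) { $parsed -lt $FixedVersion } else { 'unknown (check Help -> About)' }
        }
    }
}

Get-KyoceraDeviceManagerStatus | Format-Table -AutoSize
```

Run it on each host that carries the Device Manager, or wrap the function in `Invoke-Command -ComputerName` for remote collection. The `[version]` comparison is numeric per component, so 3.1.999.0 correctly sorts below 3.1.1213.0.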

📡 Detection & Monitoring

Log Indicators:

  • Windows Security event logs showing NTLM authentication attempts from the Kyocera Device Manager service account to unexpected UNC paths
  • Application logs showing backup location changes to UNC paths

Network Indicators:

  • SMB traffic (port 445) from the Kyocera Device Manager server to unexpected IP addresses
  • NetBIOS name resolution requests for suspicious hostnames

SIEM Query:

(source="Windows Security" EventCode=4624 AuthenticationPackage=NTLM ProcessName="*KyoceraDeviceManager*") OR (source="Kyocera Device Manager" (message="*UNC*" OR message="*\\\\*"))

Note that event 4624 is written on the host that receives the authentication (file servers, domain controllers), not on the Device Manager server itself; outgoing NTLM from the Device Manager host only appears in its own logs when NTLM auditing is enabled through the same "Network security: Restrict NTLM" policy group used in the workaround above.
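For hosts where the "Restrict NTLM: Audit outgoing NTLM traffic" policy is enabled, each outgoing NTLM authentication is recorded in the Microsoft-Windows-NTLM/Operational log as event 8001, which makes the "unexpected UNC path" indicator above checkable locally. The script below is an added example (not from the advisory) that compares the target server of each such event with an allowlist of approved backup hosts; the server names are constructed placeholders, and the `Target server:` line it parses is an assumption about the 8001 message text that should be verified against your own events.

```powershell
# Added example (not from the advisory): list outgoing NTLM authentications from this host
# whose target is not an approved backup server.
$ApprovedTargets = @('BACKUP01', 'backup01.corp.example')   # constructed placeholders
$Since           = (Get-Date).AddDays(-7)

function Get-UnexpectedOutgoingNtlm {
    param([string[]]$Approved, [datetime]$StartTime)

    # Event 8001 is only logged when outgoing NTLM auditing is enabled via Group Policy.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # Assumed message layout: the 8001 text carries a "Target server: <name>" line.
        $target = if ($ev.Message -match 'Target server:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
        $short  = ($target -split '\.')[0]
        # -notcontains is case-insensitive, so NetBIOS and DNS spellings both match the allowlist.
        if ($Approved -notcontains $target -and $Approved -notcontains $short) {
            [pscustomobject]@{
                Time    = $ev.TimeCreated
                Target  = $target
                Summary = ($ev.Message -split "`n")[0].Trim()
            }
        }
    }
}

Get-UnexpectedOutgoingNtlm -Approved $ApprovedTargets -StartTime $Since | Format-Table -AutoSize
```

An empty result with auditing enabled means no outgoing NTLM left the host for a non-approved target in the window; a result listing an unfamiliar host should be cross-checked against the backup location configured in the Device Manager.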
