CVE-2025-22470
📋 TL;DR
This vulnerability allows attackers to upload malicious Lua script files to affected SATO CL4/6NX Plus printers and execute them with root privileges. It affects SATO CL4/6NX Plus and CL4/6NX-J Plus printers with firmware versions prior to 1.15.5-r1. Attackers can achieve complete system compromise through this file upload vulnerability.
💻 Affected Systems
- SATO CL4/6NX Plus
- SATO CL4/6NX-J Plus (Japan model)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with root privileges, allowing installation of persistent backdoors, data exfiltration, lateral movement to other network devices, and disruption of printing operations.
Likely Case
Remote code execution leading to printer compromise, credential theft, network reconnaissance, and potential ransomware deployment on vulnerable printers.
If Mitigated
Limited impact if network segmentation isolates printers and file upload functionality is restricted through access controls.
🎯 Exploit Status
The vulnerability allows unauthenticated file upload leading to RCE, making exploitation straightforward for attackers with network access to the printer.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.15.5-r1
Vendor Advisory: https://www.sato-global.com/support_notices/240830/
Restart Required: Yes
Instructions:
1. Download firmware version 1.15.5-r1 from SATO support portal.
2. Access printer web interface.
3. Navigate to firmware update section.
4. Upload and apply the new firmware.
5. Reboot printer after update completes.
🔧 Temporary Workarounds
Network Segmentation
Isolate printers on separate VLANs with strict firewall rules limiting access to necessary ports only.
Disable Unnecessary Services
Disable web interface if not required for operations, or restrict access to specific management IPs only.
🧯 If You Can't Patch
- Implement strict network access controls to limit printer access to authorized management systems only
- Monitor printer network traffic for unusual file upload attempts and Lua script execution patterns
🔍 How to Verify
Check if Vulnerable:
Check firmware version via printer web interface or serial console. If version is below 1.15.5-r1, the system is vulnerable.
Check Version:
Access printer web interface at http://[printer-ip]/ and navigate to System Information or Settings page to view firmware version.
Verify Fix Applied:
Confirm firmware version shows 1.15.5-r1 or higher in printer settings. Test file upload functionality to ensure malicious files are rejected.
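For a fleet of printers, the firmware comparison described above can be scripted instead of checked by eye. This is an added example, not code from this page or from the vendor; it assumes firmware strings follow the `X.Y.Z-rN` pattern of the fixed version, treats a missing `-rN` as revision 0, and uses a constructed inventory.

```python
import re

FIXED_VERSION = "1.15.5-r1"  # first fixed firmware, taken from the advisory text

# Assumed format: dotted numeric fields with an optional "-rN" revision suffix.
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(?:-r(\d+))?\s*$", re.IGNORECASE)


def parse_firmware(text):
    """Return ((major, minor, ...), revision), or None if the string is unparseable."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    fields = tuple(int(p) for p in m.group(1).split("."))
    revision = int(m.group(2)) if m.group(2) else 0  # assumption: no suffix == r0
    return fields, revision


def classify(firmware, fixed=FIXED_VERSION):
    """Classify one firmware string as 'vulnerable', 'patched' or 'unknown'."""
    have, want = parse_firmware(firmware), parse_firmware(fixed)
    if have is None or want is None:
        return "unknown"  # never assume patched when the string cannot be read
    width = max(len(have[0]), len(want[0]))
    pad = lambda f: f + (0,) * (width - len(f))  # so 1.16 compares as 1.16.0
    have_key, want_key = (pad(have[0]), have[1]), (pad(want[0]), want[1])
    return "vulnerable" if have_key < want_key else "patched"


def triage(inventory):
    """Group hosts from (host, firmware) pairs by their classification."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for host, firmware in inventory:
        report[classify(firmware)].append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("label-01.example.internal", "1.15.5-r1"),
    ("label-02.example.internal", "1.15.5"),    # same fields, no revision: below r1
    ("label-03.example.internal", "1.9.8-r3"),  # 9 < 15 numerically, not as text
    ("label-04.example.internal", "1.16.0-r1"),
    ("label-05.example.internal", "n/a"),       # unreadable: needs a manual check
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` should be checked by hand through the web interface rather than treated as patched.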
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload attempts to printer web interface
- Lua script execution in printer logs
- Multiple failed authentication attempts followed by successful file upload
Network Indicators:
- HTTP POST requests to printer upload endpoints with Lua file extensions
- Unusual outbound connections from printer to external IPs
- Traffic patterns indicating command and control communication
SIEM Query:
source="printer_logs" AND (event="file_upload" OR event="script_execution" OR file_extension=".lua")