A vulnerability has been confirmed in some Epson printers, scanners, and network interface products in the software (Web Config) that allows you to check the product’s status or change its settings via a web browser.
With Web Config, you can check the product’s status or change its settings by entering the product’s IP address in the URL field of a web browser such as Edge or Safari. Web Config may be called Remote Manager on some products.
If the administrator password is not set (empty) on the affected product and you access the product via Web Config, it becomes possible to set the password, which may allow a malicious third party to take over the device and operate it remotely.
Epson did report that currently, there are no reports of attacks exploiting this vulnerability.
Affected devices are listed here: https://www.epson.jp/support/misc_t/240930_03_oshirase.htm
Epson recommends to not connect the product directly to the Internet. Install the product in a network protected by a firewall and in that case, set a private IP address and operate the product. The administrator password should be a complex string of characters that is difficult for others to guess, such as a combination of not only English letters but also symbols and numbers and be eight characters or more in length.
