CISO Brief · Banking

Five MFP CVEs Every Bank CISO Should Know in 2026

If you sit in a CISO chair at a community or regional bank, the next time someone on your team asks why you would prioritize multifunction printer security, this is the post to send them. Five CVEs, all active in 2026, all directly relevant to financial-institution branch and back-office networks.

Author: Karl Falk, CEO, Botdoc
Published:
Reading time: ~10 min

The list below is not exhaustive. It is the back-pocket reference, the five things that come up most often in the trace work our channel partners run on bank fleets. If your audit firm or pen tester is starting to ask about MFP scope in 2026 engagements, these are the CVEs they will reference.

CVE-2024-12510, Xerox VersaLink credential pass-back (scan-to-email)

CVSS 7.5 High Disclosed Jan 2025 Active exploitation Q1 2026

Affects Xerox VersaLink C7000, C8000, and C9000 series. Some WorkCentre 5000 series. Patches available; deployment lag is real on community-bank fleets.

The attack works in five steps. An attacker on the same network segment as the MFP, or with a compromised endpoint anywhere on the corporate network, spoofs the SMTP relay the MFP is configured to use. The MFP attempts to relay a scan-to-email job. The spoofed relay returns an error. The MFP re-authenticates using its stored cleartext SMTP AUTH PLAIN credentials. The attacker captures the credentials in the spoofed relay's transaction log.

The captured credential is typically a domain service account. In a financial-institution branch network, that account often has permissions to file shares (the same account is used for scan-to-folder), LDAP queries (the same account populates the MFP's address book), and printer-driver management (the same account installs and configures drivers across the fleet). A single MFP compromise can yield credentials that work across hundreds of devices.

What to verify on your fleet. Does your VersaLink fleet have the latest firmware? Is SMTP configured for AUTH PLAIN, or for stronger mechanisms (AUTH LOGIN over TLS, AUTH CRAM-MD5)? Are the SMTP service-account permissions scoped to the minimum needed for relay, or do they overlap with file-share and LDAP permissions?

CVE-2024-12511, Xerox VersaLink credential pass-back (scan-to-folder SMB)

CVSS 7.5 High Disclosed Jan 2025 Companion to 12510

Same attack class executed through scan-to-folder rather than scan-to-email. The attacker modifies the MFP's user address book or scan-to-folder destination configuration to point the SMB target to a host the attacker controls. The MFP authenticates to the spoofed SMB host using its stored credentials. The handshake is NetNTLMv2. The attacker captures the hash and either cracks it offline or relays it to a domain controller using tools like Impacket's ntlmrelayx.

In a financial branch network, the SMB credentials stored on the MFP are typically a domain user with broader permissions than the SMTP service account. The captured hash often gives the attacker access to file shares containing customer-document scans, audit-trail records, and operational documents.

What to verify. Same firmware version as CVE-2024-12510. Is SMB v1 still enabled on the MFP? (It often is, for legacy compatibility.) Is the scan-to-folder service account a low-privilege account scoped only to the scan-target share, or is it a domain user with broader access?

CVE-2023-27350, PaperCut MF/NG unauthenticated RCE

CVSS 9.8 Critical CISA AA23-131A FBI-confirmed exploitation

Affects PaperCut MF and NG before version 20.1.3. PaperCut is the print-management software in roughly 30 to 40 percent of Fortune 500 organizations and a similar share of mid-sized banks.

The vulnerability is unauthenticated. An attacker with HTTP access to the PaperCut management interface (often exposed on the internal corporate network) sends a crafted request to the API and achieves remote code execution on the PaperCut server. From the PaperCut server, the attacker can modify print queues across the entire managed fleet, capture printer-job metadata (which often contains user names, document titles, and timestamps), pivot to the underlying Windows or Linux server hosting PaperCut, and access the Active Directory service account PaperCut uses for authentication.

The blast radius from a single PaperCut compromise can extend to the entire institution's print and scan infrastructure plus a beachhead in the Windows domain.

What to verify. Is your PaperCut version 20.1.3 or later? Is the PaperCut management interface accessible only from a restricted administrative network segment? Is the PaperCut service account in Active Directory scoped to the minimum needed for printer management?

CVE-2024-51978, Brother and four-vendor coordinated disclosure

CVSS 9.8 Critical Disclosed June 2025 748 device models Unpatchable in legacy

This is the most operationally awkward CVE on the list. The vulnerability allows unauthenticated attackers to derive default administrator passwords for affected devices. Affected: 748 device models across Brother, Ricoh, Konica Minolta, Fujifilm Business Innovation, and Toshiba Tec. The derivation algorithm is documented in the disclosure. The fix requires a firmware update that the legacy devices cannot accept.

For financial institutions operating heterogeneous MFP fleets that include any of the 748 affected models, the practical answer is mitigation rather than remediation. The mitigations are network segmentation (move affected devices to a restricted VLAN with no inbound access from the general corporate network), administrative account rotation (change default passwords manually and frequently), and device replacement on the next refresh cycle.

The June 2025 disclosure also included CVE-2025-6081, a pass-back attack on Konica Minolta bizhub 227, which was disclosed as not fixed at the time of publication.

What to verify. What MFP models are in your fleet? Cross-reference against the 748-model list. What is the network segmentation status of any matching devices? When is the next fleet refresh planned?

CVE-2018-5924 and CVE-2018-5925, Faxploit

CVSS 7.5 Black Hat USA 2018 Check Point Research Passive attack

Affects HP, Xerox, and other MFPs with fax capability. Specifically affects fax image-parsing code that processes inbound TIFF transmissions. Patches available, but fax functionality remains in heavy use in financial workflows (mortgage applications, escrow instructions, ACH authorizations, insurance claims).

Faxploit is a passive attack. The attacker sends a specially crafted fax transmission with a malformed TIFF header. The MFP's fax-image-parsing code experiences memory corruption, leading to code execution on the device. No user interaction is required. The MFP is compromised the moment the fax arrives.

In a financial institution context, this matters for two reasons. First, fax inbound is often less monitored than email or web traffic. Anomalous fax transmissions do not trigger the same alerting that anomalous email attachments do. Second, the MFP-as-pivot-point is real. Once compromised via fax, the device can be used for the captive-portal AD credential theft pattern (LARES Labs, NCC Group, Trustwave SpiderLabs research) or as a launchpad for the credential pass-back attacks above.

What to verify. Is the fax-firmware patch level current on your fleet? Are inbound fax transmissions logged with the same scrutiny as inbound email? Are MFPs with fax capability on the same network segment as endpoint workstations?

How to use this list

Three concrete actions for the CISO chair.

First, run the trace template. SecureMFP provides a free trace template that captures the configuration state on three devices in your fleet. The template runs locally; no data leaves your network. It produces a per-device readout (SMTP authentication mode, encryption status, credential storage in configuration backup, address-book LDAP query mode) and a fleet-wide summary. Total runtime under an hour. Get the template at the CISO brief.

Second, add the CVE list to your next pen-test or audit-firm engagement scope. Pen testers and SOC 2 auditors are starting to scope MFP scan-to-email as a discrete add-on in 2026 engagements. Reference NIST SP 800-115 (penetration testing guidance) and NIST SP 1800-29 (the April 2024 publication that explicitly named printers and MFPs as IoT-adjacent devices) to anchor the scope justification. Your audit firm may have an internal methodology already; if not, our auditor page has the methodology and the control-language draft.

Third, register MFP scan-to-email as a discrete control in your WISP. This is the structural fix. The control belongs in your written information security program with documented credentials, key management, audit logs, and 30-day breach-detection capability. We supply the control-language draft and the testing approach.

The five CVEs above are the immediate technical surface. The structural improvement is the WISP control. Both close together.

Next step

Get the trace template

The CVE shortlist is the immediate technical surface. The trace template runs on three devices in your fleet in under an hour and shows you which CVEs apply to your specific configuration.

Get the Audit Gap Handler