Skip to main content

EPSON Web Config CVE-2026-58315

| EUVDEUVD-2026-42007 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-07 vultures@jpcert.or.jp GHSA-2m7v-q2j4-mr6f
5.1
CVSS 4.0 · Vendor: jpcert
Share

Severity by source

Vendor (jpcert) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-delivered CSRF requiring victim interaction (UI:R); no privileges for attacker (PR:N); only limited integrity impact with no scope change or confidentiality/availability effect.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (jpcert).

CVSS VectorVendor: jpcert

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 06:39 vuln.today

DescriptionCVE.org

Cross-site request forgery vulnerability exists in SEIKO EPSON Web Config. If a user views a malicious page while logged into Web Config, unintended operations may be performed.

AnalysisAI

Cross-site request forgery in SEIKO EPSON Web Config allows a remote, unauthenticated attacker to trigger unintended configuration changes on Epson network devices by luring an authenticated administrator into visiting a malicious web page. The vulnerability (CWE-352) requires no privileges on the attacker's side but depends on an active, authenticated Web Config session on the victim's browser. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker identifies Web Config endpoint IP
Delivery
Crafts malicious page with forged CSRF request
Exploit
Victim admin visits malicious page while authenticated
Execution
Browser auto-submits forged request with session credentials
Persist
Web Config processes request
Impact
Unintended device configuration change applied

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target user is actively authenticated to the SEIKO EPSON Web Config interface in their browser at the time of attack - unauthenticated sessions cannot be exploited. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.1 (Medium) is proportionate for a CSRF with limited integrity impact (VI:L) and no confidentiality or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a targeted phishing email containing a link to a malicious web page that includes hidden HTML forms or JavaScript making forged HTTP requests to the victim's local Epson Web Config endpoint. If a network administrator clicks the link while their browser holds an active Web Config session, the forged request is submitted with their credentials, silently altering printer or device configuration - such as changing scan-to-email destinations or modifying network settings - without the administrator's knowledge. …
Remediation Consult the Epson security notice at https://www.epson.jp/news/info/a-security202607.htm and the JVN advisory at https://jvn.jp/en/jp/JVN87285119/ to identify patched firmware versions for your specific Epson device model and apply the vendor-released update. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58315 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy