Skip to main content

Command Center RX EUVDEUVD-2025-210448

| CVE-2025-63579 HIGH
Information Exposure (CWE-200)
2026-07-09 cve@mitre.org GHSA-48px-5hxr-345p
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Network-reachable web interface, no auth or user interaction (PR:N/UI:N), low complexity; impact is confidentiality-only via credential/address-book disclosure (C:H, I:N, A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jul 09, 2026 - 21:43 vuln.today
CVSS changed
Jul 09, 2026 - 20:22 NVD
7.5 (HIGH)
CVE Published
Jul 09, 2026 - 19:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Unauthorized use of Kyocera printers, allows all information stored in the Kyocera address book to be exported. The security measure that encrypts incoming data ian be bypassed with this vulnerability, allowing encrypted data to be decrypted. Passwords and other sensitive information can be obtained. This affects Kyocera Command Center RX TASKalfa 2552ci, TASKalfa 3252ci, TASKalfa 2553ci, TASKalfa 3253ci, TASKalfa 3554ci, TASKalfa 4052ci, TASKalfa 5052ci, TASKalfa 6052ci, TASKalfa 7052ci, TASKalfa 8052ci, TASKalfa 7353ci, TASKalfa 8353ci, TASKalfa 2554ci, TASKalfa 3254ci, TASKalfa 505.

AnalysisAI

Sensitive information disclosure in Kyocera Command Center RX, the embedded web management interface of numerous TASKalfa multifunction printers, allows remote attackers to export the entire device address book without authorization. Because the vulnerability also bypasses the encryption protecting incoming data, encrypted content can be decrypted to reveal stored passwords and other confidential data. Publicly available exploit code exists (GitHub PoC), though there is no evidence of active exploitation in CISA KEV; SSVC rates the flaw as automatable with partial technical impact.

Technical ContextAI

Command Center RX (CCRX) is Kyocera's web-based device configuration and monitoring interface embedded in TASKalfa series color MFPs (multifunction printers). The affected functionality is the on-device address book, which stores contacts along with credentials (e.g., SMB/FTP scan-to-folder, SMTP, and LDAP account passwords) used for scan-to-destination workflows. The root cause maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): an authorization gap lets an unauthorized actor invoke the address-book export, and a weakness in the input-encryption security measure permits protected data to be decrypted, defeating the confidentiality control meant to safeguard stored secrets.

RemediationAI

No vendor-released patch or fixed firmware version is identified at time of analysis - the only Kyocera reference provided is the general corporate site (https://global.kyocera.com/), with no model-specific advisory or firmware build number. Contact Kyocera support and check for firmware updates for each affected TASKalfa model, and apply the first firmware that references CVE-2025-63579/EUVD-2025-210448 once published. As compensating controls until a patch is confirmed: remove the printers' Command Center RX interface from internet or untrusted-network exposure and restrict management access to a dedicated admin VLAN or ACL (side effect: remote administration must occur from that segment); disable or block the address-book export and network scan-to-destination features if not required (side effect: loss of scan-to-folder/email convenience); and most importantly rotate any credentials stored in address-book entries (SMB, FTP, SMTP, LDAP) since they may already be exposed, scoping those accounts to least privilege so a leaked credential yields minimal lateral movement. Reference PoC for detection/testing: https://github.com/barisbaydur/CVE-2025-63579.

Share

EUVD-2025-210448 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy