Command Execution Vulnerability in Epson WebConfig

Vulnerability Reference: CVE-2025-66635

Description: Web Config requires the administrator password to log in. A malicious third party who obtains the administrator password can execute arbitrary commands on the product by logging in to Web Config and entering a specific string on a specific screen. Because authentication is required, the exposure is greatest where the administrator password is weak, shared across products, or reachable from untrusted networks.

Impact: The product's settings could be reset, or the product could be made to send ping packets to other devices. There have been no reports of attacks exploiting this vulnerability to date.

Solution: We strongly recommend applying the fixed firmware or, where that is not yet possible, the workaround below to mitigate the impact of this vulnerability.

  • Apply fixed firmware
    For products that are currently on sale, we have released fixed firmware as listed below. Please download it from the Epson website and apply the update.
     
  • Take workaround
    To ensure the security of your Epson product, we recommend that end users and their administrators implement and maintain industry-standard security controls and practices when setting up and managing the administrator password and the network to which the product is connected.
    • Administrator Password
      • Set a unique password for each product; do not reuse one administrator password across several products.
      • The administrator password should be a complex string that is difficult for others to guess: eight or more characters containing not only letters but also numbers and symbols.
    • Internet Connection
      • Do not connect the product directly to the Internet; install it within a network protected by a firewall.
      • Please set a private IP address for the product.
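The three workaround items above (unique password per product, password complexity, private addressing) can be checked across a printer fleet from an inventory. The following is an added example written for this page; it is not an Epson tool, and the inventory format (name, IP address, administrator password) and the sample devices, addresses and passwords are constructed for illustration. The complexity rule implemented is the one stated in the advisory (eight or more characters with letters, numbers and symbols); the private-address check uses the RFC 1918 ranges rather than Python's broader `is_private` flag, so loopback and link-local addresses are not mistaken for a correctly placed product.

```python
from __future__ import annotations

import ipaddress
import string

# RFC 1918 private ranges. The advisory asks that the product be given a
# private address and sit behind a firewall rather than directly on the Internet.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

MIN_PASSWORD_LENGTH = 8  # advisory: "eight or more characters"


def is_private_ipv4(addr: str) -> bool:
    """True if addr parses as IPv4 and lies inside an RFC 1918 block."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def password_findings(password: str) -> list[str]:
    """Return each way the password falls short of the advisory's guidance (empty = OK)."""
    findings = []
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not any(c in string.ascii_letters for c in password):
        findings.append("no letters")
    if not any(c in string.digits for c in password):
        findings.append("no digits")
    if not any(c in string.punctuation for c in password):
        findings.append("no symbols")
    return findings


def audit_fleet(devices: list[dict]) -> dict[str, list[str]]:
    """Audit inventory records of the form {"name", "ip", "admin_password"}.

    Returns a map from device name to its findings (empty list = clean).
    The reuse check is fleet-wide because the advisory asks for a unique
    administrator password on every product.
    """
    by_password: dict[str, list[str]] = {}
    for d in devices:
        by_password.setdefault(d["admin_password"], []).append(d["name"])

    report = {}
    for d in devices:
        findings = []
        if not is_private_ipv4(d["ip"]):
            findings.append(f"address {d['ip']} is not an RFC 1918 private address")
        findings.extend("password " + f for f in password_findings(d["admin_password"]))
        others = [n for n in by_password[d["admin_password"]] if n != d["name"]]
        if others:
            findings.append("password shared with " + ", ".join(sorted(others)))
        report[d["name"]] = findings
    return report


# Constructed sample inventory: hypothetical device names, addresses and passwords.
SAMPLE_DEVICES = [
    {"name": "mfp-lobby",   "ip": "192.168.10.21", "admin_password": "Kq7#vB2pLx!9"},
    {"name": "mfp-finance", "ip": "192.168.10.22", "admin_password": "admin1234"},
    {"name": "mfp-branch",  "ip": "203.0.113.45",  "admin_password": "admin1234"},
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_DEVICES).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run against the constructed inventory, `mfp-lobby` passes, `mfp-finance` is flagged for a password without symbols that is shared with `mfp-branch`, and `mfp-branch` is additionally flagged for a non-private address. A non-private address on its own does not prove the product is Internet-reachable, so treat that finding as a prompt to confirm the firewall placement the advisory calls for.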


For more information on securing your Epson product, please refer to the "Security Guidelines" on the Security for Printers and MFPs website.

Affected Models