PoC for CVE-2023-22960 that I discovered. This vulnerability allows an attacker to bypass the credentials brute-force prevention mechanism of the Embedded Web Server interface of all Lexmark printer models that have a firmware version released before 01/2023. This issue affects both username-password and PIN authentication.
Official security advisory -> https://publications.lexmark.com/publications/security-alerts/CVE-2023-22960.pdf
PoC tested against:
- Lexmark MX622adhe
- Lexmark CX735adse
- Lexmark MX521ade
In this video I demonstrate the issue as well as how to write an http(s) login bruteforce script with Python.
https://www.youtube.com/watch?v=HuAqTScr_3s
Without the brute-force prevention bypass:
Applying the brute-force prevention bypass:
