CVE-2026-23767
ESC/POS Protocol Lacks Authentication, Enabling Command Injection
Publication date: 2026-03-05
Last updated on: 2026-03-09
Assigner: JPCERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| epson | sb-h50_firmware | * |
| epson | tm-h6000v_firmware | * |
| epson | tm-l100_firmware | * |
| epson | tm-m10_firmware | * |
| epson | tm-m30_firmware | * |
| epson | tm-m30ii_firmware | * |
| epson | tm-m30ii-h_firmware | * |
| epson | tm-m30ii-s_firmware | * |
| epson | tm-m30ii-sl_firmware | * |
| epson | tm-m30iii_firmware | * |
| epson | tm-m30iii-h_firmware | * |
| epson | tm-m55_firmware | * |
| epson | tm-p20ii_firmware | * |
| epson | tm-p80ii_firmware | * |
| epson | tm-p20_firmware | * |
| epson | tm-p60ii_firmware | * |
| epson | tm-p80_firmware | * |
| epson | tm-t20ii_firmware | * |
| epson | tm-t20iii_firmware | * |
| epson | tm-t88vi_firmware | * |
| epson | tm-t88vi-ihub_firmware | * |
| epson | tm-t88vii_firmware | * |
| epson | ub-r04_firmware | * |
| epson | ub-e04_firmware | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23767 is a vulnerability in ESC/POS, a printer control language developed by Seiko Epson Corporation for POS printers. ESC/POS lacks built-in security mechanisms such as user authentication and command authorization, meaning any device on the same network can send commands to the printer without restriction.
Additionally, ESC/POS commands are transmitted over the network without encryption or integrity protection, allowing attackers on the same network to intercept or tamper with the communication.
The vulnerability affects Epson receipt printers and drivers that use ESC/POS commands, especially those communicating over TCP port 9100, which is commonly used for direct printing.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing any host on the same network to send arbitrary ESC/POS commands to your Epson POS printer without authentication or authorization.
Attackers could intercept unencrypted communication to disclose sensitive information or tamper with print jobs, potentially causing unauthorized printer operations or access to stored device information.
Such unauthorized control could disrupt business operations, lead to data leakage, or enable further attacks within the network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if Epson POS printers or devices using ESC/POS commands are accessible over the network, especially on TCP port 9100, which is the standard port for ESC/POS communication.
You can scan your network for devices listening on TCP port 9100 to identify potentially vulnerable printers.
- Use a network scanning tool or command such as: nmap -p 9100 <target_ip_range>
- Check if any hosts on your network accept connections on port 9100 without authentication.
Since ESC/POS commands are transmitted unencrypted and without authentication, any device responding on this port may be vulnerable.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting network access to the affected printers and securing the communication environment.
- Place printers within a firewall-protected network to prevent unauthorized access.
- Avoid exposing printers directly to the internet.
- Use private IP addresses for printer operation to limit exposure.
- Implement network segmentation and IP address restrictions to limit which hosts can communicate with the printers.
- Use encrypted communication channels such as VPNs or tunneling mechanisms to protect data in transit.
Since ESC/POS lacks built-in authentication and encryption, securing the network environment and controlling access are critical to mitigating this vulnerability.