KYOCERA Command Center RX (CCRX) Security Vulnerability

Japan, July 21, 2023 – KYOCERA Document Solutions Inc. announced that a security vulnerability has been confirmed in KYOCERA Command Center RX (hereinafter referred to as "CCRX"), the embedded web interface that allows users to check and change various settings of multifunction devices provided by Kyocera Document Solutions over the network.
The following is an overview of the issue and how to resolve it. As of the date of publication of this notice, we have not confirmed any attacks that exploit this vulnerability.


【Vulnerability description】


1. Path Traversal

CCRX has a Path Traversal vulnerability. Path Traversal is an attack on web applications in which the attacker manipulates a file path value (for example by inserting "../" sequences) so that the application reads files outside the directory it is meant to serve. In this way an attacker can gain access to the file system, including source code and critical system settings.
CVE ID: CVE-2023-34259
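To make the mechanism concrete, the following is an added example (not code from CCRX or from Kyocera) showing the vulnerable pattern beside a hardened one: the request path is decoded, joined to the web root and canonicalized, and anything that resolves outside the web root is rejected. The directory layout, file names and contents are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def make_sample_tree():
    """Constructed layout: a web root with one page and a sensitive file one
    level above it (standing in for device settings that must not be served)."""
    root = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
    web_root = root / "web"
    web_root.mkdir()
    (web_root / "index.html").write_text("<html>ok</html>")
    (root / "device.conf").write_text("admin_password=constructed-secret")
    return root, web_root


def serve_vulnerable(web_root, requested):
    """Vulnerable pattern: decode the request, glue it onto the web root and
    open whatever that points to. '../device.conf' escapes the web root."""
    path = os.path.join(str(web_root), unquote(requested))
    with open(path) as f:
        return f.read()


def resolve_within(web_root, requested):
    """Canonicalize the joined path and accept it only if it is the web root
    itself or lies below it. Returns the safe Path, or None if the request
    escapes. Decoding happens before joining, so '..%2F' is caught as well,
    and resolve() follows symlinks, so a link pointing outside is caught too."""
    base = Path(web_root).resolve()
    target = (base / unquote(requested)).resolve()
    if target == base or base in target.parents:
        return target
    return None


def serve_hardened(web_root, requested):
    target = resolve_within(web_root, requested)
    if target is None or not target.is_file():
        raise PermissionError(f"rejected path: {requested!r}")
    return target.read_text()


if __name__ == "__main__":
    root, web = make_sample_tree()
    print(serve_vulnerable(web, "../device.conf"))   # leaks the config file
    print(serve_hardened(web, "index.html"))         # normal request still works
    for bad in ("../device.conf", "..%2Fdevice.conf", "/etc/hostname"):
        print(bad, "->", resolve_within(web, bad))   # None for all three
```

The check must run on the canonical path, after URL decoding and symlink resolution; a string filter for "../" applied to the raw request misses encoded and symlinked variants.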

2. Denial of Service (DoS)

CCRX has a vulnerability that allows a Denial of Service attack. A crafted file path value can cause CCRX to become unresponsive, rendering it unusable.
CVE ID: CVE-2023-34260

3. User Enumeration

By making repeated login attempts, an attacker can determine whether a given user name exists in the device's user database, because the CCRX login reveals whether the user name is known.
CVE ID: CVE-2023-34261
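The defensive side of this finding, as an added example that is not CCRX code: a login routine that leaks account existence through a distinct error message and an early return, beside one that returns a single generic message, always performs the password verification (against a dummy credential when the name is unknown, so unknown names are not faster to reject), and rate-limits failures per client. The user database, the account and the password are constructed for the demonstration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000
MAX_FAILURES = 5
GENERIC_FAILURE = "Invalid user name or password"


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed single-account database standing in for the device's.
_SALT = os.urandom(16)
USERS = {"Admin": (_SALT, hash_password("constructed-password", _SALT))}
# Dummy credential with a random, never-matching password: verifying against it
# costs the same work as a real lookup.
_DUMMY = (_SALT, hash_password(os.urandom(16).hex(), _SALT))


def login_vulnerable(username, password):
    """Leaks existence: a different message, and no hashing work, when the
    user name is unknown."""
    entry = USERS.get(username)
    if entry is None:
        return False, "Unknown user name"
    salt, stored = entry
    if hmac.compare_digest(hash_password(password, salt), stored):
        return True, "Login OK"
    return False, "Incorrect password"


def login_hardened(username, password):
    """Same outcome for 'unknown user' and 'wrong password': one generic
    message, and the password is always hashed and compared."""
    entry = USERS.get(username)
    salt, stored = entry if entry is not None else _DUMMY
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    if entry is not None and matched:
        return True, "Login OK"
    return False, GENERIC_FAILURE


_failures = {}  # client identifier -> consecutive failed attempts


def login_rate_limited(client, username, password):
    """Caps repeated attempts per client. The counter is keyed on the client,
    not the user name: a per-account lockout would itself reveal which
    accounts exist, and a locked client sees the same generic message."""
    if _failures.get(client, 0) >= MAX_FAILURES:
        return False, GENERIC_FAILURE
    ok, msg = login_hardened(username, password)
    if ok:
        _failures.pop(client, None)
    else:
        _failures[client] = _failures.get(client, 0) + 1
    return ok, msg


if __name__ == "__main__":
    print(login_vulnerable("Admin", "x"), login_vulnerable("nobody", "x"))   # distinguishable
    print(login_hardened("Admin", "x"), login_hardened("nobody", "x"))       # identical
```

The two things to keep identical across "unknown user" and "wrong password" are the response content (status, message, headers) and the amount of work done before answering; the dummy verification covers the second.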

【Countermeasures】 

As a countermeasure, we provide firmware that fixes these vulnerabilities. Please contact your local distributor to have the firmware applied. For "3. User Enumeration", Kyocera Document Solutions assesses the security risk as low.

【Affected Products】

Color MFPs:
TASKalfa 2554i, TASKalfa 3554i, TASKalfa 4054ci, TASKalfa 5053ci, TASKalfa 5054ci, TASKalfa 6054ci, TASKalfa 7054ci, TASKalfa 8353ci

Monochrome MFPs:
TASKalfa 5004i, TASKalfa 6004i, TASKalfa 7004i, TASKalfa 8003i, TASKalfa 9003i

Color printers:
ECOSYS M2540dn, ECOSYS M4125idn

Monochrome printers:
ECOSYS P3145dn


【Acknowledgement】

Kyocera Document Solutions would like to thank Mr. Stefan Michlits of SEC Consult (www.sec-consult.com), an Austrian security consulting company, for discovering these vulnerabilities.