CVE-2023-50916

HIGH

Kyocera Device Manager < 3.1.1213.0 - NTLM Credential Exposure via UNC Path Authentication Bypass

Title source: llm

Description

Kyocera Device Manager before 3.1.1213.0 allows NTLM credential exposure during UNC path authentication via a crafted change from a local path to a UNC path. It allows administrators to configure the backup location of the database used by the application. Attempting to change this location to a UNC path via the GUI is rejected due to the use of a \ (backslash) character, which is supposed to be disallowed in a pathname. Intercepting and modifying this request via a proxy, or sending the request directly to the application endpoint, allows UNC paths to be set for the backup location. Once such a location is set, Kyocera Device Manager attempts to confirm access and will try to authenticate to the UNC path; depending on the configuration of the environment, this may authenticate to the UNC with Windows NTLM hashes. This could allow NTLM credential relaying or cracking attacks.

References (3)

Core 3

Core References

Vendor Advisory

https://www.kyoceradocumentsolutions.us/en/about-us/pr-and-award-certifications/press/kyocera-device-manager-cve-2023-50196-vulnerability-solution-update.html

Third Party Advisory

https://www.trustwave.com/en-us/resources/security-resources/security-advisories/

Exploit, Third Party Advisory

https://www.trustwave.com/hubfs/Web/Library/Advisories_txt/TWSL2024-001_kyocera-v2.txt

Scores

CVSS v3 7.2

EPSS 0.0463

EPSS Percentile 90.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-22

Status published

Products (1)

kyocera/device_manager < 3.1.1213.0

Published Jan 10, 2024

Tracked Since Feb 18, 2026