CVE-2020-23575
published 2021-05-10


Priority: P1 80 high · CVSS 3.1: 7.5
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 36.77% (98.3th percentile)
A directory traversal vulnerability exists in Kyocera Printer d-COPIA253MF plus. Successful exploitation of this vulnerability could allow an attacker to retrieve or view arbitrary files from the affected server.

Affected

1 range
Vendor | Product | Version range | Fixed in
kyocera | d-copia253mf_plus_firmware | <= 2vg_s000.002.561 |

Detection & IOCs (extracted from sources)

url: /wlmeng/../../../../../../../../../../../etc/passwd%00index.htm
url: /wlmdeu%2f%2e%2e%2f%2e%2e
other: http.favicon.hash:-50306417
other: icon_hash=-50306417
  • Match HTTP response body for /etc/passwd content indicating successful directory traversal exploitation
  • Look for GET requests targeting the /wlmeng/ path with directory traversal sequences (../) and null-byte injection (%00) to bypass path restrictions on Kyocera printers
  • The incomplete fix for CVE-2020-23575 introduced a variant using URL-encoded traversal via /wlmdeu path; monitor for both /wlmeng/ and /wlmdeu%2f%2e%2e%2f%2e%2e patterns
  • Use Shodan favicon hash -50306417 or FOFA icon_hash=-50306417 to identify exposed Kyocera printer instances for proactive scanning
  • The original CVE-2020-23575 fix was incomplete; Kyocera TASKalfa 4053ci printers through firmware 2VG_S000.002.561 remain vulnerable via a variant path (/wlmdeu), tracked as CVE-2023-34259
  • The traversal via /wlmdeu allows reading files requiring root privileges, indicating the vulnerability is not limited to world-readable files
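
The request and response checks listed above can be run over web or proxy access logs. The following is an added example, not code from this page's sources: the log lines are constructed, the function names are hypothetical, and the `root:...:0:0:` body pattern is an assumed shape for leaked /etc/passwd content.

```python
import re
from urllib.parse import unquote

# The two path prefixes come from this page; all names and log lines are constructed.
WATCHED_PREFIXES = ("/wlmeng", "/wlmdeu")
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
DOTDOT = re.compile(r"(^|/)\.\.(/|$)")
# Assumed shape of a leaked /etc/passwd: a root entry with uid 0 and gid 0.
PASSWD_ROOT = re.compile(r"^root:[^:\n]*:0:0:", re.MULTILINE)

SAMPLE_LOG = [  # constructed access-log lines in combined log format
    '198.51.100.7 - - [10/May/2021:10:00:01 +0000] "GET /wlmeng/index.htm HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/May/2021:10:00:05 +0000] "GET /wlmeng/../../../../../../../../../../../etc/passwd%00index.htm HTTP/1.1" 200 1843',
    '198.51.100.9 - - [10/May/2021:10:00:09 +0000] "GET /wlmdeu%2f%2e%2e%2f%2e%2e HTTP/1.1" 200 97',
]

def fully_decode(target, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are also seen."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify_target(target):
    """Return findings for one raw request target (path plus query)."""
    raw = target.lower()
    if not raw.startswith(WATCHED_PREFIXES):
        return set()
    decoded = fully_decode(raw)
    findings = set()
    if DOTDOT.search(decoded):
        findings.add("traversal")
    if "%2e" in raw or "%2f" in raw:
        findings.add("encoded-traversal")
    if "\x00" in decoded:
        findings.add("null-byte")
    return findings

def scan(lines):
    """Return (line_number, sorted findings) for every suspicious log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        findings = classify_target(match.group(1)) if match else set()
        if findings:
            hits.append((number, sorted(findings)))
    return hits

def body_leaks_passwd(body):
    """True when a response body contains passwd-style content."""
    return bool(PASSWD_ROOT.search(body))
```

A request hit combined with `body_leaks_passwd` returning true on the matching response is the stronger signal, since it separates a successful read from a blocked probe.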

CVSS provenance

nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck | 7.5 | HIGH