Vulnerability Reference: 9100-13-GEN-002
Release Date: 08/16/2019
Description: Some Epson products contain a secure embedded web server that, out of the box, is protected using an Epson generated self-signed certificate.
Impact: Accessing the web server will likely result in a security warning or pop-up window notifying about the self-signed certificate. The warning states that the certificate is not known or trusted from a reputable Certificate Authority. Also, any network penetration testing will also notify about this certificate for the same reasons.
Solution: Customers can choose to by-pass these warnings and trust that the product web server they are accessing does indeed belong to the product that they are targeting. Customers who are not comfortable with these warnings are invited to purchase their own certificates from a trusted Certificate Authority and install them in the printer. Some customers may be capable of setting up their own Certificate Authority and generating their own certificates.
Installation of these certificates within their Operating System and Network Penetration Testing tools can alleviate the warnings. Please see the Instruction Guide to guide customers with this effort. Epson makes this document available as general guidance only. Users, and not Epson, are ultimately responsible for their own POS system security, including security certificate practices.