CVE-2025-64310
Published: 21 November 2025
Description
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Security Summary
CVE-2025-64310 is a critical vulnerability in EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products, published on 2025-11-21. It stems from CWE-307: Improper Restriction of Excessive Authentication Attempts, where the web interfaces fail to limit login attempts, allowing attackers to brute-force administrative user passwords. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility and potential for complete compromise.
Any unauthenticated attacker with network access to the projector can exploit this vulnerability remotely, with low complexity and no user interaction required. By repeatedly submitting guessed credentials, they can recover the administrative password and gain unauthorized access with full impact on the confidentiality, integrity, and availability of the device.
Advisories detailing mitigations and patches are available from the Japan Vulnerability Notes (JVN) at https://jvn.jp/en/vu/JVNVU95021911/, Epson UK at https://www.epson.co.uk/en_GB/faq/KA-02041/contents?loc=en-us, and Epson Japan at https://www.epson.jp/support/misc_t/251120_oshirase.htm. Security practitioners should review these resources promptly for update instructions and protective measures.
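As an added illustration of the control that CWE-307 describes as missing (example code written for this page, not Epson firmware or any project's code; the thresholds, the (source, account) keying and the constructed sequence of attempts are assumptions), a sliding-window login throttle that refuses further attempts once a pair has failed too often:

```python
from collections import defaultdict, deque

# Hypothetical policy values (assumptions, not Epson's settings): lock a
# (source, account) pair after 5 failures within a 300-second window.
MAX_FAILURES = 5
WINDOW_SECONDS = 300
LOCKOUT_SECONDS = 900


class LoginThrottle:
    """Tracks failed logins per (source, account) and enforces a lockout.

    Every request is checked against the failure history before any
    credential comparison, so guessing stops yielding information.
    """

    def __init__(self):
        self._failures = defaultdict(deque)  # key -> failure timestamps
        self._locked_until = {}              # key -> unlock timestamp

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                      # drop failures outside window

    def is_locked(self, source, account, now):
        until = self._locked_until.get((source, account))
        return until is not None and now < until

    def attempt(self, source, account, password_ok, now):
        """Return 'locked', 'ok' or 'fail' for one attempt at time `now`."""
        key = (source, account)
        if self.is_locked(source, account, now):
            return "locked"                  # refused even if password is right
        if password_ok:
            self._failures.pop(key, None)    # success clears the counter
            return "ok"
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS
        return "fail"


def replay(events):
    """Run a constructed sequence of (time, source, account, ok) events."""
    throttle = LoginThrottle()
    return [throttle.attempt(src, acct, ok, t) for t, src, acct, ok in events]


# Constructed sample: seven wrong guesses, then the right password while the
# lockout is still active (refused), then the right password after it expires.
SAMPLE = (
    [(i * 2, "10.0.0.5", "admin", False) for i in range(7)]
    + [(20, "10.0.0.5", "admin", True), (1000, "10.0.0.5", "admin", True)]
)
```

Keying on the (source, account) pair avoids letting anyone lock the administrator out by failing on purpose, but it also means a guesser spread across many sources is only slowed per source, so a per-account cap or a global rate limit is usually layered on top.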
Details
- CWE(s): CWE-307 (Improper Restriction of Excessive Authentication Attempts)
MITRE ATT&CK Enterprise Techniques
- T1110 (Brute Force), T1110.001 (Password Guessing)
Why these techniques?
The vulnerability is a failure to restrict excessive authentication attempts (CWE-307), directly enabling brute force password guessing (T1110, T1110.001) on the administrative interface.