Epson Security Guides & Notifications
- Guides
- Security Notifications
- Vulnerability Disclosure Policy
- Report a Vulnerability
- Radio Equipment Directive (RED)
Epson Security Manifesto
To ensure security for all its customers, Epson uses unified security frameworks and consistent methodologies throughout the design and delivery of all its products, from office/home devices to commercial/industrial receipt printers and large format printers (LFPs).
Security Guidebook for Corporate Products
Strengthen the functional network capabilities of corporate printers and MFP to improve user-friendliness with a variety of security features for computers and servers when connecting to and using a network.
Security Guidebook for Product
Security Guidebook:
Customers Using a Home Network Environment
Security Guidebook:
Customers Using a Corporate Intranet Environment
Security Guidebook:
Customers Using POS Products. Select this regardless of your network environment.
Security Guidebook:
Home and Business Printers
Security Guidebook:
Large Format Printers
Security Guidebook:
Scanners
Security Guidebook:
POS Printers
Security Guidebook:
Label Printers
Function List and Supported Models
Business Inkjet Printer Function
List and supported models:
Large Format and Commercial Printer Function
List and supported models:
Scanner Function
List and supported models:
Projector Function
List and supported models:
Security Whitepaper and Information for Solutions
Security Whitepaper for
Epson Print Admin:
Security Whitepaper for
Epson Device Admin:
Security Whitepaper for
Document Capture Pro Server:
Security Whitepaper for
Epson Remote Services:
Please select a security notification below for details:
| Security Notification | Product | ID | Release Date |
|---|---|---|---|
| Command Execution Vulnerability in Epson POS Printers Connected to a Network | All products implementing ESC/POS | CVE-2026-23767 | 05/03/2026 |
| Vulnerability that allows arbitrary command execution in the printer's Web Config | -- | CVE-2025-66635 | 16/12/2025 |
| Vulnerability in EPSON WebConfig / Epson Web Control for Projector Products | -- | CVE-2025-64310 | 20/11/2025 |
| Local privilege escalation in Windows OS through installed EPSON printers installed in non-English language | -- | CVE-2025-42598 | 18/04/2025 |
| Insecure Initial Password Configuration in Epson WebConfig Vulnerability | -- | CVE-2024-47295 | 01/10/2024 |
| Cross-Site Scripting (XSS) Vulnerability | -- | CVE-2023-23572 | 18/09/2023 |
| Vulnerability in Web Config in Printer Products | -- | Click Here | 03/08/2023 |
| Vulnerability in Web Config in Printers and Network Interface Products | -- | CVE-2023-27520 | 09/06/2023 |
| Security Measures for Epson Network Products | -- | Click Here | 26/11/2020 |
Epson Vulnerability Disclosure Policy
Seiko Epson Corporation and its sales companies ("we", "us", "our") collect information on security vulnerabilities in our products and services (the "Products"), investigate their impact and disclose information as necessary to ensure that our customers can use our Products with confidence.
1. Application
This policy applies to all vulnerabilities (*1) reported to us. Customers are requested to read and comply with this policy carefully before reporting vulnerabilities.
*1: Vulnerability for the purposes of this policy is defined as an attack against a product that can adversely affect its confidentiality, integrity or availability.
2. How to report vulnerabilities
If you discover a new vulnerability (undisclosed vulnerability) for your product, please submit a report via the link below.
3. The process after a vulnerability report
3.1 Acknowledgement of receipt
The customer submitting the report (the "Rapporteur") will receive an acknowledgement of receipt from us within five working days, starting from the day after the day on which the report is sent.
3.2 Identification of vulnerabilities
The received vulnerabilities are checked by our technical team and the results are fed back to the reporter. In some cases, we may decide that the vulnerability is "not covered by the vulnerability response". For example, in the following cases.
- Known vulnerabilities.
- Product support is no longer available.
3.3 Addressing vulnerabilities
If we determine that the product is vulnerable, we will provide the reporter with a fixed module that addresses the vulnerability or provide a workaround. Please note that when we provide a fixed module, we may ask the reporter to confirm that the vulnerability has been properly addressed.
3.4 Vulnerability disclosure.
If it is deemed necessary to inform customers other than the reporter, the security advisory will be posted on the following website as soon as the information can be disclosed, so that customers can implement appropriate measures.
In addition, if the reporting party makes the disclosure, the reporting party is requested to coordinate the content of the disclosure (e.g. not including information that may give the attacker an advantage) and the schedule of the disclosure.
4. About Rewards
We sincerely appreciate those who take the time and effort to report vulnerabilities in accordance with this policy, but we do not offer any compensation for reporting vulnerabilities. Thank you for your understanding.
5. Prohibitions against the reporter
-
With regard to the disclosure of vulnerabilities The reporting party must not disclose vulnerability-related information to third parties without a valid reason.
However, if you need to disclose vulnerability-related information for legitimate reasons, please consult us in advance. -
With regard to when vulnerabilities are discovered and verified Please do not do the following in order to search for and verify vulnerabilities:
- Violating applicable laws and regulations
- Accessing unnecessary, excessive or voluminous data
- Altering data on our systems or services
- Using high-intensity invasive or destructive scanning tools to discover vulnerabilities
- Attempting or reporting any form of denial of service, such as overwhelming our services with a high volume of requests
- Interfering with our services or systems
From 1st August 2025, all wireless devices placed on the EU, UK and EFTA markets must comply with the updated Radio Equipment Directive (RED). ‘Placed on the Market’ refers to when a product has entered the region and cleared customs.
What’s the goal?
To make sure devices are:
- Safe to use
- Secure against cyber threats
- Compatible with other technology
- Efficient in using radio frequencies
What’s covered?
All products that the Directive defines as electronic products that either intentionally emit and receive radio waves or include an accessory allowing the intentional emission and reception of radio waves for communicative purposes. In general, if a device actively initiates data exchange with the internet, it falls within the scope of RED.
Some examples include:
- Wi-Fi enabled printers, projectors and scanners
- Phones
- Wi-Fi / Bluetooth devices
- GPS
- Radios
Why it matters:
Manufacturers must encrypt data, protect user privacy, and meet strict safety standards.
More Information:
Discover how RED impacts your Epson product by clicking the Learn More button.
RED Directive Frequently asked questions
General
What is the RED Directive?
What changes will come into force in August 2025?
What is required to be compliant?
What type of products are impacted?
How do I know if my device is impacted?
Whose responsibility is it to ensure compliance?
Are Epson products compliant?
What do I need to do if I purchased my device before August 2025?
What do I need to do if I purchase a device after August 2025?
For business users, your own system may be configured to non-RED protocols. In order to communicate with your system, you may need to enable some legacy protocols.
How do I know which firmware version I need, and where can I download it?
You do not need to download firmware.
- All Epson devices that are placed on the EU, UK and EFTA markets after 1st August 2025 will have been proactively configured to meet the new RED security requirements.
- Products placed on the EU, UK and EFTA markets before 1st August 2025 are exempt from the Directive.
- Firmware updates will automatically detect what settings are required.
- (‘Placed on the EU, UK and EFTA markets’ refers to when product has entered the region and cleared customs)
Issues with new printers
Why is my new printer not working?
The first step it to ensure you have the latest driver and firmware installed. A RED compliant printer may not necessarily be able to communicate within legacy systems. If this is the case, the user will need to manually enable port 9100 and LPR to connect to legacy network settings.
Please refer to the Epson support site for further support: Radio Equipment Directive (RED)
Why isn’t my printer working following a firmware update?
The first step it to ensure you have the latest driver and firmware installed. If, due to interoperability issues, you have disabled the RED compliance settings to enable the printer to communicate within a legacy system, the firmware update will have reset the RED compliance configuration to standard as it’s a legal requirement defined by the RED Directive.
The user will need to manually enable port 9100 and LPR to reconnect to legacy network settings.
Please refer to the Epson support site for further support: Radio Equipment Directive (RED)
Why isn’t my scanner working?
The first step it to ensure you have the latest driver and firmware installed. If, due to interoperability issues, you have disabled the RED compliance setting, the firmware update will have reset the RED compliance configuration to standard as it’s a legal requirement as defined by the RED Directive.
You may need to change your settings back to your legacy scan settings. Or you may need to set your machine back to the factory default settings and follow the menu system prompts to reconfigure.
Please refer to the Epson support site for further support: Radio Equipment Directive (RED)
