Xerox · Xerox Versalink · CVE-2022-23968
**Name of the Vulnerable Software and Affected Versions**
Xerox VersaLink devices versions xx.42.01 through xx.50.61
Xerox VersaLink devices versions prior to xx.61.23
**Description**
The issue allows remote attackers to brick the device via a crafted TIFF file in an unauthenticated HTTP POST request, resulting in a permanent denial of service. This occurs because image parsing causes a reboot, but image parsing is restarted as soon as the boot process finishes, creating a boot loop. However, this boot loop can be resolved by a field technician. The TIFF file must have an incomplete Image Directory.
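The trigger condition above is a TIFF whose Image File Directory (IFD) does not fit inside the file. The following added example, not code from Xerox or from this advisory, is a small defensive validator that walks the IFD chain of a TIFF file and rejects any file whose directory or out-of-line field values extend past the end of the data; it can be run on uploads before they are forwarded to a printer that has not yet been patched. It assumes the TIFF 6.0 layout (8-byte header, 12-byte directory entries) and uses a constructed helper, `make_tiff`, to build sample input.

```python
import struct

# Byte size of each TIFF 6.0 field type (1=BYTE ... 12=DOUBLE).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}


def tiff_ifd_complete(data: bytes) -> bool:
    """Return True only if every IFD in `data`, and every out-of-line field
    value an IFD entry points at, lies entirely within the file."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return False
    fmt = "<" if data[:2] == b"II" else ">"      # little- or big-endian
    magic, offset = struct.unpack(fmt + "HI", data[2:8])
    if magic != 42:
        return False
    seen = set()
    while offset != 0:
        # Reject IFD cycles, IFDs overlapping the header, or an unreadable count.
        if offset in seen or offset < 8 or offset + 2 > len(data):
            return False
        seen.add(offset)
        (count,) = struct.unpack(fmt + "H", data[offset:offset + 2])
        end = offset + 2 + count * 12 + 4        # entries + next-IFD pointer
        if count == 0 or end > len(data):
            return False                         # truncated / incomplete directory
        for i in range(count):
            e = offset + 2 + i * 12
            _tag, ftype, n, val = struct.unpack(fmt + "HHII", data[e:e + 12])
            size = TYPE_SIZES.get(ftype)
            if size is None:
                return False                     # unknown field type
            if size * n > 4 and val + size * n > len(data):
                return False                     # value pointer past end of file
        (offset,) = struct.unpack(fmt + "I", data[end - 4:end])
    return True


def make_tiff(fmt="<", entries=((256, 4, 1, 1), (257, 4, 1, 1)), truncate=0) -> bytes:
    """Constructed test helper (not a real image): header plus one IFD holding the
    given (tag, type, count, value) entries and a zero next-IFD pointer.
    `truncate` drops that many trailing bytes so the IFD no longer fits."""
    ifd = struct.pack(fmt + "H", len(entries))
    for tag, ftype, n, val in entries:
        ifd += struct.pack(fmt + "HHII", tag, ftype, n, val)
    ifd += struct.pack(fmt + "I", 0)
    data = (b"II" if fmt == "<" else b"MM") + struct.pack(fmt + "HI", 42, 8) + ifd
    return data[:len(data) - truncate] if truncate else data
```

Files that fail the check should be quarantined and logged (source address, size, failure reason) rather than silently dropped, so repeated attempts against the device are visible to the SOC.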
**Recommendations**
For Xerox VersaLink devices versions xx.42.01 through xx.50.61, consider disabling the image parsing function until a patch is available.
For Xerox VersaLink devices versions prior to xx.61.23, restrict access to the device to prevent unauthenticated HTTP POST requests until a patch is available.
As a temporary workaround, consider blocking unauthenticated access to the device in the settings to minimize the risk of exploitation.