E25-004: Arbitrary file reading vulnerability in Printer Dashboard systems

An arbitrary file reading vulnerability has been identified in printers that have the Printer Dashboard component enabled. Users of affected firmware versions are urged to implement the changes described in the Corrective Action section below.

Who should read this bulletin

Customers with printers running Sigma firmware D4.3.3 or earlier with both the OpenCard plugin and the Printer Dashboard enabled. Customers with this configuration are advised to upgrade to the latest firmware version and apply the remediation steps described below.

Bulletin details

Impact of Vulnerability

The arbitrary file reading vulnerability exists in printers that have both the Printer Dashboard and the OpenCard plug-in components enabled. It could allow an attacker with network access to the Printer Dashboard interface to read arbitrary files stored on the printer.

Mitigating Factors

  • Exploiting this vulnerability is not possible when the Printer Dashboard port has been disabled. Disabling the Printer Dashboard port is an existing recommended best practice.
  • Exploiting this vulnerability is not possible when the OpenCard plugin is disabled (the default configuration).
  • There are no known cases involving the exploitation of this vulnerability among Entrust's customers.

Corrective Action

Entrust recommends that the affected printers be updated to D4.3.3-SP1 firmware, which is available on the Entrust Sigma DS3 Direct-to-Card Printer Support web page. This update resolves the arbitrary file reading vulnerability and also brings the printer's operating system and security patches up to 2025 levels.

For systems where printer configuration is not required during card production, the Printer Dashboard port can be disabled to minimize the attack surface. The Printer Dashboard can be re-enabled when printer servicing is required. 
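The three conditions above (firmware D4.3.3 or earlier without the SP1 update, OpenCard plugin enabled, Printer Dashboard port enabled) are easy to get wrong when triaging a fleet by hand, because a printer that is still on vulnerable firmware but has the dashboard port disabled is mitigated rather than exposed. The following Python script is an added example, not Entrust tooling from this bulletin: it parses the firmware string, orders D4.3.3-SP1 after D4.3.3, and classifies each printer in a constructed inventory. The inventory format, the hostnames, and any firmware values other than D4.3.3 and D4.3.3-SP1 are assumptions made for the example.

```python
"""Fleet triage for bulletin E25-004 (added example, not Entrust tooling).

A printer is flagged EXPOSED only when all three bulletin conditions hold:
  * firmware D4.3.3 or earlier, without the D4.3.3-SP1 update
  * OpenCard plugin enabled
  * Printer Dashboard port enabled
Inventory layout, hostnames and firmware values other than the bulletin's
D4.3.3 / D4.3.3-SP1 are constructed for illustration.
"""
import re
from dataclasses import dataclass

# D4.3.3-SP1 is the fixed release: base 4.3.3 plus service pack 1.
FIXED_VERSION = (4, 3, 3, 1)

# Assumed version grammar: D<major>.<minor>.<patch> with an optional -SP<n>.
_VERSION_RE = re.compile(r"^D(\d+)\.(\d+)\.(\d+)(?:-SP(\d+))?$")


def parse_firmware(version: str) -> tuple:
    """Turn 'D4.3.3' or 'D4.3.3-SP1' into a comparable tuple; no SP counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    major, minor, patch, sp = m.groups()
    return (int(major), int(minor), int(patch), int(sp or 0))


def firmware_vulnerable(version: str) -> bool:
    """True for D4.3.3 and anything earlier; False from D4.3.3-SP1 onwards."""
    return parse_firmware(version) < FIXED_VERSION


@dataclass
class Printer:
    name: str
    firmware: str
    opencard_enabled: bool
    dashboard_enabled: bool


def triage(printer: Printer) -> str:
    """Classify one printer against the bulletin's affected configuration."""
    if not firmware_vulnerable(printer.firmware):
        return "patched"
    # Either mitigating factor blocks exploitation, but the update is still due.
    if not printer.dashboard_enabled:
        return "mitigated: dashboard port disabled (update still recommended)"
    if not printer.opencard_enabled:
        return "mitigated: OpenCard disabled (update still recommended)"
    return "EXPOSED: update to D4.3.3-SP1 or disable the dashboard port"


def exposed_printers(inventory: list) -> list:
    """Names of printers that match all three conditions."""
    return [p.name for p in inventory if triage(p).startswith("EXPOSED")]


# Constructed sample inventory: hostnames and the D4.2.0 value are invented.
SAMPLE_INVENTORY = [
    Printer("badge-printer-01", "D4.3.3", opencard_enabled=True, dashboard_enabled=True),
    Printer("badge-printer-02", "D4.3.3-SP1", opencard_enabled=True, dashboard_enabled=True),
    Printer("badge-printer-03", "D4.2.0", opencard_enabled=False, dashboard_enabled=True),
    Printer("badge-printer-04", "D4.3.3", opencard_enabled=True, dashboard_enabled=False),
]

if __name__ == "__main__":
    for p in SAMPLE_INVENTORY:
        print(f"{p.name:18} {p.firmware:12} {triage(p)}")
```

Printers reported as "mitigated" are not exploitable today, but re-enabling the dashboard port for servicing (as the bulletin allows) moves them straight back to EXPOSED, so the update should still be scheduled for them.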

Support

Entrust Support can be contacted using our standard methods:

To set up a new Trusted Care account, where you can view and receive future security bulletins, please email: [email protected].

© Copyright 2025 Entrust Corporation.  All rights reserved.

Entrust is a trademark or a registered trademark of Entrust, Inc. in the United States and certain countries. All Entrust product names and logos are trademarks or registered trademarks of Entrust, Inc. or Entrust Corporation. All other company and product names and logos are trademarks or registered trademarks of their respective owners in certain countries.

Given the very nature of security vulnerabilities, security bulletins are intended to be kept to a small group of individuals. Security bulletins are to be distributed within your company only, and only on a need-to-know basis.

The information in this bulletin is proprietary and confidential to Entrust Corporation and its subsidiaries, and any disclosure of this information is governed by the confidentiality terms in the agreement pursuant to which you obtained a license for the referred-to Entrust products.

The information in this bulletin is provided "as is" by Entrust without any representations, conditions and/or warranties of any kind, whether express, implied, statutory, by usage of trade, or otherwise. Entrust specifically disclaims any and all representations, conditions, and/or warranties of merchantability, satisfactory quality, and/or fitness for a particular purpose. To the maximum extent permitted by applicable law, in no event will Entrust be liable for any damages, losses or costs arising from your or any third party actions or omissions in connection with this bulletin. The only representations, conditions and/or warranties that may be applicable to any Entrust products that you may have are those contained in the agreement pursuant to which you obtained a license for those Entrust products.