OS-S Security Advisory 2016-19: Epson WorkForce multi-function printers do not use signed firmware images and allow unauthorized malicious firmware updates (CVSS 10)
Epson multi-function printers support firmware updates via USB and HTTP.
When using HTTP, the update is initiated with a GET request and the
firmware is uploaded via a POST request. No authorization is required.
An attacker can exploit this unauthorized mechanism using
Cross-Site Request Forgery (CSRF). Because the firmware itself is
neither encrypted nor digitally signed, an attacker can create malicious
firmware images including backdoors and other malware.
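
A monitoring sketch for the pattern described above, added here as an example and not part of the original advisory: it scans web-proxy log lines for a GET followed by a large POST to a printer, both sent from a page hosted on another site. The log layout, the printer subnet, the size threshold and the `/PLACEHOLDER-*` paths are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

PRINTER_NET = ipaddress.ip_network("192.0.2.0/28")  # assumption: printer subnet
MIN_UPLOAD_BYTES = 1_000_000  # assumption: firmware images are megabytes in size

# Constructed proxy log lines: time, client, method, URL, Referer, request body bytes.
# The /PLACEHOLDER-* paths are not real device paths.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 GET http://192.0.2.4/PLACEHOLDER-STATUS http://192.0.2.4/ 0
10:02:10 10.0.0.7 GET http://192.0.2.4/PLACEHOLDER-START http://news.example/article 0
10:02:11 10.0.0.7 POST http://192.0.2.4/PLACEHOLDER-UPLOAD http://news.example/article 8388608
10:05:00 10.0.0.9 POST http://192.0.2.4/PLACEHOLDER-SCAN http://192.0.2.4/ 512
10:06:00 10.0.0.7 GET http://www.example/ - 0
"""

def is_printer(host):
    try:
        return ipaddress.ip_address(host) in PRINTER_NET
    except ValueError:
        return False  # hostname, not an IP literal

def find_cross_site_updates(log_text):
    """Return (client, printer, referer_host) for each GET-then-large-POST
    sequence sent to a printer from a page hosted elsewhere."""
    primed = set()  # (client, printer) pairs that already sent a cross-site GET
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines
        _, client, method, url, referer, size = parts
        target = urlsplit(url).hostname or ""
        if not is_printer(target):
            continue
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        if ref_host is None or ref_host == target:
            continue  # same-site or no Referer: not the cross-site pattern
        key = (client, target)
        if method == "GET":
            primed.add(key)
        elif (method == "POST" and key in primed
              and size.isdigit() and int(size) >= MIN_UPLOAD_BYTES):
            alerts.append((client, target, ref_host))
    return alerts

if __name__ == "__main__":
    for alert in find_cross_site_updates(SAMPLE_LOG):
        print("cross-site firmware-style upload:", alert)
```

The heuristic depends on the Referer being logged and is a monitoring aid only; the underlying fix is an authenticated update interface and signed firmware images on the device.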