March 17, 2026
Revised on April 8, 2026
Dear customers,
We would like to thank you for your continued support towards FUJIFILM Business Innovation products.
Vulnerabilities (CVE-2026-2251/2252) have been found in Xerox FreeFlow Core, which is included in the Xerox FreeFlow Digital Workflow Collection.
We apologize for any inconvenience this may cause, but please check if your Xerox FreeFlow Core is compatible with the target version, and if so, take the following actions.
At the time of posting this notice, we have not confirmed any attacks that exploit this vulnerability.
We have found the following vulnerabilities in our product Xerox FreeFlow Core that lead to multiple remote code execution.
- CVE-2026-2251(Critical): Path Traversal leading to Remote Code Execution (RCE)(CWE-22)
- CVE-2026-2252(High): ML External Entity (XXE) vulnerability resulting in Server-Side Request Forgery (SSRF) (CWE-611, CWE-918)
Xerox FreeFlow Core 7.0.0~7.0.11
- How to check the version
- After logging in, click the “?” mark in the upper right corner of the screen and select the “FreeFlow Core Information” menu.
-
- Check the version on the screen that appears.
The vulnerability disclosed this time potentially exists in Xerox FreeFlow Core, which our company provides and supports. However, since communication with the printers we support uses IPP, closing the port related to communication with JMF commands does not cause any issues.
Furthermore, as long as the system is operated within the scope of our provided functionalities and under an environment protected by properly configured firewalls, the vulnerability can be mitigated by following the "Workaround" described below.
As a permanent measure, we have prepared a patch module version that addresses this vulnerability.
Supported Product: Xerox FreeFlow Core 8.1.0
The patch module can be downloaded from the URL below.
Installation Requirements: A valid license for Xerox FreeFlow Core 8.1.0 is required for installation. Please contact our sales representative for license inquiries.
Important Notice: If you install the patch without obtaining the necessary license, Xerox FreeFlow Core 8.1.0 will not function properly.
If Xerox FreeFlow Core 8.1.0, which includes the countermeasures described above, is not installed, and the system is protected from unauthorized external access by a properly configured firewall, there is no risk from this vulnerability.
Furthermore, by implementing the measures below, the risk of the vulnerability can be reduced regardless of the network environment in which Xerox FreeFlow Core is used.
- Close port 7751, which is the receiving port for certain messages of JMF (Job Messaging Format) *1.
- Do not open port 4004, which is the receiving port for certain messages of JMF (Job Messaging Format)*1.
- *1 The following is how to check the status of a specific port (7751/4004) and how to stop if connection is allowed.
- Customers who have a software support contract
Please contact the Fujifilm Business Innovation subsidiary/distributor where you purchased your software. - Customers who do not have a software support contract
Please contact the distributor where you purchased your software.