CVE-2024-12649
📋 TL;DR
A buffer overflow (CWE-787, out-of-bounds write) in the XPS font-processing code of several Canon small office multifunction printers and laser printers lets an attacker who can deliver print data to the device over the network (in practice, anyone on a network segment from which the printer's print ports are reachable) crash the printer or execute arbitrary code on it. Affected models are sold under the Satera (Japan), Color imageCLASS (US) and i-SENSYS (Europe) names. The CVSS 3.x base score of 9.8 (critical) reflects network reachability with no authentication and no user interaction, so this is a vulnerability requiring immediate attention.
💻 Affected Systems
- Satera MF656Cdw
- Satera MF654Cdw
- Color imageCLASS MF656Cdw
- Color imageCLASS MF654Cdw
- Color imageCLASS MF653Cdw
- Color imageCLASS MF652Cdw
- Color imageCLASS LBP633Cdw
- Color imageCLASS LBP632Cdw
- i-SENSYS MF657Cdw
- i-SENSYS MF655Cdw
- i-SENSYS MF651Cdw
- i-SENSYS LBP633Cdw
- i-SENSYS LBP631Cdw
📦 What is this software?
The embedded firmware of Canon's small office multifunction printers and laser printers (Satera, Color imageCLASS and i-SENSYS lines). The vulnerable component is the firmware's handler for XPS (XML Paper Specification) print data, specifically the code that parses fonts embedded in XPS documents. Any client that can submit a print job can trigger that parser.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete device compromise, lateral movement to other network systems, and persistent backdoor installation.
Likely Case
Printer becomes unresponsive (DoS) requiring physical restart, potentially disrupting business operations.
If Mitigated
If print traffic to the device is restricted to trusted print servers, an attacker cannot reach the vulnerable code path; a crash triggered from an allowed host is limited to denial of service but still requires a device restart.
🎯 Exploit Status
Network access to the printer's print services is required, but no authentication is needed. The page references no public proof-of-concept. Crashing the device (DoS) is the easiest outcome of an out-of-bounds write (CWE-787); turning it into reliable code execution requires reverse engineering the printer firmware, so treat RCE as plausible but not demonstrated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware newer than v05.04 (check vendor advisory for exact version)
Vendor Advisory: https://psirt.canon/advisory-information/cp2025-001/
Restart Required: Yes
Instructions:
1. Visit the Canon support website for your region.
2. Download the latest firmware for your specific model.
3. Upload the firmware to the printer via the web interface or USB.
4. The printer restarts automatically after the update.
🔧 Temporary Workarounds
Network Segmentation
Isolate printers on a separate VLAN or network segment and permit print ports (9100/tcp, 631/tcp, 515/tcp) only from trusted print servers, so that arbitrary hosts cannot submit jobs directly.
Disable XPS Printing
If possible, disable XPS printing (the XPS print data path) on the device so that the vulnerable font parser is not reachable. Note that clients sending PCL or PostScript are unaffected by this change.
🧯 If You Can't Patch
- Segment printers from general user networks using firewall rules
- Monitor printer network traffic for suspicious XPS-related activity
🔍 How to Verify
Check if Vulnerable:
Check printer firmware version via web interface (typically http://printer-ip) under Maintenance or System Settings
Check Version:
No CLI command - use printer web interface or physical panel to check firmware version
Verify Fix Applied:
Confirm that the firmware version shown in the web interface or on the panel is newer than v05.04 (check the vendor advisory for the exact fixed build for your model). Do not test by sending crafted XPS files to production devices: the pre-patch outcome is a crash that needs a physical restart.
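Because there is no CLI or remote version check, the practical way to find affected devices is to export model and firmware version per printer from an asset database (or collect them from the web interfaces) and triage the list. The following script is an added example, not Canon's code or tooling: it matches the model names listed on this page and treats firmware v05.04 and earlier as affected, which is an assumption taken from the fix section above and must be confirmed against the Canon advisory. The inventory rows are constructed sample data.

```python
import re

# Models named on this page from the Canon advisory (Japan / US / Europe names).
AFFECTED_MODELS = {
    "Satera MF656Cdw", "Satera MF654Cdw",
    "Color imageCLASS MF656Cdw", "Color imageCLASS MF654Cdw",
    "Color imageCLASS MF653Cdw", "Color imageCLASS MF652Cdw",
    "Color imageCLASS LBP633Cdw", "Color imageCLASS LBP632Cdw",
    "i-SENSYS MF657Cdw", "i-SENSYS MF655Cdw", "i-SENSYS MF651Cdw",
    "i-SENSYS LBP633Cdw", "i-SENSYS LBP631Cdw",
}

# ASSUMPTION (from this page, not verified against the advisory): firmware
# v05.04 and earlier is affected. Adjust once the exact fixed build is known.
LAST_AFFECTED_FIRMWARE = (5, 4)


def normalize_model(name: str) -> str:
    """Collapse whitespace and case so 'Satera  MF654Cdw' matches the list."""
    return " ".join(name.split()).lower()


_AFFECTED = {normalize_model(m) for m in AFFECTED_MODELS}


def parse_firmware(version: str) -> tuple[int, ...]:
    """Turn 'v05.04', 'Ver 05.04' or '5.4' into a comparable tuple of ints."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"no numeric firmware version in {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(model: str, firmware: str) -> bool:
    """True if the model is on the advisory list and the firmware is not newer
    than the last affected build. Only the first two components are compared,
    so a sub-build such as 05.04.01 is flagged for manual review rather than
    silently treated as fixed."""
    if normalize_model(model) not in _AFFECTED:
        return False
    return parse_firmware(firmware)[:2] <= LAST_AFFECTED_FIRMWARE


def triage(inventory: list[dict]) -> list[dict]:
    """Annotate each inventory row with PATCH / ok / unknown-version."""
    out = []
    for dev in inventory:
        try:
            status = "PATCH" if is_affected(dev["model"], dev["firmware"]) else "ok"
        except ValueError:
            status = "unknown-version"   # version field empty or unparseable
        out.append({**dev, "status": status})
    return out


# Constructed sample export; hostnames and values are illustrative only.
INVENTORY = [
    {"host": "prn-fin-01", "model": "Color imageCLASS MF656Cdw", "firmware": "v05.04"},
    {"host": "prn-hr-02", "model": "i-SENSYS LBP633Cdw", "firmware": "v05.10"},
    {"host": "prn-ops-03", "model": "Satera  MF654Cdw", "firmware": "Ver 04.02"},
    {"host": "prn-lab-04", "model": "i-SENSYS MF651Cdw", "firmware": "n/a"},
    {"host": "prn-mkt-05", "model": "Other model (not in advisory)", "firmware": "v05.01"},
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(f'{row["host"]:12} {row["model"]:32} {row["firmware"]:10} {row["status"]}')
```

Rows marked unknown-version need a manual check on the device panel; rows marked ok for a listed model should still be re-checked once Canon publishes the exact fixed build, since the threshold here is taken from this page rather than the advisory.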
📡 Detection & Monitoring
Log Indicators:
- Printer crash/restart logs
- Failed XPS print jobs
- Unusual network traffic to the printer on 9100/tcp (raw printing); XPS data can also arrive over IPP (631/tcp) or LPD (515/tcp), so watch those ports too
Network Indicators:
- Large or malformed XPS documents sent to printer
- Unexpected connections to printer from unauthorized hosts
SIEM Query:
(source="printer_logs" AND (event="crash" OR event="restart")) OR (dest_ip="printer_ip" AND dest_port IN (9100, 631, 515) AND bytes_in > threshold)
Note: the original query mixed AND/OR without parentheses and matched the port as a protocol; replace printer_ip and threshold with your printer addresses and a job-size baseline for your fleet.
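The network indicators above (oversized or malformed XPS packages, submissions from unauthorized hosts) can be checked on reassembled print-job flows, for example from a capture or a proxy in front of the printer VLAN. The script below is an added example and is not Canon's code or a detection published with the advisory. It assumes a print-server subnet, size thresholds and a printer address that are all hypothetical, and it builds its own sample XPS-shaped packages in memory, so it runs offline. XPS documents are OPC (ZIP) packages containing FixedDocumentSequence.fdseq and font parts under Resources/, which is what the inspection keys on.

```python
import io
import ipaddress
import zipfile
from dataclasses import dataclass

# Ports on which print data normally reaches a printer. The page names 9100/tcp;
# IPP and LPD are included because XPS jobs can arrive over any print path.
PRINT_PORTS = {9100: "raw", 631: "ipp", 515: "lpd"}

# Hypothetical policy: only the print-server subnet may submit jobs directly.
AUTHORIZED_SUBMITTERS = [ipaddress.ip_network("10.10.5.0/24")]

# Hypothetical thresholds; tune them to the job sizes seen in your fleet.
MAX_JOB_BYTES = 50 * 1024 * 1024
MAX_FONT_PART_BYTES = 1024 * 1024

FONT_SUFFIXES = (".odttf", ".ttf", ".otf")   # font parts inside an XPS package


@dataclass
class PrintFlow:
    src: str
    dst: str
    dport: int
    payload: bytes   # reassembled job data, or as much of it as was captured


def inspect_xps(payload: bytes) -> list[str]:
    """Return indicators for a payload that looks like an XPS (OPC/ZIP) package."""
    if not payload.startswith(b"PK\x03\x04"):
        return []                                  # not a ZIP container at all
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return ["malformed_package"]                # ZIP magic but unparseable: truncated or crafted
    if not any(i.filename.endswith(".fdseq") for i in infos):
        return []                                  # a ZIP, but not an XPS document
    findings = ["xps_job"]
    for i in infos:
        # file_size is the declared uncompressed size from the central directory;
        # a crafted package can lie about it, so treat this as a hint, not proof.
        if i.filename.lower().endswith(FONT_SUFFIXES) and i.file_size > MAX_FONT_PART_BYTES:
            findings.append(f"oversized_font_part:{i.filename}:{i.file_size}")
    return findings


def analyze(flow: PrintFlow) -> list[str]:
    """Apply the page's network indicators to one reassembled print flow."""
    if flow.dport not in PRINT_PORTS:
        return []
    alerts: list[str] = []
    if not any(ipaddress.ip_address(flow.src) in net for net in AUTHORIZED_SUBMITTERS):
        alerts.append(f"unauthorized_submitter:{flow.src}")
    if len(flow.payload) > MAX_JOB_BYTES:
        alerts.append(f"oversized_job:{len(flow.payload)}")
    alerts.extend(inspect_xps(flow.payload))
    return alerts


def build_xps(font_bytes: int) -> bytes:
    """Construct a minimal XPS-shaped package (sample data, not a real document).
    Entries are stored uncompressed so truncating the bytes produces a broken ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("FixedDocumentSequence.fdseq", "<FixedDocumentSequence/>")
        zf.writestr("Documents/1/Resources/Fonts/F1.odttf", b"\x00" * font_bytes)
    return buf.getvalue()


PRINTER = "10.10.9.31"   # hypothetical printer address
SAMPLE_FLOWS = [         # constructed flows
    PrintFlow("10.10.5.20", PRINTER, 9100, build_xps(4096)),               # normal job from print server
    PrintFlow("10.10.77.143", PRINTER, 9100, build_xps(2 * 1024 * 1024)),  # workstation, 2 MiB font part
    PrintFlow("10.10.77.143", PRINTER, 9100, build_xps(4096)[:700]),       # truncated / crafted package
    PrintFlow("10.10.5.20", PRINTER, 443, b"\x16\x03\x01"),                # not a print port, ignored
]


def run() -> dict[int, list[str]]:
    return {i: analyze(f) for i, f in enumerate(SAMPLE_FLOWS)}


if __name__ == "__main__":
    for i, alerts in run().items():
        f = SAMPLE_FLOWS[i]
        print(f"{f.src} -> {f.dst}:{f.dport}  {alerts or 'clean'}")
```

The font-size heuristic is deliberately loose: the advisory does not describe which font structure overflows, so the script only flags what a defender can see without a crash sample (unexpected submitters, unparseable packages, abnormally large font parts) and leaves the final call to the analyst.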
🔗 References
- https://canon.jp/support/support-info/250127vulnerability-response
- https://psirt.canon/advisory-information/cp2025-001/
- https://www.canon-europe.com/support/product-security/#news
- https://www.usa.canon.com/support/canon-product-advisories/service-notice-regarding-vulnerability-measure-against-buffer-overflow-for-laser-printers-and-small-office-multifunctional-printers