CVE-2025-2146
📋 TL;DR
A buffer overflow vulnerability in the WebService Authentication processing of Canon multifunction printers and laser printers allows network attackers to crash the device or execute arbitrary code with high privileges. This affects numerous Canon printer models sold in Japan, US, and Europe. The vulnerability has a critical CVSS score of 9.8 due to its network accessibility and potential for remote code execution.
💻 Affected Systems
- Satera MF656Cdw
- Satera MF654Cdw
- Satera MF551dw
- Satera MF457dw
- Color imageCLASS MF656Cdw
- Color imageCLASS MF654Cdw
- Color imageCLASS MF653Cdw
- Color imageCLASS MF652Cdw
- Color imageCLASS LBP633Cdw
- Color imageCLASS LBP632Cdw
- imageCLASS MF455dw
- imageCLASS MF453dw
- imageCLASS MF452dw
- imageCLASS MF451dw
- imageCLASS LBP237dw
- imageCLASS LBP236dw
- imageCLASS X MF1238 II
- imageCLASS X MF1643i II
- imageCLASS X MF1643iF II
- imageCLASS X LBP1238 II
- i-SENSYS MF657Cdw
- i-SENSYS MF655Cdw
- i-SENSYS MF651Cdw
- i-SENSYS LBP633Cdw
- i-SENSYS LBP631Cdw
- i-SENSYS MF553dw
- i-SENSYS MF552dw
- i-SENSYS MF455dw
- i-SENSYS MF453dw
- i-SENSYS LBP236dw
- i-SENSYS LBP233dw
- imageRUNNER 1643iF II
- imageRUNNER 1643i II
- i-SENSYS X 1238iF II
- i-SENSYS X 1238i II
- i-SENSYS X 1238P II
- i-SENSYS X 1238Pr II
📦 What is this software?
imageCLASS X LBP1238 II Firmware by Canon
imageCLASS X MF1643i II Firmware by Canon
imageCLASS X MF1643iF II Firmware by Canon
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with full device control, allowing attackers to install persistent malware, steal sensitive documents, or pivot to other network systems.
Likely Case
Denial of service causing printer unresponsiveness and disruption of printing services, potentially requiring physical reset or service.
If Mitigated
Limited impact if printers are isolated on separate VLANs with strict network access controls and regular monitoring.
🎯 Exploit Status
The vulnerability requires network access to the printer but no authentication. Exploitation complexity is low because the flaw is a buffer overflow reachable over the network.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware version newer than v05.07
Vendor Advisory: https://psirt.canon/advisory-information/cp2025-001/
Restart Required: Yes
Instructions:
1. Identify your printer model and current firmware version
2. Visit the appropriate Canon support page for your region
3. Download the latest firmware update for your specific model
4. Follow Canon's firmware update instructions for your device
5. Verify the firmware version after update completes
🔧 Temporary Workarounds
Network Segmentation
Isolate printers on separate VLANs with strict firewall rules to limit access only to authorized users and systems.
Disable WebService Authentication
If not required, disable WebService Authentication functionality through the printer's web interface settings.
🧯 If You Can't Patch
- Segment printers on isolated network VLANs with strict access controls
- Implement network monitoring and intrusion detection for printer network traffic
- Disable unnecessary printer services and features
- Restrict printer access to specific IP addresses only
🔍 How to Verify
Check if Vulnerable:
Check printer firmware version via web interface (typically http://printer-ip/) under Settings > Device Information > Firmware Version
Check Version:
No CLI command - check via printer web interface or physical display panel
Verify Fix Applied:
Verify firmware version is newer than v05.07 after applying update
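The version check above, applied to a fleet inventory, as an added example that is not from Canon or the original page. It assumes firmware strings carry a two-part `major.minor` number (for example `v05.07`); the inventory rows, host names and the `triage` helper are constructed for illustration, and the model list is a subset of the affected list on this page.

```python
import re

# Per the advisory text on this page: firmware newer than v05.07 contains the fix.
LAST_VULNERABLE = (5, 7)

def parse_firmware(text):
    """Return (major, minor) from strings like 'v05.07' or 'Ver. 5.10'; None if unreadable."""
    m = re.search(r"(\d+)\.(\d+)", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def normalize_model(name):
    """Case- and whitespace-insensitive key so 'i-sensys  lbp236dw' matches 'i-SENSYS LBP236dw'."""
    return " ".join(name.split()).casefold()

def triage(inventory, affected_models):
    """Classify each (host, model, firmware) row:
    'not-listed'  model is not in the affected list
    'unknown'     affected model, firmware unreadable (handle as vulnerable until checked)
    'vulnerable'  affected model at or below v05.07
    'patched'     affected model newer than v05.07
    """
    affected = {normalize_model(m) for m in affected_models}
    results = {}
    for host, model, firmware in inventory:
        if normalize_model(model) not in affected:
            results[host] = "not-listed"
            continue
        version = parse_firmware(firmware)
        if version is None:
            results[host] = "unknown"
        elif version <= LAST_VULNERABLE:  # integer tuples, so 05.10 sorts above 05.07
            results[host] = "vulnerable"
        else:
            results[host] = "patched"
    return results

# Constructed sample data: hosts and firmware strings are invented for illustration.
AFFECTED_SUBSET = ["imageCLASS MF455dw", "i-SENSYS LBP236dw", "Satera MF656Cdw"]
SAMPLE_INVENTORY = [
    ("prn-01", "imageCLASS MF455dw", "v05.07"),
    ("prn-02", "i-sensys  lbp236dw", "Ver. 05.10"),
    ("prn-03", "Satera MF656Cdw", ""),
    ("prn-04", "ExampleBrand X100", "v01.00"),
    ("prn-05", "Satera MF656Cdw", "v04.12"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY, AFFECTED_SUBSET).items():
        print(f"{host}: {status}")
```

Rows reported as `unknown` still need a manual check through the web interface or display panel, since an unreadable version string says nothing about patch state.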
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts to printer web services
- Printer crash/restart events in system logs
- Multiple failed authentication attempts followed by successful unusual requests
Network Indicators:
- Unusual traffic patterns to printer web service ports (typically 80/443)
- Large authentication payloads sent to printer
- Sudden printer unresponsiveness followed by network scans
SIEM Query:
source="printer_logs" AND (event_type="authentication_failure" OR event_type="service_crash") AND device_model IN (affected_models)
🔗 References
- https://canon.jp/support/support-info/250127vulnerability-response
- https://psirt.canon/advisory-information/cp2025-001/
- https://www.canon-europe.com/support/product-security/#news
- https://www.usa.canon.com/support/canon-product-advisories/service-notice-regarding-vulnerability-measure-against-buffer-overflow-for-laser-printers-and-small-office-multifunctional-printers