Buffer overflow in WebService Authentication processing of Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera MF656Cdw/Satera MF654Cdw/Satera MF551dw/Satera MF457dw firmware v05.07 and earlier sold in Japan. Color imageCLASS MF656Cdw/Color imageCLASS MF654Cdw/Color imageCLASS MF653Cdw/Color imageCLASS MF652Cdw/Color imageCLASS LBP633Cdw/Color imageCLASS LBP632Cdw/imageCLASS MF455dw/imageCLASS MF453dw/imageCLASS MF452dw/imageCLASS MF451dw/imageCLASS LBP237dw/imageCLASS LBP236dw/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II/imageCLASS X LBP1238 II firmware v05.07 and earlier sold in US. i-SENSYS MF657Cdw/i-SENSYS MF655Cdw/i-SENSYS MF651Cdw/i-SENSYS LBP633Cdw/i-SENSYS LBP631Cdw/i-SENSYS MF553dw/i-SENSYS MF552dw/i-SENSYS MF455dw/i-SENSYS MF453dw/i-SENSYS LBP236dw/i-SENSYS LBP233dw/imageRUNNER 1643iF II/imageRUNNER 1643i II/i-SENSYS X 1238iF II/i-SENSYS X 1238i II/i-SENSYS X 1238P II/i-SENSYS X 1238Pr II firmware v05.07 and earlier sold in Europe.
The vulnerability (CWE-787 — out-of-bounds write) occurs in the component responsible for processing WebService authentication requests. An attacker in the network segment to which the device is connected can send a specially crafted network request that causes a buffer overflow in the device's memory. The consequence may be overwriting critical memory areas, which leads either to device suspension (DoS) or arbitrary code execution (RCE). The attack requires no authentication or user interaction.
An attacker can gain full control of the device by executing arbitrary code or permanently disable its operation. In case of RCE, the device can be used as an entry point for further penetration of the internal network.
Firmware of affected devices should be updated to a version newer than v05.07, applying patches available from the manufacturer according to references published by Canon PSIRT (https://psirt.canon/advisory-information/cp2025-001/). Until the patch is installed, it is recommended to restrict network access to the WebService interface of the devices — for example, by isolating printers in a dedicated VLAN or blocking access to them from untrusted network segments.
Firmware version v05.07 and earlier for a wide range of Canon devices sold in Japan (Satera MF656Cdw, MF654Cdw, MF551dw, MF457dw), USA (Color imageCLASS MF656Cdw/MF654Cdw/MF653Cdw/MF652Cdw/LBP633Cdw/LBP632Cdw, imageCLASS MF455dw/MF453dw/MF452dw/MF451dw/LBP237dw/LBP236dw, imageCLASS X MF1238 II/MF1643i II/MF1643iF II/LBP1238 II) and Europe (i-SENSYS MF657Cdw/MF655Cdw/MF651Cdw/LBP633Cdw/LBP631Cdw/MF553dw/MF552dw/MF455dw/MF453dw/LBP236dw/LBP233dw, imageRUNNER 1643iF II/1643i II, i-SENSYS X 1238iF II/1238i II/1238P II/1238Pr II).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCanon Imageclass Lbp236dw
HWCanonwszystkie wersjeCanon Imageclass Lbp236dw Firmware
OSCanon≤ 05.07Canon Imageclass Lbp237dw
HWCanonwszystkie wersjeCanon Imageclass Lbp237dw Firmware
OSCanon≤ 05.07Canon Imageclass Lbp632cdw
HWCanonwszystkie wersjeCanon Imageclass Lbp632cdw Firmware
OSCanon≤ 05.07Canon Imageclass Lbp633cdw
HWCanonwszystkie wersjeCanon Imageclass Lbp633cdw Firmware
OSCanon≤ 05.07Canon Imageclass Mf451dw
HWCanonwszystkie wersjeCanon Imageclass Mf451dw Firmware
OSCanon≤ 05.07Canon Imageclass Mf452dw
HWCanonwszystkie wersjeCanon Imageclass Mf452dw Firmware
OSCanon≤ 05.07Canon Imageclass Mf453dw
HWCanonwszystkie wersjeCanon Imageclass Mf453dw Firmware
OSCanon≤ 05.07Canon Imageclass Mf455dw
HWCanonwszystkie wersjeCanon Imageclass Mf455dw Firmware
OSCanon≤ 05.07Canon Imageclass Mf652cdw
HWCanonwszystkie wersjeCanon Imageclass Mf652cdw Firmware
OSCanon≤ 05.07Canon Imageclass Mf653cdw
HWCanonwszystkie wersjeCanon Imageclass Mf653cdw Firmware
OSCanon≤ 05.07Canon Imageclass Mf654cdw
HWCanonwszystkie wersjeCanon Imageclass Mf654cdw Firmware
OSCanon≤ 05.07Canon Imageclass Mf656cdw
HWCanonwszystkie wersjeCanon Imageclass Mf656cdw Firmware
OSCanon≤ 05.07Canon Imageclass X Lbp1238 Ii
HWCanonwszystkie wersjeCanon Imageclass X Lbp1238 Ii Firmware
OSCanon≤ 05.07Canon Imageclass X Mf1238 Ii
HWCanonwszystkie wersjeCanon Imageclass X Mf1238 Ii Firmware
OSCanon≤ 05.07Canon Imageclass X Mf1643if Ii
HWCanonwszystkie wersjeCanon Imageclass X Mf1643if Ii Firmware
OSCanon≤ 05.07
Related vulnerabilities
Buffer overflow in CPCA Resource Download process of Office / Small Office Multifunction Printers and Laser Pr...
Buffer overflow in the Address Book of Mobile Device function of Office / Small Office Multifunction Printers ...
Buffer overflow in mDNS NSEC record registering process of Office / Small Office Multifunction Printers and La...
Buffer overflow in NetBIOS QNAME registering and communication process of Office / Small Office Multifunction ...
Buffer overflow in IPP number-up attribute process of Office / Small Office Multifunction Printers and Laser P...