CVE-2026-9259
Description
Improper server certificate validation in Canon EOS Network Setting Tool ≤1.5.0 could expose FTP/FTPS/SFTP credentials to a man-in-the-middle attacker.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Canon EOS Network Setting Tool versions 1.5.0 and earlier (included in EOS Utility versions 3.12.0 through 3.20.20) improperly validate server certificates during FTP, FTPS, and SFTP communication tests. This allows a malicious server to present a fraudulent certificate and be accepted by the tool. [1]
Exploitation
An attacker with network position to intercept or redirect traffic (e.g., man-in-the-middle) can set up a rogue FTP/FTPS/SFTP server with a self-signed or otherwise invalid certificate. When the user initiates a communication test from the tool, the tool will connect to the attacker's server without proper certificate validation, allowing the attacker to capture the credentials entered for the test. [1]
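The bug class described above is a TLS client that accepts whatever certificate the server presents, so the credentials sent after the handshake go to whoever answers the connection. The following is an added example, not Canon's code and not derived from the fixed binary: it shows the weak client configuration next to a hardened one for an explicit-FTPS "communication test" written with Python's standard `ssl` and `ftplib`, plus a small audit helper a practitioner can run against any `SSLContext` used by their own tooling. Host, port and credentials in the usage call are hypothetical; the SFTP analogue (strict host-key checking) is not shown.

```python
import ssl
from ftplib import FTP_TLS
from typing import List, Optional


def weak_context() -> ssl.SSLContext:
    """The vulnerable pattern: a client context that accepts any server certificate.

    This is an illustration of the bug class, not Canon's implementation.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # self-signed or forged certificates are accepted
    return ctx


def make_ftps_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Hardened client context: chain and hostname are verified, TLS 1.2 or newer only.

    Pass cafile for a private CA; otherwise the platform trust store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the settings that would let a rogue server pass the handshake."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        findings.append("check_hostname is disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    return findings


def ftps_communication_test(host: str, port: int, user: str, password: str,
                            ctx: ssl.SSLContext, timeout: float = 10.0) -> bool:
    """Explicit FTPS (AUTH TLS) login followed by a protected directory listing.

    With the hardened context, ftp.auth() raises ssl.SSLCertVerificationError on a
    forged certificate, so USER/PASS are never transmitted to an unverified peer.
    """
    ftp = FTP_TLS(context=ctx, timeout=timeout)
    try:
        ftp.connect(host, port)
        ftp.auth()                    # TLS handshake; certificate checked here
        ftp.login(user, password)     # credentials only after a verified handshake
        ftp.prot_p()                  # protect the data channel as well
        ftp.nlst()
        return True
    finally:
        ftp.close()


if __name__ == "__main__":
    print("weak context findings:    ", audit_context(weak_context()))
    print("hardened context findings:", audit_context(make_ftps_context()))
    # Hypothetical target; the call below only runs against a real FTPS server.
    # ftps_communication_test("ftp.example.test", 21, "camera", "s3cret", make_ftps_context())
```

Running the audit against a context pulled out of an existing client (for example the object passed to `FTP_TLS(context=...)`) is the quickest way to confirm that a tool really rejects a self-signed certificate before it sends a password.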
Impact
Successful exploitation enables the attacker to obtain the authentication credentials (username and password) entered for the FTP/FTPS/SFTP communication test. The attacker can then log in to the legitimate server with them, and to any other service where the same username and password are in use. [1]
Mitigation
Canon has released EOS Utility version 3.20.21, which includes an updated EOS Network Setting Tool that fixes the certificate validation issue. Users should update to EOS Utility 3.20.21 or later. No workaround is provided for earlier versions. [1]
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Canon EOS Network Setting Tool: versions <=1.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four parts (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.