VYPR
Medium severity 6.2 · NVD Advisory · Published Jun 16, 2026

CVE-2026-9260

Description

Hard-coded cryptographic keys in Canon EOS Network Setting Tool up to v1.5.0 could allow attackers to retrieve credentials used in FTP/FTPS/SFTP test functions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Canon EOS Network Setting Tool versions 1.5.0 and earlier (included in EOS Utility 3.12.0 through 3.20.20) contain hard-coded cryptographic keys. These keys are used to protect authentication credentials during FTP/FTPS/SFTP communication tests, making the credentials recoverable if the keys are known. [1]

Exploitation

An attacker with access to the software binary can extract the static keys and use them to decrypt or retrieve authentication credentials transmitted or stored by the tool. No special privileges or user interaction beyond normal usage of the test function is required. [1]

Impact

Successful exploitation leads to disclosure of credentials (usernames and passwords) configured for FTP/FTPS/SFTP servers. This could enable unauthorized access to those external servers, compromising the confidentiality of the stored authentication data. [1]

Mitigation

Canon has released EOS Utility version 3.20.21 (or later), which includes an updated EOS Network Setting Tool that removes the hard-coded keys. Users should upgrade to the latest EOS Utility version. No workaround is available. [1]

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
