CVE-2026-9262

Vulnerability

Canon EOS Network Setting Tool versions 1.5.0 and earlier (bundled with EOS Utility Ver.3.12.0 through Ver.3.20.20) use a non-secure protocol as the default FTP configuration [1]. This means that FTP connections, rather than secure FTPS or SFTP, are the default choice when performing communication tests within the tool. Affected software includes both Windows and macOS editions [1].

Exploitation

An attacker with network access (e.g., via man-in-the-middle position) can intercept FTP traffic initiated by the tool during connection testing. No special authentication or user interaction beyond using the tool's default FTP settings is required; the tool will connect using plaintext FTP by default unless the user manually selects a secure alternative [1].

Impact

Successful exploitation allows an attacker to capture authentication credentials (username and password) transmitted in cleartext during FTP/FTPS/SFTP communication tests [1]. This leads to information disclosure of sensitive credentials, which could then be reused to access other systems or services the victim operates.

Mitigation

Canon has released EOS Utility Ver.3.20.21 (which includes the fixed EOS Network Setting Tool) as of the publication date [1]. Users should update to this or a later version. No workaround is documented for versions prior to the fix; users should avoid using the FTP test feature until updated [1].