Canon imageCLASS MF654Cdw Printer Flaw Allows Remote Code Execution via TrueType Font Parsing
A critical out-of-bounds write vulnerability in Canon imageCLASS MF654Cdw printers, demonstrated at Pwn2Own, allows network-adjacent attackers to execute arbitrary code without authentication.

A critical vulnerability in Canon imageCLASS MF654Cdw printers, designated CVE-2025-14235, allows network-adjacent attackers to achieve remote code execution without authentication. The flaw, disclosed by Zero Day Initiative as ZDI-26-206, was demonstrated at the Pwn2Own hacking contest and carries a CVSS score of 8.8.
The vulnerability resides in the printer's parsing of TrueType fonts. The issue results from improper validation of user-supplied data, leading to a write past the end of an allocated object. An attacker can exploit this to execute arbitrary code in the context of the device, potentially gaining full control over the printer.
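To make the bug class concrete, here is an added illustration that is not Canon's firmware code and not the Pwn2Own exploit: a minimal sfnt/TrueType table-directory reader in C. The offset and length fields of each table record are attacker-controlled input, and the routine shows the checks whose absence turns a crafted font into a write past the end of the destination buffer. The font bytes used below are constructed in the block.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* sfnt layout: 12-byte offset table, then 16-byte table records
 * (tag, checksum, offset, length; all big-endian). */
#define TT_HEADER_LEN 12
#define TT_RECORD_LEN 16

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Copy the table named `tag` out of a font blob into dst.
 * Returns the table length, or -1 when any file-supplied field is out of range.
 * The vulnerable shape of this routine is `memcpy(dst, font + off, len)` with
 * off/len taken straight from the record: a length larger than dst_cap (or an
 * off+len past the file) then writes beyond the allocated object. */
int tt_copy_table(const uint8_t *font, size_t font_len, const char tag[4],
                  uint8_t *dst, size_t dst_cap) {
    if (font_len < TT_HEADER_LEN) return -1;
    size_t num_tables = be16(font + 4);
    /* The whole directory must lie inside the file before any record is read. */
    if (num_tables > (font_len - TT_HEADER_LEN) / TT_RECORD_LEN) return -1;
    for (size_t i = 0; i < num_tables; i++) {
        const uint8_t *rec = font + TT_HEADER_LEN + i * TT_RECORD_LEN;
        if (memcmp(rec, tag, 4) != 0) continue;
        uint32_t off = be32(rec + 8), len = be32(rec + 12);
        /* Check the two source bounds separately so off + len cannot wrap. */
        if (off > font_len || len > font_len - off) return -1;
        /* Source range is valid; the destination must be large enough too. */
        if (len > dst_cap) return -1;
        memcpy(dst, font + off, len);
        return (int)len;
    }
    return -1; /* tag absent */
}

/* Constructed sample: one-table font with a "head" record whose advertised
 * length (`claimed_len`) may differ from the bytes actually present
 * (`payload_len`). Returns the total number of bytes written to buf. */
size_t build_font(uint8_t *buf, uint32_t claimed_len, uint32_t payload_len) {
    uint32_t off = TT_HEADER_LEN + TT_RECORD_LEN;
    memset(buf, 0, off + payload_len);
    buf[1] = 0x01;                      /* sfnt version 0x00010000 */
    buf[5] = 0x01;                      /* numTables = 1 */
    uint8_t *rec = buf + TT_HEADER_LEN;
    memcpy(rec, "head", 4);
    for (int b = 0; b < 4; b++) {       /* big-endian offset and length */
        rec[8 + b]  = (uint8_t)(off >> (24 - 8 * b));
        rec[12 + b] = (uint8_t)(claimed_len >> (24 - 8 * b));
    }
    memset(buf + off, 0xAB, payload_len);
    return off + payload_len;
}
```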
Canon has released a security update to address the flaw. Users can find more details and the update at Canon's product security page: https://www.canon-europe.com/support/product-security/. The vulnerability was reported to Canon on November 11, 2025, and the coordinated public disclosure occurred on March 16, 2026.
The flaw was discovered and reported by the research team PHP HOOLIGANS, who demonstrated the exploit at Pwn2Own. This contest highlights critical vulnerabilities in widely used devices, often leading to patches and improved security.
Given the network-adjacent attack vector, the vulnerability is particularly dangerous in enterprise environments where printers are often connected to internal networks. Successful exploitation could allow attackers to pivot to other systems or exfiltrate sensitive data.
Canon imageCLASS MF654Cdw printers are common in small to medium-sized businesses. Administrators are urged to apply the security update immediately and consider network segmentation to limit exposure. This vulnerability underscores the importance of securing IoT devices, which are increasingly targeted by attackers.