Canon imageCLASS MF654Cdw Printer Flaw Allows Remote Code Execution Without Authentication
A stack-based buffer overflow in Canon imageCLASS MF654Cdw printers (CVE-2025-14236) allows network-adjacent attackers to execute arbitrary code without authentication, with a patch now available.
Canon has released a security update addressing a critical vulnerability in its imageCLASS MF654Cdw printers that could allow unauthenticated, network-adjacent attackers to execute arbitrary code on affected devices. The flaw, disclosed by the Zero Day Initiative as ZDI-26-207 and tracked as CVE-2025-14236, carries a CVSS score of 8.8, reflecting its high impact on confidentiality, integrity, and availability.
The vulnerability resides in the `dtdc_addr_importSub` method of the printer's firmware. The issue is a classic stack-based buffer overflow: the software fails to properly validate the length of user-supplied data before copying it to a fixed-length stack buffer. An attacker can send a specially crafted request to the printer, overflow the buffer, and gain the ability to execute arbitrary code in the context of the device. No authentication is required to trigger the flaw, making it particularly dangerous for printers exposed on internal networks.
The vulnerability was demonstrated at the Pwn2Own hacking competition and reported by researcher TwinkleStar03 (@_twinklestar03) from DEVCORE Intern). The disclosure timeline shows that even seemingly low-risk devices like office printers remain a prime target for attackers seeking initial access to corporate networks. Printers often run full operating systems and are frequently left unpatched, making them a soft target for lateral movement.
Canon has issued a security update to correct the vulnerability. Users are advised to apply the patch as soon as possible. Canon has provided details on its European support portal at https://www.canon-europe.com/support/product-security/. The disclosure timeline shows the vulnerability was reported to Canon on November 11, 2025, and the coordinated public release occurred on March 16, 2026.
This advisory is part of a broader trend of critical vulnerabilities being discovered in enterprise printers and multifunction devices. Similar flaws have been found in HP, Xerox, and Brother devices in recent years, often exploited at Pwn2Own events. Organizations should treat printer firmware updates with the same urgency as server or workstation patches, as these devices are increasingly targeted for initial access and persistence.
For administrators, the primary mitigation is to apply the Canon update immediately. Until patched, limiting network access to printers via firewall rules and disabling unnecessary services can reduce exposure. Given the CVSS 8.8 rating and the lack of authentication required, this vulnerability should be prioritized for remediation in any environment using the imageCLASS MF654Cdw.