Canon imageCLASS MF654Cdw Printer Flaw CVE-2025-14237 Allows RCE via Malicious Fonts
A critical integer overflow in Canon imageCLASS MF654Cdw printers, discovered at Pwn2Own, lets unauthenticated attackers execute arbitrary code by sending a crafted TrueType font.
Canon has released a security update for a critical vulnerability in its imageCLASS MF654Cdw printers that could allow remote attackers to take full control of the device. The flaw, tracked as CVE-2025-14237 and carrying a CVSS score of 8.8, was discovered by Team Neodyme during the Pwn2Own hacking competition and disclosed on March 16, 2026.
The vulnerability resides in the printer's TrueType font (TTF) parsing engine. When the printer processes a specially crafted font file, an integer overflow occurs before a buffer is allocated. This memory corruption can be exploited by an unauthenticated attacker on the same network to execute arbitrary code in the context of the device. Because the printer does not require authentication to process print jobs or network requests, the attack surface is broad.
Canon imageCLASS MF654Cdw printers are widely deployed in small and medium offices, where they handle sensitive documents and are often connected directly to internal networks. An attacker who compromises such a printer could use it as a foothold to pivot to other systems, intercept print jobs, or disrupt operations. The vulnerability is especially dangerous because it requires no user interaction — a malicious print job or network packet is sufficient.
Canon has issued a firmware update to address the flaw. The company's advisory, available on its European product security page, urges all MF654Cdw owners to apply the patch immediately. No workarounds have been published, so updating firmware is the only reliable mitigation. Canon has not reported any active exploitation outside of the Pwn2Own demonstration.
This disclosure follows a pattern of printer vulnerabilities uncovered at Pwn2Own events, where researchers have repeatedly demonstrated that multifunction printers are a weak link in enterprise security. The Canon flaw joins a growing list of printer bugs that allow code execution via document parsing, including previous issues in HP and Brother devices.
Organizations using the affected Canon printer should prioritize patching and consider segmenting printers onto isolated VLANs to limit the blast radius of any future compromise. The vulnerability underscores the importance of treating printers as full-fledged network devices that require regular security updates.