Canon imageCLASS MF654Cdw Printer Flaw Exploited at Pwn2Own Gets Emergency Patch
Canon has released a security update for a critical heap-based buffer overflow in the imageCLASS MF654Cdw printer that was demonstrated at Pwn2Own Berlin 2026, allowing unauthenticated network-adjacent attackers to achieve remote code execution.
Canon has issued an emergency security update for its imageCLASS MF654Cdw printer after researchers demonstrated a critical remote code execution vulnerability at the Pwn2Own Berlin 2026 hacking contest. The flaw, tracked as CVE-2025-14231 and assigned a CVSS score of 8.8, allows unauthenticated attackers on the same network segment to take full control of the device without any user interaction.
The vulnerability resides in the printer's SOAP request parsing mechanism. According to the advisory published by the Zero Day Initiative (ZDI-26-203), the bug is a heap-based buffer overflow in a fixed-length heap-based buffer. When the printer processes a specially crafted XML SOAP request, it fails to properly validate the length of user-supplied data before copying it into memory, enabling an attacker to overwrite adjacent heap structures and hijack execution flow.
The flaw was discovered and responsibly disclosed by a team of researchers from STAR Labs SG Pte. Ltd., including Nguyễn Hoàng Thạch, Gerrard Tai, Cherie-Anne Lee, Tan Ze Jian, and Lin Ze Wei. The team demonstrated the exploit live at Pwn2Own Berlin 2026, where participants collectively earned $1.3 million for 47 zero-day vulnerabilities across enterprise and AI products.
Canon has released a firmware update to address the vulnerability. The company's European support portal provides instructions for obtaining the patch. Users of the imageCLASS MF654Cdw are strongly advised to apply the update immediately, as the vulnerability requires no authentication and can be triggered by any device within network proximity.
The Canon imageCLASS MF654Cdw is a popular color laser multifunction printer commonly deployed in small and medium-sized offices. Its network-adjacent attack vector means that any device connected to the same local network as the printer could be used to launch an exploit, making internal network segmentation a critical mitigation until patches are applied.
This disclosure follows a broader trend of increasing scrutiny on printer and IoT device security. Printers have historically been overlooked in enterprise patch management, yet they often run full operating systems and expose complex network services. The Pwn2Own demonstration underscores how such devices can serve as entry points for lateral movement within corporate networks.
Canon has not disclosed whether the vulnerability has been exploited in the wild beyond the Pwn2Own demonstration. However, given the public availability of exploit techniques shown at the contest, security researchers expect proof-of-concept code to emerge quickly, raising the urgency for organizations to patch affected devices without delay.