Canon imageCLASS MF654Cdw Printer XPS Parser Flaw Allows Remote Code Execution Without Authentication
A stack-based buffer overflow in the Canon imageCLASS MF654Cdw printer's XPS parser, disclosed through Pwn2Own, lets network-adjacent attackers execute arbitrary code without authentication.
A critical vulnerability in the Canon imageCLASS MF654Cdw printer allows network-adjacent attackers to achieve remote code execution without any authentication. The flaw, tracked as CVE-2025-14232 and carrying a CVSS score of 8.8, was discovered and responsibly disclosed by researcher SHIMIZU Yutaro (@shift_crops) of GMO Cybersecurity by Ierae, Inc. during the Pwn2Own hacking contest.
The vulnerability resides in the printer's XPS (XML Paper Specification) file parser. The specific flaw is a stack-based buffer overflow caused by a lack of proper validation of user-supplied data length validation before copying it to a stack-based buffer. An attacker can exploit this by sending a specially crafted XPS file to the affected device, leading to memory corruption that can be leveraged to execute arbitrary code in the context of the printer's firmware.
Because the vulnerability is exploitable over the network without requiring any authentication, any Canon imageCLASS MF654Cdw printer accessible from an adjacent network segment is at risk. This is particularly concerning for office environments where printers are often deployed on shared networks with minimal segmentation. Successful exploitation could allow an attacker to take full control of the printer offline, use it as a pivot point for lateral movement, or exfiltrate sensitive documents stored in the print queue.
Canon has acknowledged the vulnerability and released a security update to address the issue. The company's product security advisory page provides details on obtaining the patch. Users and administrators of the Canon imageCLASS MF654Cdw are strongly urged to apply the update immediately. The disclosure timeline shows the vulnerability was reported to Canon on November 11, 2025, with the coordinated public release occurring on March 16, 2026.
This disclosure is part of a broader trend of printer vulnerabilities being uncovered throughly examined during Pwn2Own competitions. Printers, often overlooked in enterprise security postures, have become a frequent target for researchers due to their complex parsing engines and network exposure. The Canon flaw joins a growing list of printer CVEs that highlight the need for robust patch management and network segmentation for all connected office devices.
While no active exploitation in the wild has been reported at the time of disclosure, the public release of technical details and the high CVSS score make it a prime candidate for threat actors to weaponize. Organizations should prioritize patching this vulnerability and consider restricting access to printer-specific security controls, such as disabling unnecessary services and restricting network access to only authorized print servers.