Pwn2Own Canon Printer Zero-Day CVE-2025-14234 Allows Unauthenticated RCE via Heap Overflow
A heap-based buffer overflow in Canon imageCLASS MF654Cdw printers, disclosed at Pwn2Own, lets network-adjacent attackers execute arbitrary code without authentication via a crafted PJCC request.

A critical vulnerability in Canon imageCLASS MF654Cdw printers, designated CVE-2025-14234, was publicly disclosed on March 16, 2026, as part of the Pwn2Own hacking contest. The flaw, a heap-based buffer overflow, allows network-adjacent attackers to execute arbitrary code on affected devices without requiring any authentication. The vulnerability resides in the CADM service, which listens on TCP port 9013 by default. An attacker can trigger the overflow by sending a specially crafted font embedded in a PJCC (Printer Job Control Command) request. This enables remote code execution in the context of the printer's firmware, giving the attacker full control over the device.
Canon has released a security update to address CVE-2025-14234. The advisory, published by the Zero Day Initiative as ZDI-26-205, credits Team ANHTUD for discovering the vulnerability. The flaw was reported to Canon on November 11, 2025, and the coordinated disclosure followed on March 16, 2026.
The CVSS score for this vulnerability is 8.8, with a vector of AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high impact on confidentiality, integrity, and availability. The attack vector is adjacent network, meaning the attacker must be on the same local network as the printer to exploit it.
This disclosure at Pwn2Own highlights the ongoing security risks in networked office equipment. Printers often run full operating systems and services that are not regularly patched, making them attractive targets for lateral movement within corporate networks. Canon's update is available through their product security portal, and users are strongly advised to apply it promptly.
This vulnerability is part of a broader trend of critical flaws discovered in printer firmware during Pwn2Own competitions, underscoring the need for manufacturers to prioritize security in embedded devices. The exploit's inclusion in the contest demonstrates its practical impact, and with details now public, attackers may quickly develop working exploits.