CVE-2025-14235: Canon Printer Buffer Overflow Vulnerability

CVE-2025-14235 Overview

CVE-2025-14235 is a critical buffer overflow vulnerability affecting XPS font fpgm data processing in Canon Small Office Multifunction Printers and Laser Printers. This vulnerability allows an attacker on the network segment to trigger the affected product to become unresponsive or execute arbitrary code on the vulnerable device.

The vulnerability exists in the handling of XPS (XML Paper Specification) font data, specifically within the fpgm (font program) processing component. When specially crafted XPS font data is processed by vulnerable Canon printers, it can cause a buffer overflow condition that an attacker could leverage to compromise the device.

Critical Impact
Network-accessible attackers can exploit this vulnerability to execute arbitrary code on affected Canon printers or cause denial of service, potentially compromising print infrastructure and gaining a foothold within the network.

Affected Products

Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier (sold in Japan)
Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier (sold in US)
i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier (sold in Europe)

Discovery Timeline

2026-01-16 - CVE-2025-14235 published to NVD
2026-01-16 - Last updated in NVD database

Technical Details for CVE-2025-14235

Vulnerability Analysis

This vulnerability is classified as CWE-787 (Out-of-bounds Write), which occurs when the software writes data past the end, or before the beginning, of the intended buffer. In the context of CVE-2025-14235, the buffer overflow occurs during the processing of XPS font fpgm (font program) data.

XPS documents can contain embedded font data, including fpgm instructions that are part of the TrueType font format. The fpgm table contains a program that is executed when a font is first loaded. When vulnerable Canon printers process malformed fpgm data within an XPS document, insufficient bounds checking allows data to be written beyond allocated buffer boundaries.

The vulnerability can be exploited remotely over the network without authentication or user interaction. An attacker positioned on the same network segment as the vulnerable printer can send specially crafted XPS print jobs containing malicious font data to trigger the overflow condition.

Root Cause

The root cause of CVE-2025-14235 is improper validation of XPS font fpgm data size and structure before processing. The firmware fails to properly verify that font program data fits within allocated memory buffers, allowing an out-of-bounds write condition when oversized or malformed fpgm data is encountered. This lack of boundary checking in the font parsing routines enables memory corruption.

Attack Vector

The attack vector for this vulnerability is network-based. An attacker on the same network segment as the vulnerable printer can exploit this vulnerability by:

Crafting a malicious XPS document containing specially designed fpgm font data
Sending the document to the vulnerable printer via standard print protocols (e.g., LPD, IPP, or direct TCP/IP printing)
When the printer processes the XPS document and parses the malicious font data, the buffer overflow occurs
Successful exploitation can result in arbitrary code execution on the printer or denial of service

The vulnerability does not require authentication, and no user interaction is needed beyond the attacker having network access to the printer.

Detection Methods for CVE-2025-14235

Indicators of Compromise

Unexpected printer crashes or restarts, particularly when processing print jobs
Unusual network traffic patterns to/from printer devices on XPS-related ports
Print spooler errors or failed print jobs involving XPS documents
Anomalous behavior from printers such as unexpected configuration changes

Detection Strategies

Monitor network traffic for suspicious XPS document submissions to printers, particularly from unusual source IPs
Implement network segmentation monitoring to detect unauthorized access to printer network segments
Deploy IDS/IPS rules to inspect print protocol traffic for anomalous XPS font data patterns
Audit print server logs for failed or suspicious XPS document processing attempts

Monitoring Recommendations

Establish baseline network behavior for printer devices and alert on deviations
Monitor printer firmware versions across the organization to identify unpatched devices
Implement logging on print servers to capture XPS document processing events
Set up alerts for printer device restarts or unexpected offline status

How to Mitigate CVE-2025-14235

Immediate Actions Required

Update firmware on all affected Canon printers to versions newer than v06.02
Isolate vulnerable printers on a separate network segment with restricted access until patching is complete
Disable XPS printing functionality if not required and the feature can be disabled
Implement firewall rules to restrict network access to printers from untrusted sources

Patch Information

Canon has released security patches to address this vulnerability. Affected organizations should update printer firmware to the latest version available from Canon. For detailed patch information and firmware downloads, refer to the following official Canon advisories:

Workarounds

Implement network segmentation to isolate printers from general network traffic and limit exposure
Configure firewall rules to allow print traffic only from authorized print servers and workstations
Disable direct IP printing and route all print jobs through managed print servers with additional security controls
If XPS printing is not business-critical, consider disabling XPS document processing until firmware updates can be applied

bash

# Example firewall rule to restrict printer access (adjust IPs as needed)
# Allow print traffic only from authorized print server
iptables -A INPUT -p tcp --dport 9100 -s 192.168.1.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 9100 -j DROP
# Allow IPP only from print server
iptables -A INPUT -p tcp --dport 631 -s 192.168.1.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 631 -j DROP

CVE-2025-14235 Overview

Critical Impact
Network-accessible attackers can exploit this vulnerability to execute arbitrary code on affected Canon printers or cause denial of service, potentially compromising print infrastructure and gaining a foothold within the network.

Affected Products

Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier (sold in Japan)
Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier (sold in US)
i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier (sold in Europe)

Discovery Timeline

2026-01-16 - CVE-2025-14235 published to NVD
2026-01-16 - Last updated in NVD database

Technical Details for CVE-2025-14235

Vulnerability Analysis

Root Cause

Attack Vector

The attack vector for this vulnerability is network-based. An attacker on the same network segment as the vulnerable printer can exploit this vulnerability by:

Crafting a malicious XPS document containing specially designed fpgm font data
Sending the document to the vulnerable printer via standard print protocols (e.g., LPD, IPP, or direct TCP/IP printing)
When the printer processes the XPS document and parses the malicious font data, the buffer overflow occurs
Successful exploitation can result in arbitrary code execution on the printer or denial of service

The vulnerability does not require authentication, and no user interaction is needed beyond the attacker having network access to the printer.

Detection Methods for CVE-2025-14235

Indicators of Compromise

Unexpected printer crashes or restarts, particularly when processing print jobs
Unusual network traffic patterns to/from printer devices on XPS-related ports
Print spooler errors or failed print jobs involving XPS documents
Anomalous behavior from printers such as unexpected configuration changes

Detection Strategies

Monitor network traffic for suspicious XPS document submissions to printers, particularly from unusual source IPs
Implement network segmentation monitoring to detect unauthorized access to printer network segments
Deploy IDS/IPS rules to inspect print protocol traffic for anomalous XPS font data patterns
Audit print server logs for failed or suspicious XPS document processing attempts

Monitoring Recommendations

Establish baseline network behavior for printer devices and alert on deviations
Monitor printer firmware versions across the organization to identify unpatched devices
Implement logging on print servers to capture XPS document processing events
Set up alerts for printer device restarts or unexpected offline status

How to Mitigate CVE-2025-14235

Immediate Actions Required

Update firmware on all affected Canon printers to versions newer than v06.02
Isolate vulnerable printers on a separate network segment with restricted access until patching is complete
Disable XPS printing functionality if not required and the feature can be disabled
Implement firewall rules to restrict network access to printers from untrusted sources

Patch Information

Workarounds

Implement network segmentation to isolate printers from general network traffic and limit exposure
Configure firewall rules to allow print traffic only from authorized print servers and workstations
Disable direct IP printing and route all print jobs through managed print servers with additional security controls
If XPS printing is not business-critical, consider disabling XPS document processing until firmware updates can be applied

bash

# Example firewall rule to restrict printer access (adjust IPs as needed)
# Allow print traffic only from authorized print server
iptables -A INPUT -p tcp --dport 9100 -s 192.168.1.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 9100 -j DROP
# Allow IPP only from print server
iptables -A INPUT -p tcp --dport 631 -s 192.168.1.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 631 -j DROP

CVE-2025-14235: Canon Printer Buffer Overflow Vulnerability

CVE-2025-14235 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2025-14235

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2025-14235

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2025-14235

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2025-14235: Canon Printer Buffer Overflow Vulnerability

CVE-2025-14235 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2025-14235

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2025-14235

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2025-14235

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform