CVE-2025-42598 Overview
CVE-2025-42598 affects multiple SEIKO EPSON printer drivers for Windows when installed or used in a language other than English. The drivers ship with improper access permission settings on driver-related files and directories. An attacker who convinces a user to place a crafted DLL in a location of the attacker's choosing can execute arbitrary code with SYSTEM privileges. The flaw is classified under CWE-276: Incorrect Default Permissions and requires local access with user interaction. Refer to the JVN Security Advisory and the Epson Driver Product List for the full set of affected drivers.
Critical Impact
Successful exploitation grants SYSTEM-level arbitrary code execution on Windows hosts running the vulnerable EPSON printer driver in a non-English locale.
Affected Products
- Multiple SEIKO EPSON printer drivers for Windows OS (non-English installations)
- Driver versions enumerated in the Epson Driver Product List
- Windows systems where the affected driver is installed under a non-English language configuration
Discovery Timeline
- 2025-04-28 - CVE-2025-42598 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-42598
Vulnerability Analysis
The vulnerability stems from incorrect default permissions applied to printer driver directories and files when the driver is installed or operated in a non-English Windows language environment. Standard users gain write access to locations that are loaded by a process running as SYSTEM. This breaks the trust boundary between unprivileged users and the local Print Spooler service.
The issue maps to CWE-276, Incorrect Default Permissions. Because exploitation requires the attacker to be local and to coerce user interaction (for example, placing or executing a payload), the attack vector is Local rather than network-based. SYSTEM-level code execution allows full host compromise, credential theft, persistence, and lateral movement.
Root Cause
The installer and runtime components apply Discretionary Access Control List (DACL) entries that grant write access to non-administrative users on driver directories. The localized installation flow fails to enforce the restrictive permissions used in the English build. Files in these writable locations are subsequently loaded by privileged driver processes.
Attack Vector
An attacker with local, low-privileged access plants a crafted Dynamic Link Library (DLL) in a writable, attacker-controlled directory that is referenced by the vulnerable EPSON driver. When the privileged driver process loads the planted DLL, the malicious code executes with SYSTEM privileges. The attack pattern aligns with classic DLL search-order hijacking and DLL planting techniques against over-permissive driver paths.
No public proof-of-concept code has been released. Technical details are described in prose only; see the JVN Security Advisory and Epson Security Notification for vendor guidance.
Detection Methods for CVE-2025-42598
Indicators of Compromise
- Unexpected DLL files written into EPSON printer driver directories by non-administrative users
- Child processes spawned by EPSON driver services or the Print Spooler running as SYSTEM with unusual command lines
- Modifications to DACLs on EPSON driver folders that grant write access to standard users or Authenticated Users
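One way to check for the over-permissive DACLs described above, as an added example that is not Epson's or the advisory's own code. The function name and the trusted-SID list are assumptions made for illustration, and the root path is taken from the icacls example on this page; principals are matched by well-known SID because group names are localized on non-English Windows.

```powershell
# Report ACEs that let non-administrative principals write inside a driver tree.
# Well-known SIDs are locale-independent, unlike names such as "Users".
$TrustedSids = @(
    'S-1-5-18',      # SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Get-NonAdminWriteAce {
    param([Parameter(Mandatory)][string[]]$Root)

    # Rights that allow planting or replacing a file, plus GENERIC_WRITE and GENERIC_ALL.
    $rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = [int]$rights -bor 0x40000000 -bor 0x10000000

    foreach ($dir in $Root) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $items = @(Get-Item -LiteralPath $dir -Force) +
                 @(Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            $sidType = [System.Security.Principal.SecurityIdentifier]
            foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
                $sid = $ace.IdentityReference.Value
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($TrustedSids -contains $sid) { continue }
                if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $sid
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Assumed location, taken from the icacls example on this page; adjust per driver.
Get-NonAdminWriteAce -Root 'C:\Program Files\EPSON' | Format-Table -AutoSize
```

Any row returned for Users (S-1-5-32-545), Authenticated Users (S-1-5-11) or Everyone (S-1-1-0) is a directory or file that a standard user can modify.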
Detection Strategies
- Audit file creation and modification events (Windows Event ID 4663) on EPSON driver installation paths under C:\Program Files and C:\ProgramData
- Hunt for rundll32.exe, spoolsv.exe, or EPSON driver binaries loading DLLs from user-writable locations
- Correlate non-admin user write activity to driver paths with subsequent SYSTEM-context process creation (Event ID 4688)
Monitoring Recommendations
- Enable Sysmon Event IDs 7 (Image Loaded) and 11 (File Create) with filters covering EPSON driver directories
- Forward Print Spooler service logs and process telemetry to a centralized SIEM for correlation
- Baseline normal driver DLL load paths and alert on deviations or newly introduced modules
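The correlation described in the lists above, sketched against Sysmon Event IDs 11 and 7 as an added example that is not part of the original advisory. The function names, the sample records and the `ExampleDriver`/`example.dll` names are constructed for illustration, and it assumes a Sysmon build that records the User field on File Create events.

```powershell
# Flatten a Sysmon event record into an object with one property per <Data Name="...">.
function ConvertFrom-SysmonEvent {
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $h = [ordered]@{ Id = $Record.Id }
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        [pscustomobject]$h
    }
}

# Pair a DLL written under $PathPrefix by a non-SYSTEM account (ID 11)
# with a later load of the same file by a SYSTEM process (ID 7).
function Find-PlantedDllLoad {
    param([object[]]$Events, [string]$PathPrefix, [string]$SystemAccount)
    $creates = $Events | Where-Object {
        $_.Id -eq 11 -and $_.User -ne $SystemAccount -and
        $_.TargetFilename -like "$PathPrefix*.dll"
    }
    foreach ($c in $creates) {
        $Events | Where-Object {
            $_.Id -eq 7 -and $_.User -eq $SystemAccount -and
            $_.ImageLoaded -eq $c.TargetFilename -and
            [datetime]$_.UtcTime -ge [datetime]$c.UtcTime
        } | ForEach-Object {
            [pscustomobject]@{
                Dll = $c.TargetFilename; WrittenBy = $c.User; WrittenAt = $c.UtcTime
                LoadedBy = $_.Image; LoadedAt = $_.UtcTime
            }
        }
    }
}

# Constructed sample records (not real telemetry); folder and DLL names are placeholders.
# The SYSTEM account name is localized, so resolve it from its SID on the local host.
$sys = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-18').Translate([System.Security.Principal.NTAccount]).Value
$sample = @(
    [pscustomobject]@{ Id = 11; UtcTime = '2025-05-01 09:00:00.000'; User = 'WKS01\alice'
        Image = 'C:\Windows\explorer.exe'; TargetFilename = 'C:\Program Files\EPSON\ExampleDriver\example.dll' }
    [pscustomobject]@{ Id = 7; UtcTime = '2025-05-01 09:05:00.000'; User = $sys
        Image = 'C:\Windows\System32\spoolsv.exe'; ImageLoaded = 'C:\Program Files\EPSON\ExampleDriver\example.dll' }
)
Find-PlantedDllLoad -Events $sample -PathPrefix 'C:\Program Files\EPSON\' -SystemAccount $sys

# Live data: replace $sample with
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7, 11 } | ConvertFrom-SysmonEvent
```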
How to Mitigate CVE-2025-42598
Immediate Actions Required
- Inventory all Windows endpoints running EPSON printer drivers, prioritizing systems configured in non-English locales
- Apply the updated driver provided by Epson per the Epson Security Notification
- Restrict local logon and remove unnecessary local user accounts on print servers and shared workstations
Patch Information
SEIKO EPSON has published guidance and updated drivers. Consult the Epson FAQ on Security for the patched driver versions and download locations. Cross-reference your installed products with the Epson Driver Product List before deployment.
Workarounds
- Manually tighten DACLs on EPSON driver directories to remove write permissions for non-administrative principals
- Restrict driver installation and use to administrators only via Group Policy until patched drivers are deployed
- Where feasible, remove unused or legacy EPSON drivers from endpoints to reduce attack surface
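# Example: review and restrict permissions on an EPSON driver directory
# Principals are given as well-known SIDs (icacls "*SID" form) because group names are localized on non-English Windows:
# *S-1-5-11 = Authenticated Users, *S-1-5-32-544 = Administrators, *S-1-5-18 = SYSTEM, *S-1-5-32-545 = Users
# Show the current DACL, remove the explicit Authenticated Users grant, then replace the explicit grants for Administrators, SYSTEM and Users
icacls "C:\Program Files\EPSON\<DriverFolder>"
icacls "C:\Program Files\EPSON\<DriverFolder>" /remove:g "*S-1-5-11"
icacls "C:\Program Files\EPSON\<DriverFolder>" /grant:r "*S-1-5-32-544:(OI)(CI)F" "*S-1-5-18:(OI)(CI)F" "*S-1-5-32-545:(OI)(CI)RX"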

