
Canon and Xerox Printer Vulnerabilities: What You Need to Know

Written by Jamie Bsales | Apr 4, 2025 12:00:00 AM

 


Recent security disclosures have highlighted serious vulnerabilities in Canon and Xerox printers. These flaws range from buffer overflow bugs in Canon devices to credential theft issues in Xerox VersaLink multifunction printers. In worst-case scenarios, an attacker could execute malicious code on an unsecured printer or capture sensitive network credentials—potentially leading to a wider network compromise. Below, we break down the vulnerabilities affecting each vendor, the products and software impacted, their severity and risks, what fixes the manufacturers have released, as well as how customers can protect their printer environments.

 

 

Canon Printer Vulnerability

Canon revealed that multiple buffer overflow vulnerabilities exist in a range of Canon laser printers and small office multifunction printers. If one of these devices is exposed directly to the Internet (without a firewall or router isolation), an unauthenticated remote attacker could exploit the buffer overflows to execute arbitrary code on the device or cause a Denial-of-Service (DoS), crashing the printer. Canon assigned three Common Vulnerabilities and Exposures (CVE) IDs (CVE-2024-12647, CVE-2024-12648, CVE-2024-12649) to these firmware issues, underlining the severity of the threat. (CVE refers to a publicly accessible database that lists and catalogs known security vulnerabilities in software and hardware, assigning each a unique ID for easier sharing, prioritization, and protection.)

 

The vulnerable models include numerous devices in the imageCLASS series, such as the MF450/460 series and MF650 series, as well as imageCLASS LBP series laser printers. These models (and potentially others) running older firmware are susceptible to the buffer overflow attacks. Canon’s advisory indicates these are critical vulnerabilities, as evidenced by the potential for remote code execution and the possibility that an Internet-based attacker could take control of the printer without any credentials. The primary risk is that an attacker could leverage an unprotected Canon device as an entry point—running malicious code on the printer, stealing information it processes, or using it to pivot deeper into the network.

 

Canon acknowledged these vulnerabilities and provided mitigations and fixes. The company strongly urged customers to immediately isolate at-risk printers from direct Internet access (for example, by assigning a private IP address and placing the device behind a firewall or secure router). This network configuration prevents outside attackers from reaching the printer directly. Moreover, Canon has made updated firmware available for the affected models to remediate the buffer overflow issues, and it advises all users to install the latest firmware as soon as possible. Firmware downloads addressing these CVEs were released through Canon’s regional support websites and users can update the printers via the built-in firmware update function or manually.

 

Canon Print Driver Vulnerability

Separately, a critical vulnerability in Canon’s printer drivers was recently reported. Microsoft’s Offensive Research and Security Engineering (MORSE) team discovered an out-of-bounds write flaw in the drivers used by various Canon printers. This vulnerability, tracked as CVE-2025-1268, affects the Generic Plus printer drivers for PCL6, UFR II, LIPS, LIPSXL, and PostScript (version 3.12 and earlier). Essentially, the driver’s Enhanced Metafile (EMF) recode processing function did not properly handle certain data, which could lead to memory corruption. Because the flaw is in the driver software (not the printer firmware), it potentially affects a broad range of Canon printer models that rely on these drivers for printing.

 

This is considered a high-severity vulnerability because an attacker could exploit it to execute arbitrary code on a system via a malicious print job. According to Canon, if a crafted or malicious application sends a print job that triggers this driver bug, it could not only prevent the document from printing but also allow the attacker to run code with the privileges of the driver. This could lead to a compromise of the PC hosting the printer driver, effectively turning a printing operation into a cyber-attack vector.

 

Canon moved quickly to address the driver flaw. Canon's Product Security Incident Response Team (PSIRT) issued an advisory and released patched driver versions that fix the out-of-bounds error. Users are advised to download and install the updated drivers from Canon’s official support websites or through their Canon sales representatives. By late March 2025, updated Generic Plus drivers were made available globally.
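A triage sketch for the two Canon issues above (the Internet-exposed firmware flaws and the Generic Plus driver flaw), added here as an illustration and not taken from Canon or Keypoint Intelligence. The inventory rows, host names and version string format are constructed assumptions; only the "3.12 and earlier" threshold comes from the text above.

```python
import ipaddress

# RFC 1918 ranges listed explicitly: ipaddress.is_private is also True for
# loopback, link-local and documentation ranges, which is broader than "private LAN".
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAST_AFFECTED_DRIVER = (3, 12)  # "version 3.12 and earlier" per the article

# Constructed inventory (names, addresses and versions are sample values).
PRINTERS = [("mf-lobby", "192.168.10.21"), ("lbp-branch", "203.0.113.10")]
DRIVERS = [
    ("ws-014", "Canon Generic Plus PCL6", "3.12"),
    ("ws-015", "Canon Generic Plus UFR II", "V2.90"),
    ("ws-016", "Canon Generic Plus PS3", "3.20"),
    ("ws-017", "Example Vendor PCL", "1.0"),
]

def parse_version(text):
    """'V3.12' -> (3, 12). Integer tuples avoid float and string comparison errors."""
    return tuple(int(part) for part in text.lstrip("vV").split("."))

def triage(printers, drivers):
    """Return (asset, finding) pairs for exposed printers and affected drivers."""
    findings = []
    for name, ip in printers:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in RFC1918):
            findings.append((name, f"{ip} is not an RFC 1918 address: isolate it"))
    for host, driver, version in drivers:
        # Compare major.minor only, so a '3.12.x' build is still flagged for review.
        if "generic plus" in driver.lower() and \
                parse_version(version)[:2] <= LAST_AFFECTED_DRIVER:
            findings.append((host, f"{driver} {version}: update the driver"))
    return findings

if __name__ == "__main__":
    for asset, finding in triage(PRINTERS, DRIVERS):
        print(f"{asset}: {finding}")
```

A private address only shows that the printer is not directly addressable from outside; port forwarding on the router still has to be checked separately.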

 

Xerox VersaLink Printer Vulnerabilities

Xerox has also released fixes for serious vulnerabilities in its VersaLink series of enterprise multifunction printers. Research by Rapid7 (as reported by SecurityWeek) uncovered that certain VersaLink models were susceptible to “pass-back” attacks, which could allow an attacker to steal Windows Active Directory credentials by abusing the printer’s authentication workflows. Two specific CVEs have been assigned: CVE-2024-12510 and CVE-2024-12511.

 

Rapid7 discovered that a malicious actor with access to a Xerox VersaLink printer’s configuration could manipulate it to expose stored credentials. In the case of CVE-2024-12510, the target is the LDAP authentication configuration on the printer. According to the Rapid7 report, if an attacker (having gained admin access to the printer’s web interface or console) changes the LDAP server address to point to a fake server and then triggers an LDAP lookup, the printer would send the LDAP bind credentials to the attacker’s server in clear text—effectively handing over the LDAP username and password.

 

The second flaw (CVE-2024-12511) involves the printer’s address book for Scan-to-SMB/FTP features—functionality that Keypoint Intelligence recommends be turned off when configuring any MFP. Here, an attacker can modify the address book entries—specifically the destination server IP for an SMB or FTP file scan—to an attacker-controlled machine. When the printer tries to perform the scan or file upload, it will attempt to authenticate to the malicious SMB/FTP server, allowing the attacker to capture the hashed Windows credentials (NetNTLMv2 handshake) or FTP password that the printer uses. The attacker might then crack the hash or reuse it in an SMB relay attack to impersonate the user on the network. In both cases, the vulnerabilities essentially turn the printer into an unwitting credential phishing tool on the internal network.

 

The issues were found in Xerox VersaLink C7020, C7025, and C7030 series multifunction printers running firmware version 57.69.91 and earlier. It’s important to note that exploiting these flaws requires a degree of access, as the attacker would need to already have administrator-level access to the printer’s management interface (or physical access to the control panel) to change settings. This means the attack is likely to be launched by an insider or after compromising the printer’s admin credentials. However, the impact of a successful exploit is severe: The attacker can obtain valid Active Directory credentials, which could then be used to move laterally through the organization’s network and compromise other systems (potentially domain controllers or file servers).

 

Xerox was notified of these issues in 2024 and developed a fix in the form of a firmware update by the end of January 2025. Xerox also provided interim mitigation advice to help protect devices that cannot be immediately patched. Administrators are advised to use strong, complex passwords for the printer’s admin account (good advice for any MFP), which reduces the chance of an attacker easily gaining admin access to the web console. Xerox further recommends avoiding the use of highly privileged domain accounts in the printer’s configurations. For instance, the account used for LDAP binding or SMB scanning on the printer should be a service account with limited permissions, not an administrator of the domain.
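Both pass-back flaws depend on a credential-bearing destination being changed, so the settings can be audited against a known-good baseline, along with Xerox's advice on low-privilege accounts. This is an added example, not Xerox or Rapid7 code; the snapshot layout, host names and account names are constructed assumptions.

```python
# Constructed sample data; the snapshot layout is an assumption, not a Xerox export format.
APPROVED_HOSTS = {"dc01.corp.example", "files01.corp.example"}
PRIVILEGED_ACCOUNTS = {"administrator", "svc-domainadmin"}

BASELINE = {
    "ldap": {"server": "dc01.corp.example", "bind_user": "svc-mfp-ldap"},
    "address_book": [
        {"name": "Finance scans", "protocol": "smb",
         "host": "files01.corp.example", "user": "svc-mfp-scan"},
    ],
}
CURRENT = {
    "ldap": {"server": "10.20.30.40", "bind_user": "svc-mfp-ldap"},
    "address_book": [
        {"name": "Finance scans", "protocol": "smb",
         "host": "files01.corp.example", "user": "Administrator"},
        {"name": "HR scans", "protocol": "ftp",
         "host": "192.0.2.77", "user": "svc-mfp-scan"},
    ],
}

def credential_targets(snapshot):
    """Yield (setting, host, account) for each place the printer sends stored credentials."""
    ldap = snapshot["ldap"]
    yield "ldap", ldap["server"].lower(), ldap["bind_user"].lower()
    for entry in snapshot["address_book"]:
        if entry["protocol"] in ("smb", "ftp"):
            yield (f"address_book:{entry['name']}",
                   entry["host"].lower(), entry["user"].lower())

def audit(baseline, current):
    """Return sorted (setting, finding) pairs for pass-back preconditions."""
    before = {setting: host for setting, host, _ in credential_targets(baseline)}
    findings = []
    for setting, host, account in credential_targets(current):
        if host not in APPROVED_HOSTS:
            findings.append((setting, f"unapproved destination {host}"))
        if setting not in before:
            findings.append((setting, "new credential-bearing entry"))
        elif before[setting] != host:
            findings.append((setting, f"destination changed from {before[setting]}"))
        if account in PRIVILEGED_ACCOUNTS:
            findings.append((setting, f"privileged account {account}"))
    return sorted(findings)

if __name__ == "__main__":
    for setting, finding in audit(BASELINE, CURRENT):
        print(f"{setting}: {finding}")
```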

 

Keypoint Intelligence Opinion

The vulnerabilities in Canon and Xerox printers serve as a reminder that printers must be treated as critical IT assets when it comes to security. Businesses often overlook printers in their cybersecurity strategy but, as shown above, a printer can become an entry point for hackers—whether to run malware (in Canon’s case) or to exfiltrate credentials (in Xerox’s case). It is, therefore, vital to proactively secure these devices and keep up to date on the manufacturer’s updates.

 
