Microsoft’s Offensive Research and Security Engineering (MORSE) team has discovered a critical security vulnerability in Canon printer drivers that poses a significant threat to enterprise and consumer systems. The flaw, assigned CVE-2025-1268 with a severe CVSS score of 9.4, affects a wide range of Canon printing devices, including industrial printers, office multifunction devices, and laser printers.
Technical Analysis of the Vulnerability
The vulnerability stems from an out-of-bounds memory handling issue in EMF conversion processes across multiple Canon driver families. Affected drivers include Generic Plus PCL6, UFR II, LIPS4, LIPSXL, and PS versions 3.12 and earlier. This memory boundary violation creates a critical attack surface that could potentially allow unauthorized code execution with elevated privileges.
Two Attack Scenarios: Print Disruption and Arbitrary Code Execution
Security researchers have identified two primary attack scenarios that threat actors could exploit. The first involves disrupting printing operations, which could severely impact organizations relying on continuous printing capabilities. More critically, the second scenario enables arbitrary code execution during print processing, potentially leading to complete system compromise.
BYOVD Attack Implications
Of particular concern is the vulnerability’s potential exploitation through bring-your-own-vulnerable-driver (BYOVD) attacks. This sophisticated attack method allows malicious actors to leverage vulnerable drivers to bypass security controls and gain privileged system access, effectively circumventing modern security architectures.
Mitigation Strategies and Security Recommendations
Vendor remediation details and affected driver families are summarized in ThaiCERT’s advisory coverage of Canon’s remediation notice. Priority actions:
- Update all Canon printer drivers to versions newer than 3.12 using the latest vendor-provided packages referenced in the ThaiCERT summary of Canon’s fix guidance.
- Apply Windows Defender Application Control (WDAC) or AppLocker policies that block loading of unsigned drivers and of the affected driver versions.
- For environments where BYOVD is a concern, enable Hypervisor-Protected Code Integrity (HVCI), which blocks loading of known-vulnerable drivers at the kernel level.
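As an added illustration of the first action (not code from the article, ThaiCERT or Canon), this PowerShell script inventories installed Canon print drivers and flags those in the affected families at version 3.12 or earlier. It assumes that the DriverVersion Windows records for these packages tracks the Canon driver version cited in the advisory and that the family name appears in the driver name; both should be confirmed against Canon's own notice.

```powershell
# Added example (not from the article or Canon): audit installed Canon print drivers
# against the CVE-2025-1268 threshold above (3.12 and earlier affected).
# Assumptions: Windows reports the Canon package version in DriverVersion, and the
# affected families can be recognised from the driver name; verify against Canon's notice.

$AffectedFamilies = @('Generic Plus PCL6', 'UFR II', 'LIPS4', 'LIPSXL', 'PS')

function ConvertFrom-PackedDriverVersion {
    # Get-PrinterDriver packs four 16-bit fields into a UInt64 (major.minor.build.revision).
    param([uint64]$Packed)
    $parts = 3..0 | ForEach-Object { ($Packed -shr (16 * $_)) -band 0xFFFF }
    return [version]($parts -join '.')
}

function Test-CanonDriverAffected {
    # Returns a report object for Canon drivers in an affected family, $null otherwise.
    param([string]$Name, [string]$Manufacturer, [uint64]$Packed)
    if ($Manufacturer -notlike '*Canon*' -and $Name -notlike '*Canon*') { return $null }
    $family = $AffectedFamilies | Where-Object { $Name -like "*$_*" } | Select-Object -First 1
    if (-not $family) { return $null }
    $ver = ConvertFrom-PackedDriverVersion $Packed
    # Compare on major.minor only so that 3.12.0.0 still counts as 3.12 (affected).
    $affected = ($ver.Major -lt 3) -or ($ver.Major -eq 3 -and $ver.Minor -le 12)
    [pscustomobject]@{ Name = $Name; Family = $family; Version = $ver; Affected = $affected }
}

# Constructed sample record: a Generic Plus PCL6 driver at 3.12.0.0 (packed 0x0003000C00000000).
$sample = [pscustomobject]@{
    Name = 'Canon Generic Plus PCL6'; Manufacturer = 'Canon'; DriverVersion = [uint64]0x0003000C00000000
}
Test-CanonDriverAffected -Name $sample.Name -Manufacturer $sample.Manufacturer -Packed $sample.DriverVersion

# Live inventory of the local print server (run elevated; PrintManagement module, Windows 8 / Server 2012 and later).
Get-PrinterDriver | ForEach-Object {
    Test-CanonDriverAffected -Name $_.Name -Manufacturer $_.Manufacturer -Packed $_.DriverVersion
} | Where-Object { $_ } | Format-Table -AutoSize
```

Run the same query against remote print servers with Get-PrinterDriver -ComputerName to cover a fleet, and treat any row with Affected = True as a driver to replace with the vendor package referenced in the ThaiCERT summary.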