Discovery
During a recent network security assessment, we were working on an environment that was well-hardened – patching was current, password policies were strong, and network segmentation was in place. So, as part of our enumeration of all network assets, we started looking for default credentials, and this led us to multiple Canon enterprise printers configured with default administrator credentials.
Enterprise printers are an interesting attack surface because it is common practice to have them configured with domain credentials. So, with administrative access, we tried to execute auth-back attacks by modifying the printer’s configuration to point to our server for credential capture or relay. However, network segmentation controls blocked this attack, as outbound controls prevented traffic from reaching our attacker-controlled subnet.
We needed a different approach. We turned our attention to how the printer handled stored credentials. Specifically, we were curious to look at what happened to them during export. While exploring the printer’s administrative interface, we found a configuration export feature that allows administrators to back up device settings. This immediately raised a question: how were stored credentials being protected during export? Canon’s documentation states that exporting sensitive data requires encryption and the web interface presents encryption options (Security Level 1 and 2) that appear mandatory. However, we quickly discovered that these controls are implemented client-side without server-side validation.
Vulnerability
Canon imageRUNNER ADVANCE DX printers provide a configuration export feature that is accessible through the web management interface. The web UI appears to enforce encryption by requiring a user-supplied password before export. An attacker with administrative access could supply their own password, but that only produces an encrypted file. Without knowledge of Canon’s proprietary encryption scheme, the file remains opaque even to the person who set the password, making decryption a non-trivial reverse engineering problem. The actual enforcement, however, relies entirely on a client-side parameter in the HTTP POST request. By modifying this parameter from “encrypted” to “plaintext”, the server accepts the request without validation and returns the complete configuration file in plaintext, including all stored credentials.
While successful exploitation of this vulnerability requires administrative access, the prevalence of default credentials on these devices means exploitation is often trivial. This matters because enterprise printers store credentials for accessing network resources, which is exactly what an attacker needs for lateral movement.
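The trust failure described above, illustrated with a hypothetical export handler (an added example, not Canon’s code, endpoint or request format): the vulnerable handler lets the client’s format flag decide whether stored credentials are encrypted, while the hardened one makes that decision on the server. SAMPLE_CONFIG, the parameter names and the encryption routine are all constructed stand-ins.

```python
import hashlib, hmac, json, os

# Constructed sample of a device configuration that holds stored credentials.
SAMPLE_CONFIG = {
    "hostname": "printer-01",
    "smb": {"user": "svc-scan", "password": "ExampleP@ss"},
    "ldap": {"bind_dn": "cn=svc-ldap", "password": "ExampleLdap"},
}
SECRET_PATHS = {("smb", "password"), ("ldap", "password")}

def encrypt_blob(data: bytes, password: str) -> dict:
    """Stand-in for a vendor's proprietary export encryption (hypothetical):
    PBKDF2 key, HMAC-SHA256 keystream XORed CTR-style, HMAC tag over the
    ciphertext. A real product would use an AEAD such as AES-GCM."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    stream = b"".join(hmac.new(key, b"ks" + i.to_bytes(4, "big"), "sha256").digest()
                      for i in range(len(data) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return {"salt": salt.hex(), "ct": ct.hex(), "tag": hmac.new(key, ct, "sha256").hexdigest()}

def redact(config: dict) -> dict:
    """Deep copy of the config with every credential field blanked."""
    out = json.loads(json.dumps(config))
    for section, field in SECRET_PATHS:
        if field in out.get(section, {}):
            out[section][field] = "<redacted>"
    return out

def export_vulnerable(params: dict, config=SAMPLE_CONFIG) -> dict:
    """Trusts the client-supplied format flag. The web UI only ever sends
    'encrypted', but nothing on the server stops a modified request from
    sending 'plaintext' and receiving every stored credential."""
    if params.get("format") == "encrypted":
        return {"format": "encrypted",
                **encrypt_blob(json.dumps(config).encode(), params["password"])}
    return {"format": "plaintext", "config": config}

def export_hardened(params: dict, config=SAMPLE_CONFIG) -> dict:
    """Policy lives on the server: a plaintext export never carries
    credentials, and an encrypted export requires a validated password.
    The client's flag chooses between two safe outputs, never an unsafe one."""
    if params.get("format") == "plaintext":
        return {"format": "plaintext", "config": redact(config)}
    password = params.get("password", "")
    if len(password) < 12:
        raise PermissionError("export password of at least 12 characters required")
    return {"format": "encrypted",
            **encrypt_blob(json.dumps(config).encode(), password)}
```

The same pattern applies to any "secure mode" flag a web UI sets for the user: if the server only honours the flag rather than enforcing the policy, the flag is not a control.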
Note on reproduction details: At Canon’s request, we have omitted detailed reproduction steps from this publication. Canon is currently assessing whether additional product lines are affected, and full technical details will be shared once that scoping is complete and patches are broadly available.
Impact
During our assessment, this vulnerability enabled us to:
- Extract domain service account credentials in plaintext
- Leverage extracted credentials to circumvent network segmentation controls that had previously blocked our attack path
- Move laterally to other critical systems and escalate privileges
- Achieve complete domain compromise from a printer with default credentials
Canon has confirmed that the vulnerability affects over 200 printer models beyond the one originally reported. Please refer to Canon’s advisory for detailed information.
The Broader Lesson: The Security Blindspot
This vulnerability points to a gap that keeps showing up: network devices managed outside traditional security processes.
Printers, VoIP systems, and other IoT devices often fall into organizational silos. The security best practices applied to servers and workstations don’t extend uniformly to these devices. As a result, you get default credentials in production, missing security patches, overly permissive service accounts, and configurations prioritizing convenience over security. These devices are treated as relatively low-risk assets that don’t warrant the same scrutiny as critical infrastructure.
But from an attacker’s perspective, they’re ideal targets. They have network access, store credentials for other systems, and run exploitable services. And they’re frequently overlooked in security assessments, creating persistent vulnerabilities even as the rest of the infrastructure hardens.
Remediation Recommendations
Organizations using Canon printers should:
- Review Canon’s security advisory to identify affected models in your fleet and apply available firmware updates
- Immediately change default credentials on all devices to strong, unique passwords
- Review and rotate credentials stored in printer address books, SMB configurations, and email settings
- Audit all network devices for default credentials
- Restrict network access to printer management interfaces
Disclosure Timeline
- January 11, 2026 – Praetorian submitted the report to Canon PSIRT
- January 12, 2026 – Canon confirmed receipt of the report
- February 8, 2026 – Canon confirmed the vulnerability
- April 9, 2026 – Canon confirmed the publication date for the security advisory and reserved CVE-2026-1789
- April 23, 2026 – Security advisory published