CVE-2021-38154
published 2021-08-29


Priority P2 · 7.5 high · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 4.00% (89.2th percentile)
Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HTTP access, allow remote attackers to modify an e-mail address setting, and thus cause the device to send sensitive information through e-mail to the attacker. For example, an incoming FAX may be sent through e-mail to the attacker. This occurs when a PIN is not required for General User Mode, as exploited in the wild in August 2021.

Detection & IOCs (extracted from sources)

url: /tryLogin.cgi
url: /checkLogin.cgi
cookie: fusion-http-session-id=
cookie: sessid=
command: loginM=&0000=0011&0002=
command: i0017=2&i0019=
path: /portal_top.html
  • The Shodan query 'title:"imageRUNNER"' can be used to identify exposed Canon imageRUNNER devices with Catwalk Server enabled for HTTP access.
  • An exploit attempt is a POST to /tryLogin.cgi with body 'loginM=&0000=0011&0002='; on a vulnerable device it returns an HTTP 303 redirect to /portal_top.html and sets a 'fusion-http-session-id' cookie, indicating a successful unauthenticated login.
  • An exploit attempt via the alternate login path is a POST to /checkLogin.cgi with body 'i0017=2&i0019='; on a vulnerable device it returns an HTTP 302 redirect to /portal_top.html and sets a 'sessid' cookie, indicating a successful unauthenticated login.
  • The vulnerability is exploitable only when Catwalk Server is enabled for HTTP access and no PIN is configured for General User Mode on Canon devices manufactured 2012–2020.
  • The vulnerability is only exploitable when no PIN is set for General User Mode. Devices with a PIN configured are not affected by this unauthenticated bypass.
  • Catwalk Server must be explicitly enabled for HTTP access for the attack surface to be present; devices with Catwalk Server disabled or restricted to HTTPS only may not be vulnerable.
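An added detection example, not part of this record or of any Canon or VulnCheck tooling: a Python scan over JSON-lines reverse-proxy/WAF events that flags POSTs carrying the bypass form fields from the indicators above and upgrades a hit to 'success' when the response is the documented redirect to /portal_top.html plus the session cookie. The event format, its field names (method, path, body, status, location, set_cookie, src_ip) and the sample IPs are assumptions; the body is parsed as form data so reordered or padded parameters are still caught.

```python
import json
from urllib.parse import parse_qs

# Indicators from the record above: login path, bypass form fields,
# redirect status and session cookie set on a successful bypass.
SIGNATURES = {
    "/tryLogin.cgi": {"fields": {"loginM": "", "0000": "0011", "0002": ""},
                      "status": 303, "cookie": "fusion-http-session-id="},
    "/checkLogin.cgi": {"fields": {"i0017": "2", "i0019": ""},
                        "status": 302, "cookie": "sessid="},
}

def matches_bypass_body(path, body):
    """True if the body carries the bypass fields for this login path (any order, extras allowed)."""
    sig = SIGNATURES.get(path)
    if sig is None:
        return False
    params = parse_qs(body, keep_blank_values=True)
    return all(params.get(k, [None])[0] == v for k, v in sig["fields"].items())

def classify(event):
    """Return 'success', 'attempt' or None for one event (assumed JSON field names)."""
    path = event.get("path", "")
    if event.get("method") != "POST" or not matches_bypass_body(path, event.get("body", "")):
        return None
    sig = SIGNATURES[path]
    redirected = (event.get("status") == sig["status"]
                  and event.get("location", "").endswith("/portal_top.html"))
    cookie_set = sig["cookie"] in event.get("set_cookie", "")
    return "success" if redirected and cookie_set else "attempt"

def scan(lines):
    """Return (src_ip, path, verdict) for every flagged JSON-lines event."""
    findings = []
    for line in filter(None, (ln.strip() for ln in lines)):
        event = json.loads(line)
        verdict = classify(event)
        if verdict:
            findings.append((event.get("src_ip"), event["path"], verdict))
    return findings

# Constructed sample events (not real traffic): a successful bypass, a failed
# attempt with reordered fields, a normal-looking login and an unrelated GET.
SAMPLE_LOGS = """\
{"src_ip":"203.0.113.5","method":"POST","path":"/tryLogin.cgi","body":"loginM=&0000=0011&0002=","status":303,"location":"/portal_top.html","set_cookie":"fusion-http-session-id=abc123; path=/"}
{"src_ip":"203.0.113.5","method":"POST","path":"/checkLogin.cgi","body":"i0019=&i0017=2","status":200,"location":"","set_cookie":""}
{"src_ip":"198.51.100.7","method":"POST","path":"/tryLogin.cgi","body":"loginM=admin&0000=0011&0002=x","status":200,"location":"","set_cookie":""}
{"src_ip":"198.51.100.9","method":"GET","path":"/portal_top.html","body":"","status":200,"location":"","set_cookie":""}
"""
```

Calling `scan(SAMPLE_LOGS.splitlines())` on the constructed events yields one 'success' and one 'attempt' from 203.0.113.5 and nothing for the other two lines.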

CVSS provenance

NVD v3.1: 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD v2.0: 4.3 MEDIUM · AV:N/AC:M/Au:N/C:P/I:N/A:N
VulnCheck: 7.5 HIGH