PT-2021-21971 · Canon · Catwalk Server

Published: 2021-08-29 · Updated: 2025-10-11 · CVE-2021-38154

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Canon devices manufactured in 2012 through 2020, such as imageRUNNER ADVANCE iR-ADV C5250
Description: The issue allows a remote attacker to modify the device's e-mail address setting when Catwalk Server is enabled for HTTP access, causing the device to send sensitive information by e-mail to the attacker. This can include forwarding an incoming FAX by e-mail to the attacker. The issue occurs when a PIN is not required for General User Mode. There have been real-world incidents in which this issue was exploited, specifically in August 2021.
Recommendations: For Canon devices manufactured in 2012 through 2020, require a PIN for General User Mode to prevent unauthorized access. Additionally, disabling Catwalk Server for HTTP access mitigates the risk of exploitation until a patch is available. Restricting who can modify the e-mail address settings also helps minimize the risk.

Weakness Enumeration: Incorrect Permission

Related Identifiers: CVE-2021-38154

Affected Products: Catwalk Server, imageRUNNER ADVANCE