CVE-2025-14237 is a buffer overflow vulnerability classified under CWE-787 that exists in the XPS font parsing functionality of Canon's Small Office Multifunction Printers and Laser Printers, specifically the Satera LBP670C Series and multiple other related models across different regional brands (Color imageCLASS, i-SENSYS, imageRUNNER). The flaw resides in the way the printer firmware (version 06.02 and earlier) processes XPS font data, allowing an attacker on the same network segment to send specially crafted print jobs that trigger an out-of-bounds write. This can lead to memory corruption, causing the device to crash or enabling the execution of arbitrary code with no authentication or user interaction required. The vulnerability affects a broad range of devices sold in Japan, the US, and Europe, indicating a wide attack surface. The CVSS 4.0 base score of 9.3 highlights the critical nature of this issue, with network attack vector, low attack complexity, no privileges or user interaction needed, and high impact on confidentiality, integrity, and availability. While no public exploits are currently known, the vulnerability's characteristics make it a prime candidate for future exploitation, especially in environments where these printers are accessible on internal networks. The lack of available patches at the time of disclosure increases the urgency for interim mitigations.

The exploitation of CVE-2025-14237 can have severe consequences for organizations worldwide. Attackers can remotely crash affected printers, causing denial of service and disrupting business operations reliant on printing and scanning functions. More critically, arbitrary code execution could allow attackers to take control of the printer, potentially using it as a foothold to pivot into internal networks, exfiltrate sensitive documents, or launch further attacks. Given that these printers often handle confidential documents, the compromise could lead to data leakage or manipulation. The vulnerability's network-based exploitation without authentication means that attackers only need access to the same network segment, which could be achieved via compromised devices or insider threats. Organizations with large deployments of Canon multifunction printers in office environments, especially those in regulated industries or with sensitive data, face heightened risk. The broad geographic distribution of affected models also means multinational organizations must consider global exposure. The inability to patch immediately may prolong the window of vulnerability, increasing the risk of exploitation.

To mitigate CVE-2025-14237, organizations should first check for and apply any firmware updates released by Canon addressing this vulnerability as soon as they become available. Until patches are deployed, network segmentation should be enforced to isolate affected printers from general user networks and restrict access to trusted devices only. Implement strict access controls and monitor network traffic for unusual print job submissions or malformed XPS font data packets. Disable unnecessary network protocols and services on the printers to reduce the attack surface. Employ network intrusion detection systems (NIDS) tuned to detect anomalous traffic patterns targeting printer ports and protocols. Regularly audit printer firmware versions and configurations to ensure compliance with security policies. Additionally, consider replacing end-of-life or unsupported printer models that cannot be patched. Educate IT staff about the risks of printer vulnerabilities and establish incident response plans specifically for printer-related security incidents.