
JVNDB-2025-004079

Improper access permission settings in multiple SEIKO EPSON printer drivers for Windows OS

Overview

Multiple SEIKO EPSON printer drivers for Windows OS are configured with improper access permission settings when installed or used in a language other than English.

* Incorrect default permissions (CWE-276) - CVE-2025-42598

Private security researcher Erkan Ekici reported this vulnerability to the developer and coordinated with them. The developer and JPCERT/CC each published an advisory to notify users of this vulnerability.

CVSS Severity

CVSS V3 Severity:
Base Metrics 7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Affected Products

SEIKO EPSON CORPORATION
  • (Multiple Products)

A wide range of printer drivers is affected. For more information, please refer to the information under "Vendor Status".

Impact

An attacker may execute arbitrary code with SYSTEM privileges on a Windows system on which the printer driver is installed.

It is assumed that a user is directed to place a crafted DLL file in a location of the attacker's choosing.

Solution

[Apply the countermeasure tool]
Based on the information provided by the developer, run the Epson Software Updater, download and install the Security vulnerability patch, download and install the Epson Printer Driver Security Support Tool, etc.

Vendor Information

SEIKO EPSON CORPORATION

CWE

  1. Incorrect Default Permissions (CWE-276) [Other]

CVE

  1. CVE-2025-42598

References

  1. JVN : JVNVU#90649144

Revision History

  • [2025/04/30]
      Web page was published