JVNDB-2025-008145

Epson Web Installer for Mac vulnerable to missing authentication for critical function

Epson Web Installer for Mac provided by SEIKO EPSON CORPORATION contains a missing authentication for critical function vulnerability.
Epson Web Installer for Mac provided by SEIKO EPSON CORPORATION is used to install drivers for SEIKO EPSON's products. It contains "helper tool" and launches it in the middle of the execution.

"helper tool" contains the following vulnerability.

• Missing authentication for critical function (CWE-306) - CVE-2025-4960


• This is exploitable only while "helper tool" is running.

Carlos Garrido of Pentraze Cybersecurity reported this vulnerability to SEIKO EPSON CORPORATION and coordinated. After the coordination was completed, SEIKO EPSON CORPORATION reported the case to JPCERT/CC to notify users of the solution through JVN.

SEIKO EPSON CORPORATION

• (Multiple Products)

A wide range of products are affected. As for the details, refer to the information provided by the developer.

If a user is directed to execute a crafted file, arbitrary information may be retrieved and/or altered, or may cause a DoS condition on the Mac system where Epson Web Installer for Mac is runnning.

"helper tool" has been fixed by the developer on June 23, 2025.

When Epson Web Installer for Mac is executed, the updated version is checked and downloaded if available. Moreover, "helper tool" is automatically deleted after execution.
Therefore, the users do not need to take any action to address the vulnerability.

SEIKO EPSON CORPORATION

• SEIKO EPSON CORPORATION : Security Vulnerability when installing drivers/software using the Mac version of Epson Web Installer and epson.sn (in Japanese)

1. Missing Authentication for Critical Function(CWE-306) [Other]

1. CVE-2025-4960

1. JVN : JVNVU#93543156

• [2025/07/08]
    Web page was published