JVNDB-2026-019941

Multiple vulnerabilities in Canon EOS Network Setting Tool

Overview

The FTP/FTPS/SFTP communication testing features of the PC software EOS Network Setting Tool, provided by Canon Inc., contain the multiple vulnerabilities listed below.
  • Improper validation of SSH host key (CWE-295) - CVE-2026-9258
  • Improper validation of server certificate (CWE-295) - CVE-2026-9259
  • Use of hard-coded cryptographic key (CWE-321) - CVE-2026-9260
  • Use of a vulnerable SSH encryption algorithm (CWE-327) - CVE-2026-9261
  • Default FTP connection settings use an insecure protocol (CWE-1188) - CVE-2026-9262
Canon Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
CVSS Severity

CVSS v3 Severity
Base Metrics: 6.5 (Medium) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2026-9258


CVSS v3 Severity
Base Metrics: 6.5 (Medium) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact(C): High
  • Integrity Impact(I): None
  • Availability Impact(A): None
The above CVSS base scores have been assigned for CVE-2026-9259


CVSS v3 Severity
Base Metrics: 6.2 (Medium) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact(C): High
  • Integrity Impact(I): None
  • Availability Impact(A): None
The above CVSS base scores have been assigned for CVE-2026-9260


CVSS v3 Severity
Base Metrics: 6.8 (Medium) [Other]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact(C): High
  • Integrity Impact(I): High
  • Availability Impact(A): None
The above CVSS base scores have been assigned for CVE-2026-9261


CVSS v3 Severity
Base Metrics: 6.5 (Medium) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact(C): High
  • Integrity Impact(I): None
  • Availability Impact(A): None
The above CVSS base scores have been assigned for CVE-2026-9262
Affected Products


Canon Inc.
  • PC Software EOS Network Setting Tool (For Windows) Versions 1.5.0 and earlier
  • PC Software EOS Network Setting Tool (For macOS) Versions 1.5.0 and earlier

The affected software is included in EOS Utility Versions 3.12.0 through 3.20.20.
Impact

Credentials used for FTP/FTPS/SFTP communication test functions may be obtained.
Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.
Vendor Information

Canon Inc.
CWE

  1. Insecure Default Initialization of Resource (CWE-1188) [Other]
  2. Improper Certificate Validation (CWE-295) [Other]
  3. Use of Hard-coded Cryptographic Key (CWE-321) [Other]
  4. Use of a Broken or Risky Cryptographic Algorithm (CWE-327) [Other]
CVE

  1. CVE-2026-9258
  2. CVE-2026-9259
  3. CVE-2026-9260
  4. CVE-2026-9261
  5. CVE-2026-9262
References

  1. JVN : JVNVU#98100934
Revision History

  • [2026/06/17]
      Web page was published