CVE-2026-9258: Improper validation of SSH host keys in Canon EOS Network Setting Tool Version 1.5.0 or earlier
Improper validation of SSH host keys in Canon EOS Network Setting Tool Version 1.5.0 or earlier
Metrics
- CVSS v4.0: 7.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 2
HarborGuard Analysis
Synopsis
This is an SSH host key validation bypass in Canon EOS Network Setting Tool version 1.5.0 and earlier, for both Windows and macOS: the tool does not properly verify the host key presented by the SSH server it connects to, which lets an attacker mount a man-in-the-middle attack. The attacker needs no credentials; what they need is a position on the network path between the victim's host and the SSH server, and the victim must take an action in the tool, such as initiating a connection or a file transfer. Successful exploitation lets the attacker impersonate the server and read confidential data the tool exchanges over what the user believes is a secure channel. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as Canon publishes a fix version.
HarborGuard Coverage
Detection for CVE-2026-9258 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle the Canon EOS Network Setting Tool.
HarborGuard scores this CVE at 7.1 HIGH using the published CVSS v4.0 vector and weights findings against each customer environment's compliance policy, routing confirmed matches to the appropriate team inbox within that organization.
Because Canon has not yet published a fix version, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention once a fix version exists.
Exploit Conditions
- Network reachability: Required
The attacker must be positioned on the network path between the victim's host and the SSH server to intercept and manipulate the connection.
- Authentication: Not required
No credentials or account are required; the attacker needs only a suitable network position.
- Victim interaction: Required
The victim must initiate an SSH-based action through the Canon EOS Network Setting Tool, such as connecting to or transferring files with a remote host.
- Attack complexity: Low
The published vector rates attack complexity as low with no attack requirements (AC:L, AT:N): once the attacker holds the network position, the exploit is reliable and depends on no race conditions or other environmental preconditions.
Blast Radius
- An attacker intercepts SSH session traffic and reads confidential data exchanged between the Canon EOS Network Setting Tool and the remote SSH server, such as camera configuration data, credentials passed over the session, or transferred files.
- Because host key validation is bypassed, the attacker can silently impersonate the target SSH server for the duration of any session the victim initiates.
- Because the client cannot confirm the identity of the remote server, every tool-initiated SSH session is open to interception for the session's lifetime. The published CVSS vector scores the impact as confidentiality only (VC:H, VI:N, VA:N).
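What "proper validation of SSH host keys" means in practice, as an added example that is neither Canon's code nor HarborGuard's: a stdlib-only Python verifier that checks the key a server presents against an OpenSSH known_hosts file (plain and hashed `|1|` entries, `@revoked` markers, non-default ports) and fails closed whenever a known host presents a different key, which is the MITM case the advisory describes. The host names, the HMAC salt and the key blobs are constructed placeholders, not real SSH keys, and the `accept_any_host_key` policy is included only to show the behaviour class the CVE describes, not Canon's actual implementation.

```python
"""Host-key check an SSH client must perform before trusting a session.
Added example; not the Canon tool's code. Standard library only."""
import base64
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    OK = "presented key matches a known_hosts entry"
    UNKNOWN = "host not in known_hosts: ask the user, never accept silently"
    MISMATCH = "known host presented a different key: possible MITM, abort"
    REVOKED = "presented key is marked @revoked: abort"


def host_pattern_matches(pattern: str, name: str) -> bool:
    """Match one known_hosts host field against a connection name.

    Plain names compare literally. '|1|salt|digest' fields (HashKnownHosts)
    store HMAC-SHA1(salt, name) so the file does not reveal the host list.
    """
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = pattern.split("|")
        digest = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(digest, base64.b64decode(digest_b64))
    return pattern == name


def hashed_host_field(name: str, salt: bytes) -> str:
    """Build the '|1|...' host field OpenSSH writes with HashKnownHosts yes."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def parse_known_hosts(text: str):
    """Yield (marker, host_patterns, key_type, key_bytes) for each usable line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):  # @revoked or @cert-authority
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue  # malformed line: ignored, never trusted
        yield marker, fields[0].split(","), fields[1], base64.b64decode(fields[2])


def verify_host_key(known_hosts: str, host: str, port: int, key_type: str, key: bytes) -> Verdict:
    """The check the advisory says the tool skips: compare the server's key with
    the key stored for that host and fail closed on any disagreement."""
    name = host if port == 22 else "[%s]:%d" % (host, port)
    matched_host = ok = revoked = False
    for marker, patterns, ktype, stored in parse_known_hosts(known_hosts):
        if marker == "@cert-authority":
            continue  # CA lines certify host certificates, not raw keys; out of scope
        if ktype != key_type or not any(host_pattern_matches(p, name) for p in patterns):
            continue  # a stored key of another type says nothing about this one
        matched_host = True
        if hmac.compare_digest(stored, key):
            if marker == "@revoked":
                revoked = True
            else:
                ok = True
    if revoked:
        return Verdict.REVOKED
    if ok:
        return Verdict.OK
    return Verdict.MISMATCH if matched_host else Verdict.UNKNOWN


def accept_any_host_key(*_ignored) -> Verdict:
    """The vulnerable policy class: every presented key is accepted, so an
    on-path attacker's key is indistinguishable from the real server's."""
    return Verdict.OK


# Constructed sample data: placeholder blobs, not real SSH keys.
KEY_REAL = b"placeholder-key-of-camera-gateway"
KEY_IMPOSTOR = b"placeholder-key-of-an-impostor"
KEY_OLD = b"placeholder-key-rotated-out"
SALT = b"0123456789abcdef0123"  # OpenSSH uses a random 20-byte salt per line


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for this example",
    "gateway.example.com,10.0.0.5 ssh-ed25519 " + _b64(KEY_REAL),
    "@revoked gateway.example.com ssh-ed25519 " + _b64(KEY_OLD),
    hashed_host_field("[ftp.example.com]:2222", SALT) + " ssh-ed25519 " + _b64(KEY_REAL),
])

if __name__ == "__main__":
    for host, port, key in [("gateway.example.com", 22, KEY_REAL), ("10.0.0.5", 22, KEY_IMPOSTOR),
                            ("gateway.example.com", 22, KEY_OLD), ("ftp.example.com", 2222, KEY_REAL),
                            ("new.example.com", 22, KEY_REAL)]:
        print(host, port, verify_host_key(SAMPLE_KNOWN_HOSTS, host, port, "ssh-ed25519", key).name,
              "vs insecure:", accept_any_host_key().name)
```

The decisive cases are the second and third: a host that is already known answering with a different key must abort the connection rather than prompt, because at that point the peer is either a reinstalled server or an attacker on the path, and only the user, out of band, can tell which. The `UNKNOWN` verdict is where a trust-on-first-use prompt belongs; an on-path attacker still wins that first connection, which is why pre-provisioning known_hosts entries for the camera gateway is the stronger deployment.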
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively tracked against all customer images that include the Canon EOS Network Setting Tool, with no manual configuration required. Because no fix version has been published by Canon as of the CVE record date, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically once an upstream fix appears. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy isolation that restricts which hosts the tool is permitted to reach over SSH, egress filtering to limit SSH destinations to known-good server IP ranges, and avoiding use of the tool over untrusted networks such as public Wi-Fi or shared VPN segments until a vendor patch is available.
Affected Products
- Canon Inc. / EOS Network Setting Tool for Windows: 1.5.0 or earlier
- Canon Inc. / EOS Network Setting Tool for macOS: 1.5.0 or earlier
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N