Published: 2025/07/07  Last Updated: 2025/07/07

JVNVU#93543156
Epson Web Installer for Mac vulnerable to missing authentication for critical function

Overview

Epson Web Installer for Mac provided by SEIKO EPSON CORPORATION contains a missing authentication for critical function vulnerability.

Products Affected

A wide range of products are affected.
For details, refer to the information provided by the developer.

Description

Epson Web Installer for Mac provided by SEIKO EPSON CORPORATION is used to install drivers for SEIKO EPSON's products. It includes a "helper tool", which it launches during execution.
The "helper tool" contains the following vulnerability.

  • Missing authentication for critical function (CWE-306)
    • CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.4
    • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
    • CVE-2025-4960
    • This is exploitable only while "helper tool" is running.

Impact

If a user is directed to execute a crafted file, arbitrary information may be retrieved and/or altered, or a DoS condition may be caused on the Mac system where Epson Web Installer for Mac is running.

Solution

The developer fixed the "helper tool" on June 23, 2025.

When Epson Web Installer for Mac is executed, it checks for an updated version and downloads it if one is available. Moreover, the "helper tool" is automatically deleted after execution.
Therefore, users do not need to take any action to address the vulnerability.

Credit

Carlos Garrido of Pentraze Cybersecurity reported this vulnerability to SEIKO EPSON CORPORATION and coordinated. After the coordination was completed, SEIKO EPSON CORPORATION reported the case to JPCERT/CC to notify users of the solution through JVN.
