JVNVU#93543156
Epson Web Installer for Mac vulnerable to missing authentication for critical function
Overview
Epson Web Installer for Mac provided by SEIKO EPSON CORPORATION contains a missing authentication for critical function vulnerability.
Products Affected
A wide range of products are affected.
As for the details, refer to the information provided by the developer.
Description
Epson Web Installer for Mac provided by SEIKO EPSON CORPORATION is used to install drivers for SEIKO EPSON's products. It contains a "helper tool", which it launches during execution.
The "helper tool" contains the following vulnerability.
- Missing authentication for critical function (CWE-306)
- CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.4
- CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
- CVE-2025-4960
- The vulnerability is exploitable only while the "helper tool" is running.
Impact
If a user is directed to execute a crafted file, arbitrary information may be retrieved and/or altered, or a DoS condition may be caused on the Mac system where Epson Web Installer for Mac is running.
Solution
The "helper tool" was fixed by the developer on June 23, 2025.
When Epson Web Installer for Mac is executed, it checks for an updated version and downloads it if available. Moreover, the "helper tool" is automatically deleted after execution.
Therefore, users do not need to take any action to address the vulnerability.
Vendor Status
Vendor | Link |
SEIKO EPSON CORPORATION | Security Vulnerability when installing drivers/software using the Mac version of Epson Web Installer and epson.sn (Text in Japanese) |
Credit
Carlos Garrido of Pentraze Cybersecurity reported this vulnerability to SEIKO EPSON CORPORATION and coordinated. After the coordination was completed, SEIKO EPSON CORPORATION reported the case to JPCERT/CC to notify users of the solution through JVN.