CVE-2025-42598 - How EPSON Printer Drivers for Windows Can Lead to SYSTEM Privilege Escalation

---

Summary

A newly discovered vulnerability—CVE-2025-42598—has drawn attention to SEIKO EPSON printers. If you have installed EPSON printer drivers on a Windows computer, especially with a language setting other than English, this affects you. This flaw allows an attacker to place a malicious DLL file where the driver looks for it, resulting in arbitrary code execution with SYSTEM privilege. In simple words: An attacker can take control of your PC, with the highest level of privileges.

In this article, we’ll break down what this means, how the exploit works, and what you can do to protect yourself.

What’s the Problem?

Thanks to improperly set permissions, certain folders and files associated with EPSON printer drivers are not secure if Windows is set to a non-English language (such as German, French, Spanish, Japanese, etc). This means a normal user—or malware—can drop a custom DLL file into these folders.

If the EPSON driver loads that DLL (thinking it’s a legitimate part of Windows or the driver), it runs with SYSTEM privileges. That’s as high as it gets on Windows.

> Official Advisory:
> NVD - CVE-2025-42598
> (Links will be updated as vendors post more details.)

The cluster of vulnerable EPSON drivers install files to directories, such as

C:\Program Files\EPSON\...
C:\Windows\System32\spool\drivers\x64\3\

If your Windows is in a non-English language, these folders may have looser access permissions.

The exploit path

1. Attacker convinces local user to write a malicious DLL to one of these vulnerable folders (could even use malware to do it).

The EPSON driver or its associated services, running as SYSTEM, load the DLL.

3. The malicious code inside the DLL is executed as SYSTEM, giving an attacker full control over the computer.

The risky DLL loading often happens during startup, printer operations, or when opening the EPSON settings utility.

Example: Proof of Concept (PoC) Exploit

Here's a simple PoC to demonstrate exploitability. Do NOT run this on a production system.

Malicious DLL code (C++)

// dllmain.cpp : Defines the entry point for the DLL application.
#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    switch (fdwReason) {
        case DLL_PROCESS_ATTACH:
            MessageBoxA(NULL, "Exploit DLL executed with SYSTEM privilege!", "Exploit", MB_OK);
            // Insert payload here (e.g. create user, reverse shell, etc.)
            break;
    }
    return TRUE;
}

Restart the spooler service (net stop spooler && net start spooler) or reboot.

4. Driver/service loads the DLL and displays SYSTEM-privilege message box.

Why Only Non-English Windows?

The installer logic for EPSON’s drivers is language-dependent. For non-English languages, the directories may be created with "Everyone: Full Control" or similarly dangerous settings instead of restricting them to administrators or SYSTEM. This problem relates to how the Windows Installer language transforms folder and file permissions during package installation.

How To Protect Yourself

1. Update Your Drivers: EPSON is expected to release new drivers sealing the permissions holes. Always download the latest drivers from official EPSON support.

Check Folder Permissions:

Right-click on the driver folders, go to "Properties" > "Security". Remove "Everyone" write permission if present.
3. Restrict Access: Only administrators and SYSTEM should have write permissions to the driver directories.
4. Monitor for Suspicious DLLs: If any non-EPSON DLLs appear in driver folders, investigate immediately.
5. Apply Windows Updates: Security updates may help prevent attackers from leveraging SYSTEM privilege.

Developer Tip: How to List Insecure Folders

You can run this PowerShell command to quickly check for writable directories in the print driver folders:

Get-Acl "C:\Windows\System32\spool\drivers\x64\3" | Format-List

Look for entries like Everyone with WriteData or FullControl. Remove these permissions.

References & Further Reading

- EPSON Security Advisory (Pending)
- NIST NVD - CVE-2025-42598
- DLL Hijacking & Printer Vulnerabilities - Writeup
- Windows Print Spooler Vulnerabilities (CISA)

Conclusion

CVE-2025-42598 is a stark reminder that even "regular" software like printer drivers can pose huge risks. If you use EPSON printers on a non-English Windows, check for and apply driver updates as soon as possible. Protect your system by correcting folder permissions and monitoring for unusual files. Stay safe and keep your software up to date!

Timeline

Published on: 04/28/2025 09:15:21 UTC
Last modified on: 04/29/2025 13:52:10 UTC