Critical Canon MailSuite Vulnerability Enables Remote Code Execution Attacks
Canon Marketing Japan has disclosed a critical vulnerability in GUARDIANWALL MailSuite that can let remote attackers execute arbitrary code on affected systems.
The flaw, tracked as CVE-2026-32661 and JVN#35567473, affects GUARDIANWALL MailSuite on-premises versions 1.4.00 through 2.4.26. JPCERT/CC says attacks exploiting the vulnerability have already been observed against on-premises deployments.
The issue affects the product’s web service when the system runs the pop3wallpasswd command with grdnwww user privileges. Administrators should apply Canon’s patch immediately or restrict the management interface until they can complete remediation.
What is the Canon MailSuite vulnerability?
The vulnerability comes from a stack-based buffer overflow in the pop3wallpasswd command inside GUARDIANWALL MailSuite. A buffer overflow happens when software writes more data to memory than the allocated space can safely hold.
An attacker can send a specially crafted request to the affected product’s web service. If the system uses the vulnerable configuration, the request can trigger memory corruption and allow arbitrary code execution.
JVN rates the flaw as critical with a CVSS v3.0 score of 9.8. The advisory also lists a CVSS v4.0 score of 9.3, which still places the issue in the critical range.
| Item | Details |
|---|---|
| Vulnerability ID | CVE-2026-32661, JVN#35567473 |
| Product | GUARDIANWALL MailSuite |
| Vendor | Canon Marketing Japan Inc. |
| Vulnerability type | Stack-based buffer overflow |
| Affected command | pop3wallpasswd |
| Impact | Remote arbitrary code execution |
| Severity | Critical |
Affected Canon GUARDIANWALL versions
The affected on-premises versions include GUARDIANWALL MailSuite Ver. 1.4.00 through Ver. 2.4.26. Canon says versions earlier than 1.4.00 do not face this specific issue.
Legacy GUARDIANWALL versions 7.x and 8.x also do not fall under this advisory. However, administrators should still check their support status and review other product-specific security guidance.
GUARDIANWALL Mail Security Cloud, the SaaS version, also had exposure before Canon’s April 30, 2026 maintenance. Canon says that cloud service received remediation during that maintenance window.
| Product or version | Status |
|---|---|
| GUARDIANWALL MailSuite Ver. 1.4.00 to Ver. 2.4.26 | Affected |
| GUARDIANWALL MailSuite earlier than Ver. 1.4.00 | Not affected by this flaw |
| Legacy GUARDIANWALL Ver. 7.x and 8.x | Not affected by this flaw |
| GUARDIANWALL Mail Security Cloud before April 30, 2026 maintenance | Previously affected |
| GUARDIANWALL Mail Security Cloud after April 30, 2026 maintenance | Fixed |
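An added example, not taken from Canon's or JPCERT/CC's advisory: a Python triage helper that classifies recorded version strings against the range in the table above and ranks hosts by whether the management interface faces external networks. The host names, status labels, priority numbers and inventory format are assumptions constructed for illustration.

```python
import re

# Affected on-premises range from the advisory, inclusive at both ends.
AFFECTED_MIN, AFFECTED_MAX = (1, 4, 0), (2, 4, 26)
# Accepts "Ver. 2.4.26", "ver 1.4.00", "2.4.7" and wildcard forms such as "8.x".
_VERSION_RE = re.compile(r"^(?:ver\.?)?\s*(\d+)\.(\d+|x)(?:\.(\d+|x))?$", re.IGNORECASE)

# Constructed sample: (host, recorded version, management interface externally reachable)
SAMPLE_INVENTORY = [
    ("mailgw-01", "Ver. 2.4.26", True),
    ("mailgw-02", "1.4.00", False),
    ("mailgw-03", "Ver. 1.3.9", False),
    ("mailgw-04", "8.x", False),
    ("mailgw-05", "build-unknown", True),
]

def parse_version(text):
    """Return [major, minor, patch], with None for a missing or wildcard part."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None  # not a recognisable version string
    return [int(p) if p and p.isdigit() else None for p in m.groups()]

def classify(version_text):
    """Map a recorded version string to a status from the advisory's table."""
    parts = parse_version(version_text)
    if parts is None:
        return "unknown"
    if parts[0] in (7, 8):
        return "legacy-not-affected"   # legacy GUARDIANWALL Ver. 7.x / 8.x
    if None in parts:
        return "unknown"               # e.g. "2.x" cannot be placed in the range
    version = tuple(parts)
    if version < AFFECTED_MIN:
        return "not-affected"          # earlier than Ver. 1.4.00
    if version <= AFFECTED_MAX:
        return "affected"
    return "outside-listed-range"      # above 2.4.26: confirm patch status

def triage(inventory):
    """Return (host, status, priority) rows; affected and externally reachable first."""
    rows = []
    for host, version_text, mgmt_external in inventory:
        status = classify(version_text)
        priority = {"affected": 1 if mgmt_external else 2, "unknown": 3}.get(status, 4)
        rows.append((host, status, priority))
    return sorted(rows, key=lambda row: (row[2], row[0]))

if __name__ == "__main__":
    print(*triage(SAMPLE_INVENTORY), sep="\n")
```

Hosts that come back as "unknown" or "outside-listed-range" still need their patch status confirmed with Canon support, since the page lists only the affected range.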
Why CVE-2026-32661 is dangerous
Email security gateways sit close to sensitive corporate communication. A remote code execution flaw in this layer can create serious risk for organizations that expose administrative services or run vulnerable configurations.
JPCERT/CC says attackers can exploit the vulnerability without authentication by sending a crafted request to the product’s web service. That makes patching urgent for any exposed deployment.
The risk becomes higher because exploitation has already been observed in the wild against GUARDIANWALL MailSuite on-premises systems. Security teams should treat affected environments as high-priority assets and investigate for possible compromise.
How attackers can exploit the flaw
The vulnerable condition exists when the product can run pop3wallpasswd with grdnwww user privileges. In that setup, a malicious request to the web service can trigger the buffer overflow.
Successful exploitation can let attackers execute code in the affected service context. From there, attackers may attempt further movement, data access, or persistence depending on the server’s exposure and internal controls.
Canon says attackers cannot exploit the flaw remotely if the affected product’s management interface does not face external networks. The company also says IP-based access restrictions can reduce risk when immediate patching cannot happen.
- Review whether GUARDIANWALL MailSuite runs an affected version.
- Check whether the management interface faces external networks.
- Restrict access to trusted IP addresses where possible.
- Preserve logs for investigation if the service had exposure.
- Apply Canon’s remediation patch as soon as possible.
Patch and mitigation steps for administrators
Canon has provided remediation patches and instructions to contracted users through support channels. Administrators should follow the vendor’s instructions and complete patch deployment before restoring normal management access.
If teams cannot apply the patch immediately, Canon recommends stopping the GUARDIANWALL MailSuite management screen on the WGW worker server. This workaround can reduce exposure, but it can also disrupt administrative operations.
Canon lists the following command to stop the management process on the WGW worker server:
/etc/init.d/grdn-wgw-work stop
After administrators apply the official patch and complete checks, they can restart the management process with this command:
/etc/init.d/grdn-wgw-work start
Recommended response for security teams
Organizations using affected GUARDIANWALL MailSuite versions should not treat this as a routine update. The public advisory confirms active exploitation, so administrators should combine patching with investigation.
Teams should first identify all affected servers, confirm exposure, and collect relevant logs before making changes that could erase useful evidence. They should then patch, restrict management access, and review authentication and network logs for suspicious activity.
Security teams should also contact Canon’s product support desk if they need help confirming whether their environment has the vulnerable configuration.
- Identify all GUARDIANWALL MailSuite deployments.
- Check version numbers and confirm whether they fall between 1.4.00 and 2.4.26.
- Determine whether the management interface has external exposure.
- Apply Canon’s remediation patch from official support channels.
- Use the temporary workaround if patching cannot happen immediately.
- Restrict management access by IP address wherever possible.
- Preserve and review web service, system, and access logs.
- Look for signs of unauthorized code execution or abnormal process activity.
- Contact Canon support to confirm impact and patch status.
FAQ
CVE-2026-32661 is a critical stack-based buffer overflow vulnerability in GUARDIANWALL MailSuite. It can allow remote attackers to execute arbitrary code through a specially crafted request to the product’s web service.
GUARDIANWALL MailSuite Ver. 1.4.00 through Ver. 2.4.26 are affected. Versions earlier than 1.4.00 and legacy GUARDIANWALL Ver. 7.x and 8.x are not affected by this specific flaw.
Yes. Canon says GUARDIANWALL Mail Security Cloud, the SaaS version, received remediation during maintenance performed on April 30, 2026.
Administrators should apply Canon’s remediation patch, restrict access to the management interface, preserve logs, investigate for compromise, and use Canon’s temporary workaround if they cannot patch immediately.