In a significant security disclosure, JPCERT/CC has issued an advisory regarding a critical stack-based buffer overflow vulnerability in GUARDIANWALL MailSuite, a mail security solution provided by Canon Marketing Japan Inc. This flaw is not just a theoretical risk; the developer has confirmed that “attacks exploiting the vulnerability has been observed in GUARDIANWALL MailSuite (On-premises version)”.
Carrying a maximum-severity CVSS score of 9.8, this vulnerability represents a “code red” for organizations utilizing affected versions of the software.
The vulnerability, tracked as CVE-2026-32661, is a stack-based buffer overflow (CWE-121) in the pop3wallpasswd command. A remote, unauthenticated attacker can trigger it by sending a specially crafted request to the product’s web service.
The technical requirement for exploitation is specific: “This can be exploited only when the product is configured to run pop3wallpasswd with grdnwww user privilege”. If these conditions are met, the impact is severe, potentially allowing for arbitrary code execution on the target system.
The vulnerability spans both on-premises and cloud-based deployments of the GUARDIANWALL ecosystem:
- GUARDIANWALL MailSuite (On-premises version): All versions from Ver 1.4.00 to Ver 2.4.26 are impacted.
- GUARDIANWALL Mail Security Cloud (SaaS version): Versions deployed before the April 30, 2026 maintenance cycle were vulnerable.
Given that this flaw is currently being exploited in the wild, immediate action is paramount.
The developer has provided patches to resolve the issue. For SaaS customers, the fix was automatically applied during the April 30 update. On-premises administrators are urged to apply all the patches provided by the developer without delay.
If an immediate patch is not possible, a temporary defensive measure can be taken. You can avoid the impact by disabling the GUARDIANWALL MailSuite administration screen.
To implement this, execute the following on the work server (WGW worker):
- Stop the process: # /etc/init.d/grdn-wgw-work stop
The vendor notes that “this workaround will have a significant impact on operations”. Priority should always be given to applying the official file-replacement patches to maintain full functionality while securing the environment.