Refine your search
43 vulnerabilities found for by Vasion
CVE-2025-34210 (GCVE-0-2025-34210)
Vulnerability from cvelistv5
Published
2025-10-02 16:13
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-256 - Plaintext Storage of a Password
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) store a large number of sensitive credentials (database passwords, MySQL root password, SaaS keys, Portainer admin password, etc.) in cleartext files that are world-readable. Any local user - or any process that can read the host filesystem - can retrieve all of these secrets in plain text, leading to credential theft and full compromise of the appliance. The vendor does not consider this to be a security vulnerability as this product "follows a shared responsibility model, where administrators are expected to configure persistent storage encryption."
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34210",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T17:35:18.884222Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T17:38:45.120Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-readable-passwords"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"/etc/printercloud/network.env",
"/etc/printercloud/appliance.env",
"/etc/printercloud/previous-db-password.txt",
"/var/www/efs_storage/secrets.env",
"/var/lib/docker/swarm/worker/tasks.db"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"status": "affected",
"version": "*"
}
]
},
{
"defaultStatus": "unknown",
"modules": [
"/etc/printercloud/network.env",
"/etc/printercloud/appliance.env",
"/etc/printercloud/previous-db-password.txt",
"/var/www/efs_storage/secrets.env",
"/var/lib/docker/swarm/worker/tasks.db"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) store a large number of sensitive credentials (database passwords, MySQL root password, SaaS keys, Portainer admin password, etc.) in cleartext files that are world-readable. Any local user - or any process that can read the host filesystem - can retrieve all of these secrets in plain text, leading to credential theft and full compromise of the appliance. The vendor does not consider this to be a security vulnerability as this product \"follows a shared responsibility model, where administrators are expected to configure persistent storage encryption.\"\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) store a large number of sensitive credentials (database passwords, MySQL root password, SaaS keys, Portainer admin password, etc.) in cleartext files that are world-readable. Any local user - or any process that can read the host filesystem - can retrieve all of these secrets in plain text, leading to credential theft and full compromise of the appliance. The vendor does not consider this to be a security vulnerability as this product \"follows a shared responsibility model, where administrators are expected to configure persistent storage encryption.\""
}
],
"impacts": [
{
"capecId": "CAPEC-555",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-555 Remote Services with Stolen Credentials"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "CWE-256: Plaintext Storage of a Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:34.684Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-readable-passwords"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-readble-cleartext-passwords"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Readable Cleartext Passwords",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34210",
"datePublished": "2025-10-02T16:13:28.964Z",
"dateReserved": "2025-04-15T19:15:22.571Z",
"dateUpdated": "2025-11-17T23:56:34.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34208 (GCVE-0-2025-34208)
Vulnerability from cvelistv5
Published
2025-10-02 16:13
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) store user passwords using unsalted SHA-512 hashes with a fall-back to unsalted SHA-1. The hashing is performed via PHP's `hash()` function in multiple files (server_write_requests_users.php, update_database.php, legacy/Login.php, tests/Unit/Api/IdpControllerTest.php). No per-user salt is used and the fast hash algorithms are unsuitable for password storage. An attacker who obtains the password database can recover cleartext passwords via offline dictionary or rainbow table attacks. The vulnerable code also contains logic that migrates legacy SHA-1 hashes to SHA-512 on login, further exposing users still on the old hash. This vulnerability was partially resolved, but still present within the legacy authentication platform.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34208",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T17:14:52.780247Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T17:37:25.234Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-incorrect-encryption-algorithms-password"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"/var/www/app/admin/query/server_write_requests_users.php",
"/var/www/app/admin/query/update_database.php",
"/var/www/app/legacy/Login.php",
"/var/www/app/tests/Unit/Api/IdP/IdpControllerTest.php"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"status": "affected",
"version": "*"
}
]
},
{
"defaultStatus": "unknown",
"modules": [
"/var/www/app/admin/query/server_write_requests_users.php",
"/var/www/app/admin/query/update_database.php",
"/var/www/app/legacy/Login.php",
"/var/www/app/tests/Unit/Api/IdP/IdpControllerTest.php"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) store user passwords using unsalted SHA-512 hashes with a fall-back to unsalted SHA-1. The hashing is performed via PHP\u0027s `hash()` function in multiple files (server_write_requests_users.php, update_database.php, legacy/Login.php, tests/Unit/Api/IdpControllerTest.php). No per-user salt is used and the fast hash algorithms are unsuitable for password storage. An attacker who obtains the password database can recover cleartext passwords via offline dictionary or rainbow table attacks. The vulnerable code also contains logic that migrates legacy SHA-1 hashes to SHA-512 on login, further exposing users still on the old hash. This vulnerability was partially resolved, but still present within the legacy authentication platform.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) store user passwords using unsalted SHA-512 hashes with a fall-back to unsalted SHA-1. The hashing is performed via PHP\u0027s `hash()` function in multiple files (server_write_requests_users.php, update_database.php, legacy/Login.php, tests/Unit/Api/IdpControllerTest.php). No per-user salt is used and the fast hash algorithms are unsuitable for password storage. An attacker who obtains the password database can recover cleartext passwords via offline dictionary or rainbow table attacks. The vulnerable code also contains logic that migrates legacy SHA-1 hashes to SHA-512 on login, further exposing users still on the old hash. This vulnerability was partially resolved, but still present within the legacy authentication platform."
}
],
"impacts": [
{
"capecId": "CAPEC-16",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-16 Dictionary-based Password Attack"
}
]
},
{
"capecId": "CAPEC-55",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-55 Rainbow Table Password Cracking"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-759",
"description": "CWE-759 Use of a One-Way Hash without a Salt",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:34.293Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-incorrect-encryption-algorithms-password"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-insecure-password-hashing"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Insecure Password Hashing",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34208",
"datePublished": "2025-10-02T16:13:06.735Z",
"dateReserved": "2025-04-15T19:15:22.571Z",
"dateUpdated": "2025-11-17T23:56:34.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34217 (GCVE-0-2025-34217)
Vulnerability from cvelistv5
Published
2025-09-30 13:03
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) contain an undocumented 'printerlogic' user with a hardcoded SSH public key in '~/.ssh/authorized_keys' and a sudoers rule granting the printerlogic_ssh group 'NOPASSWD: ALL'. Possession of the matching private key gives an attacker root access to the appliance.
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34217",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T13:32:14.456232Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T13:41:52.928Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-undocumented-hardcoded-ssh-key"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"~/.ssh/authorized_keys"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unknown",
"modules": [
"~/.ssh/authorized_keys"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) contain an undocumented \u0027printerlogic\u0027 user with a hardcoded SSH public key in \u0027~/.ssh/authorized_keys\u0027 and a sudoers rule granting the printerlogic_ssh group \u0027NOPASSWD: ALL\u0027. Possession of the matching private key gives an attacker root access to the appliance.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) contain an undocumented \u0027printerlogic\u0027 user with a hardcoded SSH public key in \u0027~/.ssh/authorized_keys\u0027 and a sudoers rule granting the printerlogic_ssh group \u0027NOPASSWD: ALL\u0027. Possession of the matching private key gives an attacker root access to the appliance."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:35.568Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-undocumented-hardcoded-ssh-key"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-incorrect-encryption-algorithms-used-to-store-passwords"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Undocumented Hardcoded SSH Key",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34217",
"datePublished": "2025-09-30T13:03:05.213Z",
"dateReserved": "2025-04-15T19:15:22.573Z",
"dateUpdated": "2025-11-17T23:56:35.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34235 (GCVE-0-2025-34235)
Vulnerability from cvelistv5
Published
2025-09-29 20:44
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-295 - Improper Certificate Validation
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (Windows client deployments) contain a registry key that can be enabled by administrators, causing the client to skip SSL/TLS certificate validation. An attacker who can intercept HTTPS traffic can then inject malicious driver DLLs, resulting in remote code execution with SYSTEM privileges; a local attacker can achieve local privilege escalation via a junction‑point DLL injection. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34235",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T15:04:44.186500Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T15:04:58.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#win-lpe-04"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"HKLM\\SOFTWARE\\PrinterLogic\\PrinterInstaller\\Overrides\\IgnoreCertificateFailures"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.102",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"HKLM\\SOFTWARE\\PrinterLogic\\PrinterInstaller\\Overrides\\IgnoreCertificateFailures"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.1413",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.1413",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (Windows client deployments) contain a registry key that can be enabled by administrators, causing the client to skip SSL/TLS certificate validation. An attacker who can intercept HTTPS traffic can then inject malicious driver DLLs, resulting in remote code execution with SYSTEM privileges; a local attacker can achieve local privilege escalation via a junction\u2011point DLL injection.\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003eThis vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (Windows client deployments) contain a registry key that can be enabled by administrators, causing the client to skip SSL/TLS certificate validation. An attacker who can intercept HTTPS traffic can then inject malicious driver DLLs, resulting in remote code execution with SYSTEM privileges; a local attacker can achieve local privilege escalation via a junction\u2011point DLL injection.\u00a0This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced."
}
],
"impacts": [
{
"capecId": "CAPEC-217",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-217 Exploiting Incorrectly Configured SSL/TLS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:38.182Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#win-lpe-04"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-weak-ssl-tls-certificate-validation-rce"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Weak SSL/TLS Certificate Validation RCE",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34235",
"datePublished": "2025-09-29T20:44:01.002Z",
"dateReserved": "2025-04-15T19:15:22.575Z",
"dateUpdated": "2025-11-17T23:56:38.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34221 (GCVE-0-2025-34221)
Vulnerability from cvelistv5
Published
2025-09-29 20:43
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-306 - Missing Authentication for Critical Function
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 25.2.1518 (VA/SaaS deployments) expose every internal Docker container to the network because firewall rules allow unrestricted traffic to the Docker bridge network. Because no authentication, ACL or client‑side identifier is required, the attacker can interact with any internal API, bypassing the product’s authentication mechanisms entirely. The result is unauthenticated remote access to internal services, allowing credential theft, configuration manipulation and potential remote code execution. This vulnerability has been identified by the vendor as: V-2025-002 — Authentication Bypass - Docker Instances.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34221",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T15:13:23.310817Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T15:13:36.287Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-auth-bypass"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Underlying Docker bridge network (172.17.0.0/16)"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.2.169",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"Underlying Docker bridge network (172.17.0.0/16)"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.2.1518",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.2.169",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.2.1518",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169\u0026nbsp;and Application prior to version 25.2.1518\u0026nbsp;(VA/SaaS deployments)\u0026nbsp;expose every internal Docker container to the network because firewall rules allow unrestricted traffic to the Docker bridge network.\u0026nbsp;Because no authentication, ACL or client\u2011side identifier\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;is required, the attacker can interact with any internal API, bypassing the product\u2019s authentication mechanisms entirely.\u0026nbsp;The result is unauthenticated remote access to internal services, allowing credential theft, configuration manipulation and potential remote code execution.\u0026nbsp;\u003c/span\u003eThis vulnerability has been identified by the vendor as: V-2025-002 \u2014 Authentication Bypass - Docker Instances.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169\u00a0and Application prior to version 25.2.1518\u00a0(VA/SaaS deployments)\u00a0expose every internal Docker container to the network because firewall rules allow unrestricted traffic to the Docker bridge network.\u00a0Because no authentication, ACL or client\u2011side identifier\u00a0is required, the attacker can interact with any internal API, bypassing the product\u2019s authentication mechanisms entirely.\u00a0The result is unauthenticated remote access to internal services, allowing credential theft, configuration manipulation and potential remote code execution.\u00a0This vulnerability has been identified by the vendor as: V-2025-002 \u2014 Authentication Bypass - Docker Instances."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:36.076Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-auth-bypass"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-unrestriced-access-to-docker-bridge-network"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic)",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34221",
"datePublished": "2025-09-29T20:43:36.637Z",
"dateReserved": "2025-04-15T19:15:22.574Z",
"dateUpdated": "2025-11-17T23:56:36.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34215 (GCVE-0-2025-34215)
Vulnerability from cvelistv5
Published
2025-09-29 20:43
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1026 and Application prior to version 20.0.2702 (only VA deployments) expose an unauthenticated firmware-upload flow: a public page returns a signed token usable at va-api/v1/update, and every Docker image contains the appliance’s private GPG key and hard-coded passphrase. An attacker who extracts the key and obtains a token can decrypt, modify, re-sign, upload, and trigger malicious firmware, gaining remote code execution. This vulnerability has been identified by the vendor as: V-2024-020 — Remote Code Execution.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34215",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T15:13:51.289719Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T15:19:34.437Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-rce-02"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/admin/design/management_accountts_pcabout.php",
"/va\u2011api/v1/update",
"private key embedded in the appliance"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "22.0.1026",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"/admin/design/management_accountts_pcabout.php",
"/va\u2011api/v1/update",
"private key embedded in the appliance"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "20.0.2702",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "22.0.1026",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20.0.2702",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version \u003cspan style=\"background-color: rgb(245, 244, 247);\"\u003e22.0.1026\u003c/span\u003e and Application prior to version \u003cspan style=\"background-color: rgb(245, 244, 247);\"\u003e20.0.2702\u003c/span\u003e (only VA deployments) expose an unauthenticated firmware-upload flow: a public page returns a signed token usable at va-api/v1/update, and every Docker image contains the appliance\u2019s private GPG key and hard-coded passphrase. An attacker who extracts the key and obtains a token can decrypt, modify, re-sign, upload, and trigger malicious firmware, gaining remote code execution.\u0026nbsp;This vulnerability has been identified by the vendor as: V-2024-020 \u2014 Remote Code Execution.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1026 and Application prior to version 20.0.2702 (only VA deployments) expose an unauthenticated firmware-upload flow: a public page returns a signed token usable at va-api/v1/update, and every Docker image contains the appliance\u2019s private GPG key and hard-coded passphrase. An attacker who extracts the key and obtains a token can decrypt, modify, re-sign, upload, and trigger malicious firmware, gaining remote code execution.\u00a0This vulnerability has been identified by the vendor as: V-2024-020 \u2014 Remote Code Execution."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
},
{
"capecId": "CAPEC-186",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-186 Malicious Software Update"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:35.197Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-rce-02"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-unauth-firmware-update-endpoint-rce"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Unauthenticated Firmware Update Endpoint RCE",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34215",
"datePublished": "2025-09-29T20:43:12.104Z",
"dateReserved": "2025-04-15T19:15:22.572Z",
"dateUpdated": "2025-11-17T23:56:35.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34224 (GCVE-0-2025-34224)
Vulnerability from cvelistv5
Published
2025-09-29 20:42
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-306 - Missing Authentication for Critical Function
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) expose a set of PHP scripts under the `console_release` directory without requiring authentication. An unauthenticated remote attacker can invoke these endpoints to re‑configure networked printers, add or delete RFID badge devices, or otherwise modify device settings. This vulnerability has been identified by the vendor as: V-2024-029 — No Authentication to Modify Devices.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34224",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T15:20:03.213544Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T15:20:19.336Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-lack-of-auth-manage-printers"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"console_release directory"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "22.0.1049",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"console_release directory"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "20.0.2786",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "22.0.1049",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20.0.2786",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049\u0026nbsp;and Application prior to version 20.0.2786\u0026nbsp;(VA/SaaS deployments) expose\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;a set of PHP scripts under the `console_release` directory without requiring authentication. An unauthenticated remote attacker can invoke these endpoints to re\u2011configure networked printers, add or delete RFID badge devices, or otherwise modify device settings.\u0026nbsp;\u003c/span\u003eThis vulnerability has been identified by the vendor as: V-2024-029 \u2014 No Authentication to Modify Devices.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049\u00a0and Application prior to version 20.0.2786\u00a0(VA/SaaS deployments) expose\u00a0a set of PHP scripts under the `console_release` directory without requiring authentication. An unauthenticated remote attacker can invoke these endpoints to re\u2011configure networked printers, add or delete RFID badge devices, or otherwise modify device settings.\u00a0This vulnerability has been identified by the vendor as: V-2024-029 \u2014 No Authentication to Modify Devices."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
},
{
"capecId": "CAPEC-551",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-551 Modify Existing Service"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:36.592Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-lack-of-auth-manage-printers"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-unauth-device-modification"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Unauthenticated Device Modification",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34224",
"datePublished": "2025-09-29T20:42:51.341Z",
"dateReserved": "2025-04-15T19:15:22.574Z",
"dateUpdated": "2025-11-17T23:56:36.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34220 (GCVE-0-2025-34220)
Vulnerability from cvelistv5
Published
2025-09-29 20:42
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contains a /api-gateway/identity/search-groups endpoint that does not require authentication. Requests to https://<tenant>.printercloud10.com/api-gateway/identity/search-groups and adjustments to the `Host` header allow an unauthenticated remote attacker to enumerate every group object stored for that tenant. The response includes internal identifiers (group ID, source service ID, Azure AD object IDs, creation timestamps, and tenant IDs). This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34220",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T15:11:03.603239Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T15:11:35.161Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-api-leak"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/api-gateway/identity/search-groups"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.102",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"/api-gateway/identity/search-groups"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.1413",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.1413",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102\u0026nbsp;and Application prior to version 25.1.1413\u0026nbsp;(VA/SaaS deployments) contains a\u0026nbsp;/api-gateway/identity/search-groups endpoint that does not require authentication.\u0026nbsp;Requests to https://\u0026lt;tenant\u0026gt;.printercloud10.com/api-gateway/identity/search-groups and adjustments to the `Host` header allow an unauthenticated remote attacker to enumerate every group object stored for that tenant. The response includes internal identifiers (group\u202fID, source service ID, Azure AD object IDs, creation timestamps, and tenant IDs). This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102\u00a0and Application prior to version 25.1.1413\u00a0(VA/SaaS deployments) contains a\u00a0/api-gateway/identity/search-groups endpoint that does not require authentication.\u00a0Requests to https://\u003ctenant\u003e.printercloud10.com/api-gateway/identity/search-groups and adjustments to the `Host` header allow an unauthenticated remote attacker to enumerate every group object stored for that tenant. The response includes internal identifiers (group\u202fID, source service ID, Azure AD object IDs, creation timestamps, and tenant IDs). This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:35.915Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-api-leak"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-unauth-api-leaks-group-info"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Unauthenticated API Leaks Group Information",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34220",
"datePublished": "2025-09-29T20:42:17.866Z",
"dateReserved": "2025-04-15T19:15:22.574Z",
"dateUpdated": "2025-11-17T23:56:35.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34222 (GCVE-0-2025-34222)
Vulnerability from cvelistv5
Published
2025-09-29 20:41
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) expose four admin routes – /admin/hp/cert_upload, /admin/hp/cert_delete, /admin/certs/ca, and /admin/certs/serviceclients/{scid} – without any authentication check. The routes are defined in the /var/www/app/routes/web.php file inside the printercloud/pi Docker container and are handled by the HPCertificateController class, which performs no user validation. An unauthenticated attacker can therefore upload a new TLS/SSL certificate replacing the trusted root used by the appliance, delete an existing certificate causing immediate loss of trust for services that rely on it, or download any stored CA or client certificate via the service‑clients endpoint which also suffers an IDOR that allows enumeration of all client IDs. This vulnerability has been identified by the vendor as: V-2024-028 — Unauthenticated Admin APIs Used to Modify SSL Certificates.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34222",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T15:17:24.591877Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T15:17:39.102Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-insecure-apis-02"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/admin/hp/cert_upload",
"/admin/hp/cert_delete",
"/admin/certs/ca",
"/admin/certs/serviceclients/{scid}"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "22.0.1049",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"/admin/hp/cert_upload",
"/admin/hp/cert_delete",
"/admin/certs/ca",
"/admin/certs/serviceclients/{scid}"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "20.0.2786",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "22.0.1049",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20.0.2786",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049\u0026nbsp;and Application prior to version 20.0.2786\u0026nbsp;(VA/SaaS deployments)\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;expose four admin routes \u2013 /admin/hp/cert_upload, /admin/hp/cert_delete, /admin/certs/ca, and /admin/certs/serviceclients/{scid} \u2013 without any authentication check.\u0026nbsp;The routes are defined in the /var/www/app/routes/web.php file inside the printercloud/pi Docker container and are handled by the HPCertificateController class, which performs no user validation. An unauthenticated attacker can therefore\u0026nbsp;upload a new TLS/SSL certificate replacing the trusted root used by the appliance, delete an existing certificate causing immediate loss of trust for services that rely on it, or download any stored CA or client certificate via the service\u2011clients endpoint which also suffers an IDOR that allows enumeration of all client IDs.\u0026nbsp;\u003c/span\u003eThis vulnerability has been identified by the vendor as: V-2024-028 \u2014 Unauthenticated Admin APIs Used to Modify SSL Certificates.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049\u00a0and Application prior to version 20.0.2786\u00a0(VA/SaaS deployments)\u00a0expose four admin routes \u2013 /admin/hp/cert_upload, /admin/hp/cert_delete, /admin/certs/ca, and /admin/certs/serviceclients/{scid} \u2013 without any authentication check.\u00a0The routes are defined in the /var/www/app/routes/web.php file inside the printercloud/pi Docker container and are handled by the HPCertificateController class, which performs no user validation. An unauthenticated attacker can therefore\u00a0upload a new TLS/SSL certificate replacing the trusted root used by the appliance, delete an existing certificate causing immediate loss of trust for services that rely on it, or download any stored CA or client certificate via the service\u2011clients endpoint which also suffers an IDOR that allows enumeration of all client IDs.\u00a0This vulnerability has been identified by the vendor as: V-2024-028 \u2014 Unauthenticated Admin APIs Used to Modify SSL Certificates."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:36.247Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-insecure-apis-02"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-unauth-admin-apis-used-to-modify-ssl-certs"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Unauthenticated Admin APIs Used to Modify SSL Certificates",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34222",
"datePublished": "2025-09-29T20:41:52.953Z",
"dateReserved": "2025-04-15T19:15:22.574Z",
"dateUpdated": "2025-11-17T23:56:36.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34228 (GCVE-0-2025-34228)
Vulnerability from cvelistv5
Published
2025-09-29 20:41
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a server-side request forgery (SSRF) vulnerability. The `/var/www/app/console_release/lexmark/update.php` script is reachable from the internet without any authentication. The PHP script builds URLs from user‑controlled values and then invokes either 'curl_exec()` or `file_get_contents()` without proper validation. Because the endpoint is unauthenticated, any remote attacker can supply a hostname and cause the server to issue requests to internal resources. This enables internal network reconnaissance, potential pivoting, or data exfiltration. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34228",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T15:18:15.469709Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T15:19:07.221Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-04"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/var/www/app/console_release/lexmark/update.php"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.102",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"/var/www/app/console_release/lexmark/update.php"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.1413",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.1413",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102\u0026nbsp;and Application prior to version 25.1.1413\u0026nbsp;(VA/SaaS deployments) contain a server-side request forgery (SSRF) vulnerability. The `/var/www/app/console_release/lexmark/update.php` script is reachable from the internet without any authentication. The PHP script builds URLs from user\u2011controlled values and then invokes either \u0027curl_exec()` or `file_get_contents()` without proper validation.\u0026nbsp;Because the endpoint is unauthenticated, any remote attacker can supply a hostname and cause the server to issue requests to internal resources. This enables internal network reconnaissance, potential pivoting, or data exfiltration. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102\u00a0and Application prior to version 25.1.1413\u00a0(VA/SaaS deployments) contain a server-side request forgery (SSRF) vulnerability. The `/var/www/app/console_release/lexmark/update.php` script is reachable from the internet without any authentication. The PHP script builds URLs from user\u2011controlled values and then invokes either \u0027curl_exec()` or `file_get_contents()` without proper validation.\u00a0Because the endpoint is unauthenticated, any remote attacker can supply a hostname and cause the server to issue requests to internal resources. This enables internal network reconnaissance, potential pivoting, or data exfiltration. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
},
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:36.926Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-04"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-ssrf-via-lexmark-update-php-script"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) SSRF via Lexmark update.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34228",
"datePublished": "2025-09-29T20:41:29.156Z",
"dateReserved": "2025-04-15T19:15:22.574Z",
"dateUpdated": "2025-11-17T23:56:36.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34229 (GCVE-0-2025-34229)
Vulnerability from cvelistv5
Published
2025-09-29 20:41
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery (SSRF) vulnerability reachable via the /var/www/app/console_release/hp/installApp.php script that can be exploited by an unauthenticated user. When a printer is registered, the software stores the printer’s host name in the variable $printer_vo->str_host_address. The code later builds a URL like 'http://<host‑address>:80/DevMgmt/DiscoveryTree.xml' and sends the request with curl. No validation, whitelist, or private‑network filtering is performed before the request is made. Because the request is blind, an attacker cannot see the data directly, but can still: probe internal services, trigger internal actions, or gather other intelligence. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34229",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T15:20:26.023204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T15:21:11.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-05"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/var/www/app/console_release/hp/installApp.php"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.102",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"/var/www/app/console_release/hp/installApp.php"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.1413",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.1413",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102\u0026nbsp;and Application prior to version 25.1.1413\u0026nbsp;(VA/SaaS deployments) contain a\u0026nbsp;blind server-side request forgery (SSRF) vulnerability reachable via the \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e/var/www/app/console_release/hp/installApp.php\u003c/span\u003e script that can be exploited by an unauthenticated user. When a printer is registered, the software stores the printer\u2019s host name in the variable\u202f$printer_vo-\u0026gt;str_host_address. The code later builds a URL like \u0027http://\u0026lt;host\u2011address\u0026gt;:80/DevMgmt/DiscoveryTree.xml\u0027 and sends the request with curl. No validation, whitelist, or private\u2011network filtering is performed before the request is made.\u0026nbsp;Because the request is blind, an attacker cannot see the data directly, but can still: probe internal services, trigger internal actions, or gather other intelligence. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102\u00a0and Application prior to version 25.1.1413\u00a0(VA/SaaS deployments) contain a\u00a0blind server-side request forgery (SSRF) vulnerability reachable via the /var/www/app/console_release/hp/installApp.php script that can be exploited by an unauthenticated user. When a printer is registered, the software stores the printer\u2019s host name in the variable\u202f$printer_vo-\u003estr_host_address. The code later builds a URL like \u0027http://\u003chost\u2011address\u003e:80/DevMgmt/DiscoveryTree.xml\u0027 and sends the request with curl. No validation, whitelist, or private\u2011network filtering is performed before the request is made.\u00a0Because the request is blind, an attacker cannot see the data directly, but can still: probe internal services, trigger internal actions, or gather other intelligence. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
},
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:37.130Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-05"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-ssrf-via-hp-update-php-script"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Blind SSRF via HP installApp.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34229",
"datePublished": "2025-09-29T20:41:05.882Z",
"dateReserved": "2025-04-15T19:15:22.574Z",
"dateUpdated": "2025-11-17T23:56:37.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34230 (GCVE-0-2025-34230)
Vulnerability from cvelistv5
Published
2025-09-29 20:40
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery (SSRF) vulnerability reachable via the /var/www/app/console_release/hp/log_off_single_sign_on.php script that can be exploited by an unauthenticated user. When a printer is registered, the software stores the printer’s host name in the variable $printer_vo->str_host_address. The code later builds a URL like 'http://<host‑address>:80/DevMgmt/DiscoveryTree.xml' and sends the request with curl. No validation, whitelist, or private‑network filtering is performed before the request is made. Because the request is blind, an attacker cannot see the data directly, but can still: probe internal services, trigger internal actions, or gather other intelligence. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34230",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T15:21:27.562487Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T15:21:42.507Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-06"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/var/www/app/console_release/hp/log_off_single_sign_on.php"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.102",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"/var/www/app/console_release/hp/log_off_single_sign_on.php"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.1413",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.1413",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery (SSRF) vulnerability reachable via the \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e/var/www/app/console_release/hp/log_off_single_sign_on.php\u003c/span\u003e\u003c/span\u003e script that can be exploited by an unauthenticated user. When a printer is registered, the software stores the printer\u2019s host name in the variable\u202f$printer_vo-\u0026gt;str_host_address. The code later builds a URL like \u0027http://\u0026lt;host\u2011address\u0026gt;:80/DevMgmt/DiscoveryTree.xml\u0027 and sends the request with curl. No validation, whitelist, or private\u2011network filtering is performed before the request is made.\u0026nbsp;Because the request is blind, an attacker cannot see the data directly, but can still: probe internal services, trigger internal actions, or gather other intelligence. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery (SSRF) vulnerability reachable via the /var/www/app/console_release/hp/log_off_single_sign_on.php script that can be exploited by an unauthenticated user. When a printer is registered, the software stores the printer\u2019s host name in the variable\u202f$printer_vo-\u003estr_host_address. The code later builds a URL like \u0027http://\u003chost\u2011address\u003e:80/DevMgmt/DiscoveryTree.xml\u0027 and sends the request with curl. No validation, whitelist, or private\u2011network filtering is performed before the request is made.\u00a0Because the request is blind, an attacker cannot see the data directly, but can still: probe internal services, trigger internal actions, or gather other intelligence. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
},
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:37.313Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-06"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-ssrf-via-hp-log-off-single-sign-on-php-script"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Blind SSRF via HP log_off_single_sign_on.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34230",
"datePublished": "2025-09-29T20:40:39.074Z",
"dateReserved": "2025-04-15T19:15:22.574Z",
"dateUpdated": "2025-11-17T23:56:37.313Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34231 (GCVE-0-2025-34231)
Vulnerability from cvelistv5
Published
2025-09-29 20:40
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind and non-blind server-side request forgery (SSRF) vulnerability. The '/var/www/app/console_release/hp/badgeSetup.php' script is reachable from the Internet without any authentication and builds URLs from user‑controlled parameters before invoking either the custom processCurl() function or PHP’s file_get_contents(); in both cases the hostname/URL is taken directly from the request with no whitelist, scheme restriction, IP‑range validation, or outbound‑network filtering. Consequently, any unauthenticated attacker can force the server to issue arbitrary HTTP requests to internal resources. This enables internal network reconnaissance, credential leakage, pivoting, and data exfiltration. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34231",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T13:32:50.691740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T13:42:25.969Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-07"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/var/www/app/console_release/hp/badgeSetup.php"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.102",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"/var/www/app/console_release/hp/badgeSetup.php"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.1413",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.1413",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102\u0026nbsp;and Application prior to version 25.1.1413\u0026nbsp;(VA/SaaS deployments) contain a blind and non-blind server-side request forgery (SSRF) vulnerability. The \u0027/var/www/app/console_release/hp/badgeSetup.php\u0027 script is reachable from the Internet without any authentication and builds URLs from user\u2011controlled parameters before invoking either the custom processCurl() function or PHP\u2019s file_get_contents(); in both cases the hostname/URL is taken directly from the request with no whitelist, scheme restriction, IP\u2011range validation, or outbound\u2011network filtering. Consequently, any unauthenticated attacker can force the server to issue arbitrary HTTP requests to internal resources. This enables internal network reconnaissance, credential leakage, pivoting, and data exfiltration.\u0026nbsp;This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102\u00a0and Application prior to version 25.1.1413\u00a0(VA/SaaS deployments) contain a blind and non-blind server-side request forgery (SSRF) vulnerability. The \u0027/var/www/app/console_release/hp/badgeSetup.php\u0027 script is reachable from the Internet without any authentication and builds URLs from user\u2011controlled parameters before invoking either the custom processCurl() function or PHP\u2019s file_get_contents(); in both cases the hostname/URL is taken directly from the request with no whitelist, scheme restriction, IP\u2011range validation, or outbound\u2011network filtering. Consequently, any unauthenticated attacker can force the server to issue arbitrary HTTP requests to internal resources. This enables internal network reconnaissance, credential leakage, pivoting, and data exfiltration.\u00a0This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
},
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:37.493Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-07"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-ssrf-via-hp-badgesetup-php-script"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) SSRF via HP badgeSetup.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34231",
"datePublished": "2025-09-29T20:40:11.596Z",
"dateReserved": "2025-04-15T19:15:22.575Z",
"dateUpdated": "2025-11-17T23:56:37.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34225 (GCVE-0-2025-34225)
Vulnerability from cvelistv5
Published
2025-09-29 20:39
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a server-side request forgery (SSRF) vulnerability. The `console_release` directory is reachable from the internet without any authentication. Inside that directory are dozens of PHP scripts that build URLs from user‑controlled values and then invoke either 'curl_exec()` or `file_get_contents()` without proper validation. Although many files attempt to mitigate SSRF by calling `filter_var', the checks are incomplete. Because the endpoint is unauthenticated, any remote attacker can supply a hostname and cause the server to issue requests to internal resources. This enables internal network reconnaissance, potential pivoting, or data exfiltration. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34225",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T13:32:59.178830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T13:42:32.556Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-03"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"console_release directory"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.102",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"console_release directory"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.1413",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.1413",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102\u0026nbsp;and Application prior to version 25.1.1413\u0026nbsp;(VA/SaaS deployments) contain a server-side request forgery (SSRF) vulnerability. The `console_release` directory is reachable from the internet without any authentication. Inside that directory are dozens of PHP scripts that build URLs from user\u2011controlled values and then invoke either \u0027curl_exec()` or `file_get_contents()` without proper validation.\u0026nbsp;Although many files attempt to mitigate SSRF by calling `filter_var\u0027, the checks are incomplete. Because the endpoint is unauthenticated, any remote attacker can supply a hostname and cause the server to issue requests to internal resources. This enables internal network reconnaissance, potential pivoting, or data exfiltration. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102\u00a0and Application prior to version 25.1.1413\u00a0(VA/SaaS deployments) contain a server-side request forgery (SSRF) vulnerability. The `console_release` directory is reachable from the internet without any authentication. Inside that directory are dozens of PHP scripts that build URLs from user\u2011controlled values and then invoke either \u0027curl_exec()` or `file_get_contents()` without proper validation.\u00a0Although many files attempt to mitigate SSRF by calling `filter_var\u0027, the checks are incomplete. Because the endpoint is unauthenticated, any remote attacker can supply a hostname and cause the server to issue requests to internal resources. This enables internal network reconnaissance, potential pivoting, or data exfiltration. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
},
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:36.757Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-03"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-ssrf-via-console-release-directory"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) SSRF via console_release Directory",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34225",
"datePublished": "2025-09-29T20:39:49.179Z",
"dateReserved": "2025-04-15T19:15:22.574Z",
"dateUpdated": "2025-11-17T23:56:36.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34216 (GCVE-0-2025-34216)
Vulnerability from cvelistv5
Published
2025-09-29 20:39
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1026 and Application prior to version 20.0.2702 (VA deployments only) expose a set of unauthenticated REST API endpoints that return configuration files and clear‑text passwords. The same endpoints also disclose the Laravel APP_KEY used for cryptographic signing. Because the APP_KEY is required to generate valid signed requests, an attacker who obtains it can craft malicious payloads that are accepted by the application and achieve remote code execution on the appliance. This vulnerability has been identified by the vendor as: V-2024-018 — RCE & Leaks via API.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34216",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T13:33:08.626686Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T13:42:38.101Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-rce-03"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/va\u2011api/v1/storage/secrets.env",
"/va\u2011api/v1/services"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "22.0.1026",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"/va\u2011api/v1/storage/secrets.env",
"/va\u2011api/v1/services"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "20.0.2702",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "22.0.1026",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20.0.2702",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1026\u0026nbsp;and Application prior to version 20.0.2702\u0026nbsp;(VA deployments only)\u0026nbsp;expose a set of unauthenticated REST API endpoints that return configuration files and clear\u2011text passwords. The same endpoints also disclose the Laravel APP_KEY used for cryptographic signing. \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBecause the APP_KEY is required to generate valid signed requests, an attacker who obtains it can craft malicious payloads that are accepted by the application and achieve remote code execution on the appliance.\u0026nbsp;\u003c/span\u003eThis vulnerability has been identified by the vendor as: V-2024-018 \u2014 RCE \u0026amp; Leaks via API.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1026\u00a0and Application prior to version 20.0.2702\u00a0(VA deployments only)\u00a0expose a set of unauthenticated REST API endpoints that return configuration files and clear\u2011text passwords. The same endpoints also disclose the Laravel APP_KEY used for cryptographic signing. Because the APP_KEY is required to generate valid signed requests, an attacker who obtains it can craft malicious payloads that are accepted by the application and achieve remote code execution on the appliance.\u00a0This vulnerability has been identified by the vendor as: V-2024-018 \u2014 RCE \u0026 Leaks via API."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:35.369Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-rce-03"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-rce-and-password-leaks-via-api"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) RCE and Password Leaks via API",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34216",
"datePublished": "2025-09-29T20:39:13.361Z",
"dateReserved": "2025-04-15T19:15:22.573Z",
"dateUpdated": "2025-11-17T23:56:35.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34233 (GCVE-0-2025-34233)
Vulnerability from cvelistv5
Published
2025-09-29 20:38
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE‑693 Protection Mechanism Failure
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a protection mechanism failure vulnerability within the file_get_contents() function. When an administrator configures a printer’s hostname (or similar callback field), the value is passed unchecked to PHP’s file_get_contents()/cURL functions, which follow redirects and impose no allow‑list, scheme, or IP‑range restrictions. An admin‑level attacker can therefore point the hostname to a malicious web server that issues a 301 redirect to internal endpoints such as the AWS EC2 metadata service. The server follows the redirect, retrieves the metadata, and returns or stores the credentials, enabling the attacker to steal cloud IAM keys, enumerate internal services, and pivot further into the SaaS infrastructure. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34233",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T13:33:17.330504Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:42:13.839Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"file_get_contents()"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.102",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"file_get_contents()"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.1413",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.1413",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a protection mechanism failure vulnerability within the file_get_contents() function.\u0026nbsp;When an administrator configures a printer\u2019s hostname (or similar callback field), the value is passed unchecked to PHP\u2019s file_get_contents()/cURL functions, which follow redirects and impose no allow\u2011list, scheme, or IP\u2011range restrictions. An admin\u2011level attacker can therefore point the hostname to a malicious web server that issues a 301 redirect to internal endpoints such as the AWS EC2 metadata service.\u0026nbsp;The server follows the redirect, retrieves the metadata, and returns or stores the credentials, enabling the attacker to steal cloud IAM keys, enumerate internal services, and pivot further into the SaaS infrastructure. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a protection mechanism failure vulnerability within the file_get_contents() function.\u00a0When an administrator configures a printer\u2019s hostname (or similar callback field), the value is passed unchecked to PHP\u2019s file_get_contents()/cURL functions, which follow redirects and impose no allow\u2011list, scheme, or IP\u2011range restrictions. An admin\u2011level attacker can therefore point the hostname to a malicious web server that issues a 301 redirect to internal endpoints such as the AWS EC2 metadata service.\u00a0The server follows the redirect, retrieves the metadata, and returns or stores the credentials, enabling the attacker to steal cloud IAM keys, enumerate internal services, and pivot further into the SaaS infrastructure. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
},
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE\u2011693 Protection Mechanism Failure",
"lang": "en"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:37.811Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-insecure-use-file_get_contents"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-insecure-use-of-file-get-contents-function"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Insecure Use of file_get_contents()",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34233",
"datePublished": "2025-09-29T20:38:49.403Z",
"dateReserved": "2025-04-15T19:15:22.575Z",
"dateUpdated": "2025-11-17T23:56:37.811Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34207 (GCVE-0-2025-34207)
Vulnerability from cvelistv5
Published
2025-09-29 20:38
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 22.0.1049 and Application prior to 20.0.2786 (VA and SaaS deployments) configure the SSH client within Docker instances with the following options: `UserKnownHostsFile=/dev/null`, `StrictHostKeyChecking=no`, and `ForwardAgent yes`. These settings disable verification of the remote host’s SSH key and automatically forward the developer’s SSH‑agent to any host that matches the configured wildcard patterns. As a result, an attacker who can reach a single compromised container can cause the container to connect to a malicious SSH server, capture the forwarded private keys, and use those keys for unrestricted lateral movement across the environment. This vulnerability has been identified by the vendor as: V-2024-027 — Insecure Secure Shell (SSH) Configuration.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34207",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T13:33:23.255671Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T13:42:46.177Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-insecure-ssh-config"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Docker container scripts"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "22.0.1049",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"Docker container scripts"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "20.0.2786",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "22.0.1049",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20.0.2786",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 22.0.1049 and Application prior to 20.0.2786 (VA and SaaS deployments)\u0026nbsp;configure the SSH client within Docker instances with the following options: `UserKnownHostsFile=/dev/null`, `StrictHostKeyChecking=no`, and `ForwardAgent yes`. These settings disable verification of the remote host\u2019s SSH key and automatically forward the developer\u2019s SSH\u2011agent to any host that matches the configured wildcard patterns. As a result, an attacker who can reach a single compromised container can cause the container to connect to a malicious SSH server, capture the forwarded private keys, and use those keys for unrestricted lateral movement across the environment.\u0026nbsp;This vulnerability has been identified by the vendor as: V-2024-027 \u2014 Insecure Secure Shell (SSH) Configuration.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 22.0.1049 and Application prior to 20.0.2786 (VA and SaaS deployments)\u00a0configure the SSH client within Docker instances with the following options: `UserKnownHostsFile=/dev/null`, `StrictHostKeyChecking=no`, and `ForwardAgent yes`. These settings disable verification of the remote host\u2019s SSH key and automatically forward the developer\u2019s SSH\u2011agent to any host that matches the configured wildcard patterns. As a result, an attacker who can reach a single compromised container can cause the container to connect to a malicious SSH server, capture the forwarded private keys, and use those keys for unrestricted lateral movement across the environment.\u00a0This vulnerability has been identified by the vendor as: V-2024-027 \u2014 Insecure Secure Shell (SSH) Configuration."
}
],
"impacts": [
{
"capecId": "CAPEC-234",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-234 Hijacking a privileged process"
}
]
},
{
"capecId": "CAPEC-22",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-22 Exploiting Trust in Client"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.9,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:34.114Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-insecure-ssh-config"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-insecure-ssh-client-config"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Insecure SSH Client Configuration",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34207",
"datePublished": "2025-09-29T20:38:29.682Z",
"dateReserved": "2025-04-15T19:15:22.571Z",
"dateUpdated": "2025-11-17T23:56:34.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34223 (GCVE-0-2025-34223)
Vulnerability from cvelistv5
Published
2025-09-29 20:38
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) contain a default admin account and an installation‑time endpoint at `/admin/query/update_database.php` that can be accessed without authentication. An attacker who can reach the installation web interface can POST arbitrary `root_user` and `root_password` values, causing the script to replace the default admin credentials with attacker‑controlled ones. The script also contains hard‑coded SHA‑512 and SHA‑1 hashes of the default password, allowing the attacker to bypass password‑policy validation. As a result, an unauthenticated remote attacker can obtain full administrative control of the system during the initial setup. This vulnerability has been identified by the vendor as: V-2024-022 — Insecure Installation Credentials.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34223",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T13:33:31.558514Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T13:42:52.806Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-insecure-credentials-installation"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/admin/query/update_database.php"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "22.0.1049",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"/admin/query/update_database.php"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "20.0.2786",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "22.0.1049",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20.0.2786",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049\u0026nbsp;and Application prior to version 20.0.2786\u0026nbsp;(VA/SaaS deployments) contain\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;a default admin account\u0026nbsp;and an installation\u2011time endpoint at `/admin/query/update_database.php` that can be accessed without authentication. An attacker who can reach the installation web interface can POST arbitrary `root_user` and `root_password` values, causing the script to replace the default admin credentials with attacker\u2011controlled ones. The script also contains hard\u2011coded SHA\u2011512 and SHA\u20111 hashes of the default password, allowing the attacker to bypass password\u2011policy validation. As a result, an unauthenticated remote attacker can obtain full administrative control of the system during the initial setup.\u0026nbsp;\u003c/span\u003eThis vulnerability has been identified by the vendor as: V-2024-022 \u2014 Insecure Installation Credentials.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049\u00a0and Application prior to version 20.0.2786\u00a0(VA/SaaS deployments) contain\u00a0a default admin account\u00a0and an installation\u2011time endpoint at `/admin/query/update_database.php` that can be accessed without authentication. An attacker who can reach the installation web interface can POST arbitrary `root_user` and `root_password` values, causing the script to replace the default admin credentials with attacker\u2011controlled ones. The script also contains hard\u2011coded SHA\u2011512 and SHA\u20111 hashes of the default password, allowing the attacker to bypass password\u2011policy validation. As a result, an unauthenticated remote attacker can obtain full administrative control of the system during the initial setup.\u00a0This vulnerability has been identified by the vendor as: V-2024-022 \u2014 Insecure Installation Credentials."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
},
{
"capecId": "CAPEC-653",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-653 Use of Known Operating System Credentials"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:36.415Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-insecure-credentials-installation"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-insecure-installation-credentials"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Insecure Installation Credentials",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34223",
"datePublished": "2025-09-29T20:38:05.154Z",
"dateReserved": "2025-04-15T19:15:22.574Z",
"dateUpdated": "2025-11-17T23:56:36.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34212 (GCVE-0-2025-34212)
Vulnerability from cvelistv5
Published
2025-09-29 20:36
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.843 and Application prior to version 20.0.1923 (VA/SaaS deployments) possess CI/CD weaknesses: the build pulls an unverified third-party image, downloads the VirtualBox Extension Pack over plain HTTP without signature validation, and grants the jenkins account NOPASSWD for mount/umount. Together these allow supply chain or man-in-the-middle compromise of the build pipeline, injection of malicious firmware, and remote code execution as root on the CI host. This vulnerability has been identified by the vendor as: V-2023-007 — Supply Chain Attack.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34212",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T03:55:55.352Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-supply-chain-build-system"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Provision script va\u2011build\u2011node.sh",
"Jenkins user sudo configuration",
"Build system Docker\u2011Compose (/opt/docker-compose.yaml)"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "22.0.843",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"Provision script va\u2011build\u2011node.sh",
"Jenkins user sudo configuration",
"Build system Docker\u2011Compose (/opt/docker-compose.yaml)"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "20.0.1923",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "22.0.843",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20.0.1923",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.843\u0026nbsp;and Application prior to version 20.0.1923\u0026nbsp;(VA/SaaS deployments) possess\u0026nbsp;CI/CD weaknesses: the build pulls an unverified third-party image, downloads the VirtualBox Extension Pack over plain HTTP without signature validation, and grants the jenkins account NOPASSWD for mount/umount. Together these allow supply chain or man-in-the-middle compromise of the build pipeline, injection of malicious firmware, and remote code execution as root on the CI host. This vulnerability has been identified by the vendor as: V-2023-007 \u2014 Supply Chain Attack.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.843\u00a0and Application prior to version 20.0.1923\u00a0(VA/SaaS deployments) possess\u00a0CI/CD weaknesses: the build pulls an unverified third-party image, downloads the VirtualBox Extension Pack over plain HTTP without signature validation, and grants the jenkins account NOPASSWD for mount/umount. Together these allow supply chain or man-in-the-middle compromise of the build pipeline, injection of malicious firmware, and remote code execution as root on the CI host. This vulnerability has been identified by the vendor as: V-2023-007 \u2014 Supply Chain Attack."
}
],
"impacts": [
{
"capecId": "CAPEC-186",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-186 Malicious Software Update"
}
]
},
{
"capecId": "CAPEC-678",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-678 System Build Data Maliciously Altered"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-494",
"description": "CWE-494 Download of Code Without Integrity Check",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:35.033Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-supply-chain-build-system"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-insecure-build-pipeline"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Insecure Build Pipeline",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34212",
"datePublished": "2025-09-29T20:36:51.280Z",
"dateReserved": "2025-04-15T19:15:22.571Z",
"dateUpdated": "2025-11-17T23:56:35.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34211 (GCVE-0-2025-34211)
Vulnerability from cvelistv5
Published
2025-09-29 20:36
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA and SaaS deployments) contain a private SSL key and matching public certificate stored in cleartext. The key belongs to the hostname `pl‑local.com` and is used by the appliance to terminate TLS connections on ports 80/443. Because the key is hardcoded, any attacker who can gain container-level access can simply read the files and obtain the private key. With the private key, the attacker can decrypt TLS traffic, perform man-in-the-middle attacks, or forge TLS certificates. This enables impersonation of the appliance’s web UI, interception of credentials, and unrestricted access to any services that trust the certificate. The same key is identical across all deployed appliances meaning a single theft compromises the confidentiality of every Vasion Print installation. This vulnerability has been identified by the vendor as: V-2024-025 — Hardcoded SSL Certificate & Private Keys.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34211",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T13:33:48.936539Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T13:43:06.507Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-hardcoded-ssl-private-key"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/etc/ssl/private/pl\u2011local.com.key",
"/etc/ssl/certs/pl\u2011local.com.pe"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "22.0.1049",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"/etc/ssl/private/pl\u2011local.com.key",
"/etc/ssl/certs/pl\u2011local.com.pe"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "20.0.2786",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "22.0.1049",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20.0.2786",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA and SaaS deployments) contain a private SSL key and matching public certificate stored in cleartext.\u0026nbsp;The key belongs to the hostname `pl\u2011local.com` and is used by the appliance to terminate TLS connections on ports 80/443. Because the key is hardcoded, any attacker who can gain container-level access can simply read the files and obtain the private key. With the private key, the attacker can decrypt TLS traffic, perform man-in-the-middle attacks, or forge TLS certificates.\u0026nbsp;This enables impersonation of the appliance\u2019s web UI, interception of credentials, and unrestricted access to any services that trust the certificate. The same key is identical across all deployed appliances meaning a single theft compromises the confidentiality of every Vasion Print installation.\u0026nbsp;This vulnerability has been identified by the vendor as: V-2024-025 \u2014 Hardcoded SSL Certificate \u0026amp; Private Keys.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA and SaaS deployments) contain a private SSL key and matching public certificate stored in cleartext.\u00a0The key belongs to the hostname `pl\u2011local.com` and is used by the appliance to terminate TLS connections on ports 80/443. Because the key is hardcoded, any attacker who can gain container-level access can simply read the files and obtain the private key. With the private key, the attacker can decrypt TLS traffic, perform man-in-the-middle attacks, or forge TLS certificates.\u00a0This enables impersonation of the appliance\u2019s web UI, interception of credentials, and unrestricted access to any services that trust the certificate. The same key is identical across all deployed appliances meaning a single theft compromises the confidentiality of every Vasion Print installation.\u00a0This vulnerability has been identified by the vendor as: V-2024-025 \u2014 Hardcoded SSL Certificate \u0026 Private Keys."
}
],
"impacts": [
{
"capecId": "CAPEC-474",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-474 Signature Spoofing by Key Theft"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:34.861Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-hardcoded-ssl-private-key"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-hardcoded-ssl-certificate-and-private-keys"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Hardcoded SSL Certificate and Private Keys",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34211",
"datePublished": "2025-09-29T20:36:26.157Z",
"dateReserved": "2025-04-15T19:15:22.571Z",
"dateUpdated": "2025-11-17T23:56:34.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34209 (GCVE-0-2025-34209)
Vulnerability from cvelistv5
Published
2025-09-29 20:35
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-798 - Use of Hard-coded Credentials
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 22.0.862 and Application prior to 20.0.2014 (VA and SaaS deployments) contain Docker images with the private GPG key and passphrase for the account *no‑reply+virtual‑appliance@printerlogic.com*. The key is stored in cleartext and the passphrase is hardcoded in files. An attacker with administrative access to the appliance can extract the private key, import it into their own system, and subsequently decrypt GPG-encrypted files and sign arbitrary firmware update packages. A maliciously signed update can be uploaded by an admin‑level attacker and will be executed by the appliance, giving the attacker full control of the virtual appliance. This vulnerability has been identified by the vendor as: V-2023-010 — Hardcoded Private Key.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34209",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T13:33:57.998509Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T13:43:11.932Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-private-gpg-key"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Docker images \u2013 embedded GPG key pair",
"Firmware\u2011update signing workflow"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "22.0.862",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"Docker images \u2013 embedded GPG key pair",
"Firmware\u2011update signing workflow"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "20.0.2014",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "22.0.862",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20.0.2014",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 22.0.862 and Application prior to 20.0.2014 (VA and SaaS deployments)\u0026nbsp;contain Docker images with the private GPG key and passphrase for the account *no\u2011reply+virtual\u2011appliance@printerlogic.com*.\u0026nbsp;The key is stored in cleartext and the passphrase is hardcoded in files.\u0026nbsp;An attacker with administrative access to the appliance can extract the private key, import it into their own system, and subsequently decrypt GPG-encrypted files and sign arbitrary firmware update packages.\u0026nbsp;A maliciously signed update can be uploaded by an admin\u2011level attacker and will be executed by the appliance, giving the attacker full control of the virtual appliance.\u0026nbsp;This vulnerability has been identified by the vendor as: V-2023-010 \u2014 Hardcoded Private Key.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 22.0.862 and Application prior to 20.0.2014 (VA and SaaS deployments)\u00a0contain Docker images with the private GPG key and passphrase for the account *no\u2011reply+virtual\u2011appliance@printerlogic.com*.\u00a0The key is stored in cleartext and the passphrase is hardcoded in files.\u00a0An attacker with administrative access to the appliance can extract the private key, import it into their own system, and subsequently decrypt GPG-encrypted files and sign arbitrary firmware update packages.\u00a0A maliciously signed update can be uploaded by an admin\u2011level attacker and will be executed by the appliance, giving the attacker full control of the virtual appliance.\u00a0This vulnerability has been identified by the vendor as: V-2023-010 \u2014 Hardcoded Private Key."
}
],
"impacts": [
{
"capecId": "CAPEC-474",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-474 Signature Spoofing by Key Theft"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:34.498Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-private-gpg-key"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-hardcoded-gpg-private-key"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Hardcoded GPG Private Key",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34209",
"datePublished": "2025-09-29T20:35:11.366Z",
"dateReserved": "2025-04-15T19:15:22.571Z",
"dateUpdated": "2025-11-17T23:56:34.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34234 (GCVE-0-2025-34234)
Vulnerability from cvelistv5
Published
2025-09-29 20:34
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-321 - Use of Hard‑coded Cryptographic Key
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain two hardcoded private keys that are shipped in the application containers (printerlogic/pi, printerlogic/printer-admin-api, and printercloud/pi). The keys are stored in clear text under /var/www/app/config/ as keyfile.ppk.dev and keyfile.saasid.ppk.dev. The application uses these keys as the symmetric secret for AES‑256‑CBC encryption/decryption of the “SaaS Id” (external identifier) through the getEncryptedExternalId() / getDecryptedExternalId() methods. Because the secret is embedded in the deployed image, any attacker who can obtain a copy of the Docker image, read the configuration files, or otherwise enumerate the filesystem can recover the encryption key. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34234",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T13:34:06.710551Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T13:43:18.410Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-hardcoded-key"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"printerlogic/pi",
"printerlogic/printer-admin-api",
"printercloud/pi",
"/var/www/app/config/",
"keyfile.ppk.dev",
"keyfile.saasid.ppk.dev"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.102",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"printerlogic/pi",
"printerlogic/printer-admin-api",
"printercloud/pi",
"/var/www/app/config/",
"keyfile.ppk.dev",
"keyfile.saasid.ppk.dev"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.1413",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.1413",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain two hardcoded private keys that are shipped in the application containers (printerlogic/pi, printerlogic/printer-admin-api, and printercloud/pi). The keys are stored in clear text under /var/www/app/config/ as keyfile.ppk.dev and keyfile.saasid.ppk.dev. The application uses these keys as the symmetric secret for AES\u2011256\u2011CBC encryption/decryption of the \u201cSaaS Id\u201d (external identifier) through the getEncryptedExternalId() / getDecryptedExternalId() methods. \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBecause the secret is embedded in the deployed image, any attacker who can obtain a copy of the Docker image, read the configuration files, or otherwise enumerate the filesystem can recover the encryption key.\u0026nbsp;\u003c/span\u003eThis vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain two hardcoded private keys that are shipped in the application containers (printerlogic/pi, printerlogic/printer-admin-api, and printercloud/pi). The keys are stored in clear text under /var/www/app/config/ as keyfile.ppk.dev and keyfile.saasid.ppk.dev. The application uses these keys as the symmetric secret for AES\u2011256\u2011CBC encryption/decryption of the \u201cSaaS Id\u201d (external identifier) through the getEncryptedExternalId() / getDecryptedExternalId() methods. Because the secret is embedded in the deployed image, any attacker who can obtain a copy of the Docker image, read the configuration files, or otherwise enumerate the filesystem can recover the encryption key.\u00a0This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard\u2011coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:37.989Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-hardcoded-key"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-hardcoded-encryption-private-keys"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Hardcoded Encryption Private Keys",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34234",
"datePublished": "2025-09-29T20:34:45.051Z",
"dateReserved": "2025-04-15T19:15:22.575Z",
"dateUpdated": "2025-11-17T23:56:37.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34218 (GCVE-0-2025-34218)
Vulnerability from cvelistv5
Published
2025-09-29 20:34
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-306 - Missing Authentication for Critical Function
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) expose internal Docker containers through the gw Docker instance. The gateway publishes a /meta endpoint which lists every micro‑service container together with version information. These containers are reachable directly over HTTP/HTTPS without any access‑control list (ACL), authentication or rate‑limiting. Consequently, any attacker on the LAN or the Internet can enumerate all internal services and their versions, interact with the exposed APIs of each microservice as an unauthenticated user, or issue malicious requests that may lead to information disclosure, privilege escalation within the container, or denial‑of‑service of the entire appliance. The root cause is the absence of authentication and network‑level restrictions on the API‑gateway’s proxy to internal Docker containers, effectively turning the internal service mesh into a public attack surface. This vulnerability has been identified by the vendor as: V-2024-030 — Exposed Internal Docker Instance (LAN).
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34218",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T03:55:54.487Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-exposed-docker-instances"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"http://gw.10.105.0.60/meta",
"https://gw.app.printercloud10.com/meta",
"https://gw.app.printercloud10.com/\u003ccontainer\u2011name\u003e/\u2026"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "22.0.1049",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"http://gw.10.105.0.60/meta",
"https://gw.app.printercloud10.com/meta",
"https://gw.app.printercloud10.com/\u003ccontainer\u2011name\u003e/\u2026"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "20.0.2786",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "22.0.1049",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20.0.2786",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049\u0026nbsp;and Application prior to version 20.0.2786\u0026nbsp;(VA/SaaS deployments)\u0026nbsp;expose internal Docker containers through the gw\u0026nbsp;Docker instance. The gateway publishes a /meta endpoint\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;which lists every micro\u2011service container together with version information.\u0026nbsp;These containers are reachable directly over HTTP/HTTPS\u0026nbsp;without any access\u2011control list (ACL), authentication or rate\u2011limiting.\u0026nbsp;Consequently, any attacker on the LAN or the Internet can enumerate all internal services and their versions, interact with the exposed APIs of each microservice as an unauthenticated user, or issue malicious requests that may lead to information disclosure, privilege escalation within the container, or denial\u2011of\u2011service of the entire appliance.\u0026nbsp;The root cause is the absence of authentication and network\u2011level restrictions on the API\u2011gateway\u2019s proxy to internal Docker containers, effectively turning the internal service mesh into a public attack surface.\u0026nbsp;\u003c/span\u003eThis vulnerability has been identified by the vendor as: V-2024-030 \u2014 Exposed Internal Docker Instance (LAN).\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049\u00a0and Application prior to version 20.0.2786\u00a0(VA/SaaS deployments)\u00a0expose internal Docker containers through the gw\u00a0Docker instance. The gateway publishes a /meta endpoint\u00a0which lists every micro\u2011service container together with version information.\u00a0These containers are reachable directly over HTTP/HTTPS\u00a0without any access\u2011control list (ACL), authentication or rate\u2011limiting.\u00a0Consequently, any attacker on the LAN or the Internet can enumerate all internal services and their versions, interact with the exposed APIs of each microservice as an unauthenticated user, or issue malicious requests that may lead to information disclosure, privilege escalation within the container, or denial\u2011of\u2011service of the entire appliance.\u00a0The root cause is the absence of authentication and network\u2011level restrictions on the API\u2011gateway\u2019s proxy to internal Docker containers, effectively turning the internal service mesh into a public attack surface.\u00a0This vulnerability has been identified by the vendor as: V-2024-030 \u2014 Exposed Internal Docker Instance (LAN)."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:35.734Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-exposed-docker-instances"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-exposed-internal-docker-instance"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Exposed Internal Docker Instance",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34218",
"datePublished": "2025-09-29T20:34:23.512Z",
"dateReserved": "2025-04-15T19:15:22.573Z",
"dateUpdated": "2025-11-17T23:56:35.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34232 (GCVE-0-2025-34232)
Vulnerability from cvelistv5
Published
2025-09-29 20:34
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery (SSRF) vulnerability reachable via the /var/www/app/console_release/lexmark/dellCheck.php script that can be exploited by an unauthenticated user. When a printer is registered, the software stores the printer’s host name in the variable $printer_vo->str_host_address. The code later builds a URL like 'http://<host‑address>:80/DevMgmt/DiscoveryTree.xml' and sends the request with curl. No validation, whitelist, or private‑network filtering is performed before the request is made. Because the request is blind, an attacker cannot see the data directly, but can still: probe internal services, trigger internal actions, or gather other intelligence. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34232",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T13:34:24.758273Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T13:43:33.101Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-08"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/var/www/app/console_release/lexmark/dellCheck.php"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.102",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"/var/www/app/console_release/lexmark/dellCheck.php"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.1413",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.1413",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery (SSRF) vulnerability reachable via the \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e/var/www/app/console_release/lexmark/dellCheck.php\u003c/span\u003e\u003c/span\u003e script that can be exploited by an unauthenticated user. When a printer is registered, the software stores the printer\u2019s host name in the variable\u202f$printer_vo-\u0026gt;str_host_address. The code later builds a URL like \u0027http://\u0026lt;host\u2011address\u0026gt;:80/DevMgmt/DiscoveryTree.xml\u0027 and sends the request with curl. No validation, whitelist, or private\u2011network filtering is performed before the request is made.\u0026nbsp;Because the request is blind, an attacker cannot see the data directly, but can still: probe internal services, trigger internal actions, or gather other intelligence. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery (SSRF) vulnerability reachable via the /var/www/app/console_release/lexmark/dellCheck.php script that can be exploited by an unauthenticated user. When a printer is registered, the software stores the printer\u2019s host name in the variable\u202f$printer_vo-\u003estr_host_address. The code later builds a URL like \u0027http://\u003chost\u2011address\u003e:80/DevMgmt/DiscoveryTree.xml\u0027 and sends the request with curl. No validation, whitelist, or private\u2011network filtering is performed before the request is made.\u00a0Because the request is blind, an attacker cannot see the data directly, but can still: probe internal services, trigger internal actions, or gather other intelligence. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
},
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:37.646Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-08"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-blind-ssrf-via-lexmark-dellcheck-php-script"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Blind SSRF via Lexmark dellCheck.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34232",
"datePublished": "2025-09-29T20:34:00.950Z",
"dateReserved": "2025-04-15T19:15:22.575Z",
"dateUpdated": "2025-11-17T23:56:37.646Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34196 (GCVE-0-2025-34196)
Vulnerability from cvelistv5
Published
2025-09-29 19:11
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application prior to 25.1.1413 (Windows client deployments) contain a hardcoded private key for the PrinterLogic Certificate Authority (CA) and a hardcoded password in product configuration files. The Windows client ships the CA certificate and its associated private key (and other sensitive settings such as a configured password) directly in shipped configuration files (for example clientsettings.dat and defaults.ini). An attacker who obtains these files can impersonate the CA, sign arbitrary certificates trusted by the Windows client, intercept or decrypt TLS-protected communications, and otherwise perform man-in-the-middle or impersonation attacks against the product's network communications. This vulnerability has been identified by the vendor as: V-2022-001 — Configuration File Contains CA & Private Key.
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34196",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T03:55:14.128Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"PrinterInstallerClient configuration (clientsettings.dat",
"defaults.ini)"
],
"platforms": [
"Windows"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.102",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"PrinterInstallerClient configuration (clientsettings.dat",
"defaults.ini)"
],
"platforms": [
"Windows"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.1413",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.1413",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application prior to 25.1.1413 (Windows client deployments) contain a hardcoded private key for the PrinterLogic Certificate Authority (CA) and a hardcoded password in product configuration files. The Windows client ships the CA certificate and its associated private key (and other sensitive settings such as a configured password) directly in shipped configuration files (for example clientsettings.dat and defaults.ini). An attacker who obtains these files can impersonate the CA, sign arbitrary certificates trusted by the Windows client, intercept or decrypt TLS-protected communications, and otherwise perform man-in-the-middle or impersonation attacks against the product\u0027s network communications.\u0026nbsp;This vulnerability has been identified by the vendor as: V-2022-001 \u2014 Configuration File Contains CA \u0026amp; Private Key.\u003c/p\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application prior to 25.1.1413 (Windows client deployments) contain a hardcoded private key for the PrinterLogic Certificate Authority (CA) and a hardcoded password in product configuration files. The Windows client ships the CA certificate and its associated private key (and other sensitive settings such as a configured password) directly in shipped configuration files (for example clientsettings.dat and defaults.ini). An attacker who obtains these files can impersonate the CA, sign arbitrary certificates trusted by the Windows client, intercept or decrypt TLS-protected communications, and otherwise perform man-in-the-middle or impersonation attacks against the product\u0027s network communications.\u00a0This vulnerability has been identified by the vendor as: V-2022-001 \u2014 Configuration File Contains CA \u0026 Private Key."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:32.107Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#win-hardcoded-private-key"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-hardcoded-printerlogic-ca-private-key-and-hardcoded-password"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Vasion Print (formerly PrinterLogic) Hardcoded PrinterLogic CA Private Key and Hardcoded Password",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34196",
"datePublished": "2025-09-29T19:11:16.044Z",
"dateReserved": "2025-04-15T19:15:22.570Z",
"dateUpdated": "2025-11-17T23:56:32.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34191 (GCVE-0-2025-34191)
Vulnerability from cvelistv5
Published
2025-09-19 18:51
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.843 and Application prior to 20.0.1923 (macOS/Linux client deployments) contain an arbitrary file write vulnerability via the response file handling. When tasks produce output the service writes response data into files under /opt/PrinterInstallerClient/tmp/responses/ reusing the requested filename. The service follows symbolic links in the responses directory and writes as the service user (typically root), allowing a local, unprivileged user to cause the service to overwrite or create arbitrary files on the filesystem as root. This can be used to modify configuration files, replace or inject binaries or drivers, and otherwise achieve local privilege escalation and full system compromise. This vulnerability has been identified by the vendor as: V-2023-019 — Arbitrary File Write as Root.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34191",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-19T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-20T03:55:44.294Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"PrinterInstallerClient response handling (tmp/responses)"
],
"platforms": [
"MacOS",
"Linux"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "22.0.843",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"PrinterInstallerClient response handling (tmp/responses)"
],
"platforms": [
"MacOS",
"Linux"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "20.0.1923",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "22.0.843",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20.0.1923",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003cdiv\u003eVasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.843 and Application prior to 20.0.1923 (macOS/Linux client deployments) contain an arbitrary file write vulnerability via the response file handling. When tasks produce output the service writes response data into files under /opt/PrinterInstallerClient/tmp/responses/ reusing the requested filename. The service follows symbolic links in the responses directory and writes as the service user (typically root), allowing a local, unprivileged user to cause the service to overwrite or create arbitrary files on the filesystem as root. This can be used to modify configuration files, replace or inject binaries or drivers, and otherwise achieve local privilege escalation and full system compromise.\u0026nbsp;This vulnerability has been identified by the vendor as: V-2023-019 \u2014 Arbitrary File Write as Root.\u003c/div\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.843 and Application prior to 20.0.1923 (macOS/Linux client deployments) contain an arbitrary file write vulnerability via the response file handling. When tasks produce output the service writes response data into files under /opt/PrinterInstallerClient/tmp/responses/ reusing the requested filename. The service follows symbolic links in the responses directory and writes as the service user (typically root), allowing a local, unprivileged user to cause the service to overwrite or create arbitrary files on the filesystem as root. This can be used to modify configuration files, replace or inject binaries or drivers, and otherwise achieve local privilege escalation and full system compromise.\u00a0This vulnerability has been identified by the vendor as: V-2023-019 \u2014 Arbitrary File Write as Root."
}
],
"impacts": [
{
"capecId": "CAPEC-121",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-121 Exploit Non-Production Interfaces"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59 Improper Link Following",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:31.228Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#mac-arbitrary-file-write"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-arbitrary-file-write-as-root-via-response-path-symlink-follow"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Vasion Print (formerly PrinterLogic) Arbitrary File Write as Root via Response Path Symlink Follow",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34191",
"datePublished": "2025-09-19T18:51:42.645Z",
"dateReserved": "2025-04-15T19:15:22.569Z",
"dateUpdated": "2025-11-17T23:56:31.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34190 (GCVE-0-2025-34190)
Vulnerability from cvelistv5
Published
2025-09-19 18:51
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-306 - Missing Authentication for Critical Function
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application versions prior to 25.1.1413 (macOS/Linux client deployments) are vulnerable to an authentication bypass in PrinterInstallerClientService. The service requires root privileges for certain administrative operations, but these checks rely on calls to geteuid(). By preloading a malicious shared object overriding geteuid(), a local attacker can trick the service into believing it is running with root privileges. This bypass enables execution of administrative commands (e.g., enabling debug mode, managing configurations, or invoking privileged features) without proper authorization. While some actions requiring write access to protected files may still fail, the flaw effectively breaks the intended security model of the inter-process communication (IPC) system, allowing local attackers to escalate privileges and compromise system integrity. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Application |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34190",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-19T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-20T03:55:45.152Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"PrinterInstallerClientService"
],
"platforms": [
"MacOS",
"Linux"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.102",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unknown",
"modules": [
"PrinterInstallerClientService"
],
"platforms": [
"MacOS",
"Linux"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.1413",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.1413",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003eVasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application versions prior to 25.1.1413 (macOS/Linux client deployments) are vulnerable to an authentication bypass in PrinterInstallerClientService. The service requires root privileges for certain administrative operations, but these checks rely on calls to geteuid(). By preloading a malicious shared object overriding geteuid(), a local attacker can trick the service into believing it is running with root privileges. This bypass enables execution of administrative commands (e.g., enabling debug mode, managing configurations, or invoking privileged features) without proper authorization. While some actions requiring write access to protected files may still fail, the flaw effectively breaks the intended security model of the inter-process communication (IPC) system, allowing local attackers to escalate privileges and compromise system integrity.\u0026nbsp;This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application versions prior to 25.1.1413 (macOS/Linux client deployments) are vulnerable to an authentication bypass in PrinterInstallerClientService. The service requires root privileges for certain administrative operations, but these checks rely on calls to geteuid(). By preloading a malicious shared object overriding geteuid(), a local attacker can trick the service into believing it is running with root privileges. This bypass enables execution of administrative commands (e.g., enabling debug mode, managing configurations, or invoking privileged features) without proper authorization. While some actions requiring write access to protected files may still fail, the flaw effectively breaks the intended security model of the inter-process communication (IPC) system, allowing local attackers to escalate privileges and compromise system integrity.\u00a0This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:31.058Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#mac-auth-bypass-printerinstallerclientservice"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-authentication-bypass-via-ld-preload-hooking"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Vasion Print (formerly PrinterLogic) PrinterInstallerClientService Authentication Bypass via LD_PRELOAD Hooking",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34190",
"datePublished": "2025-09-19T18:51:12.091Z",
"dateReserved": "2025-04-15T19:15:22.568Z",
"dateUpdated": "2025-11-17T23:56:31.058Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34205 (GCVE-0-2025-34205)
Vulnerability from cvelistv5
Published
2025-09-19 18:50
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-561 - Dead Code
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.843 and Application prior to 20.0.1923 (VA and SaaS deployments) contains dangerous PHP dead code present in multiple Docker-hosted PHP instances. A script named /var/www/app/resetroot.php (found in several containers) lacks authentication checks and, when executed, performs a SQL update that sets the database administrator username to 'root' and its password hash to the SHA-512 hash of the string 'password'. Separately, commented-out code in /var/www/app/lib/common/oses.php would unserialize session data (unserialize($_SESSION['osdata']))—a pattern that can enable remote code execution if re-enabled or reached with attacker-controlled serialized data. An attacker able to reach the resetroot.php endpoint can trivially reset the MySQL root password and obtain full database control; combined with deserialization issues this can lead to full remote code execution and system compromise. This vulnerability has been identified by the vendor as: V-2023-003 — Dead / Insecure PHP Code.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34205",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-19T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-20T03:55:45.972Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"PHP web application components (resetroot.php)",
"session handling and legacy helper scripts"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "22.0.843",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"PHP web application components (resetroot.php)",
"session handling and legacy helper scripts"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "20.0.1923",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "22.0.843",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20.0.1923",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.843 and\u0026nbsp;Application prior to 20.0.1923 (VA and SaaS deployments) contains dangerous PHP dead code present in multiple Docker-hosted PHP instances. A script named /var/www/app/resetroot.php (found in several containers) lacks authentication checks and, when executed, performs a SQL update that sets the database administrator username to \u0027root\u0027 and its password hash to the SHA-512 hash of the string \u0027password\u0027. Separately, commented-out code in /var/www/app/lib/common/oses.php would unserialize session data (unserialize($_SESSION[\u0027osdata\u0027]))\u2014a pattern that can enable remote code execution if re-enabled or reached with attacker-controlled serialized data. An attacker able to reach the resetroot.php endpoint can trivially reset the MySQL root password and obtain full database control; combined with deserialization issues this can lead to full remote code execution and system compromise.\u0026nbsp;This vulnerability has been identified by the vendor as: V-2023-003 \u2014 Dead / Insecure PHP Code."
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.843 and\u00a0Application prior to 20.0.1923 (VA and SaaS deployments) contains dangerous PHP dead code present in multiple Docker-hosted PHP instances. A script named /var/www/app/resetroot.php (found in several containers) lacks authentication checks and, when executed, performs a SQL update that sets the database administrator username to \u0027root\u0027 and its password hash to the SHA-512 hash of the string \u0027password\u0027. Separately, commented-out code in /var/www/app/lib/common/oses.php would unserialize session data (unserialize($_SESSION[\u0027osdata\u0027]))\u2014a pattern that can enable remote code execution if re-enabled or reached with attacker-controlled serialized data. An attacker able to reach the resetroot.php endpoint can trivially reset the MySQL root password and obtain full database control; combined with deserialization issues this can lead to full remote code execution and system compromise.\u00a0This vulnerability has been identified by the vendor as: V-2023-003 \u2014 Dead / Insecure PHP Code."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-561",
"description": "CWE-561 Dead Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:33.774Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-dead-code"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-dangerous-php-dead-code-enables-rce"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Dangerous PHP Dead Code Enables RCE",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34205",
"datePublished": "2025-09-19T18:50:38.657Z",
"dateReserved": "2025-04-15T19:15:22.571Z",
"dateUpdated": "2025-11-17T23:56:33.774Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34202 (GCVE-0-2025-34202)
Vulnerability from cvelistv5
Published
2025-09-19 18:50
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-291 - Reliance on IP Address for Authentication
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 25.2.169 and Application prior to 25.2.1518 (VA and SaaS deployments) expose Docker internal networks in a way that allows an attacker on the same external L2 segment — or an attacker able to add routes using the appliance as a gateway — to reach container IPs directly. This grants access to internal services (HTTP APIs, Redis, MySQL, etc.) that are intended to be isolated inside the container network. Many of those services are accessible without authentication or are vulnerable to known exploitation chains. As a result, compromise of a single reachable endpoint or basic network access can enable lateral movement, remote code execution, data exfiltration, and full system compromise. This vulnerability has been identified by the vendor as: V-2025-003 — Insecure Access to Docker Instance from WAN.
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34202",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-19T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-20T03:55:46.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Docker networking (docker_gwbridge) and container network isolation"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.2.169",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"Docker networking (docker_gwbridge) and container network isolation"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "20.0.278625.2.1518",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.2.169",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20.0.278625.2.1518",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 25.2.169 and Application prior to 25.2.1518 (VA and SaaS deployments) expose Docker internal networks in a way that allows an attacker on the same external L2 segment \u2014 or an attacker able to add routes using the appliance as a gateway \u2014 to reach container IPs directly. This grants access to internal services (HTTP APIs, Redis, MySQL, etc.) that are intended to be isolated inside the container network. Many of those services are accessible without authentication or are vulnerable to known exploitation chains. As a result, compromise of a single reachable endpoint or basic network access can enable lateral movement, remote code execution, data exfiltration, and full system compromise.\u0026nbsp;This vulnerability has been identified by the vendor as: V-2025-003 \u2014 Insecure Access to Docker Instance from WAN.\u003c/p\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 25.2.169 and Application prior to 25.2.1518 (VA and SaaS deployments) expose Docker internal networks in a way that allows an attacker on the same external L2 segment \u2014 or an attacker able to add routes using the appliance as a gateway \u2014 to reach container IPs directly. This grants access to internal services (HTTP APIs, Redis, MySQL, etc.) that are intended to be isolated inside the container network. Many of those services are accessible without authentication or are vulnerable to known exploitation chains. As a result, compromise of a single reachable endpoint or basic network access can enable lateral movement, remote code execution, data exfiltration, and full system compromise.\u00a0This vulnerability has been identified by the vendor as: V-2025-003 \u2014 Insecure Access to Docker Instance from WAN."
}
],
"impacts": [
{
"capecId": "CAPEC-121",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-121 Exploit Non-Production Interfaces"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-291",
"description": "CWE-291 Reliance on IP Address for Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:33.277Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-insecure-access-docker-instances-from-wan"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-insecure-access-to-docker-instances-wan"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Insecure Access to Docker Instances WAN",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34202",
"datePublished": "2025-09-19T18:50:09.021Z",
"dateReserved": "2025-04-15T19:15:22.570Z",
"dateUpdated": "2025-11-17T23:56:33.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34189 (GCVE-0-2025-34189)
Vulnerability from cvelistv5
Published
2025-09-19 18:49
Modified
2025-11-17 23:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 1.0.735 and Application versions prior to 20.0.1330 (macOS/Linux client deployments) contain a vulnerability in the local inter-process communication (IPC) mechanism. The software stores IPC request and response files inside /opt/PrinterInstallerClient/tmp with world-readable and world-writable permissions. Any local user can craft malicious request files that are processed by privileged daemons, leading to unauthorized actions being executed in other user sessions. This breaks user session isolation, potentially allowing local attackers to hijack sessions, perform unintended actions in the context of other users, and impact system integrity and availability. This vulnerability has been identified by the vendor as: V-2022-004 — Client Inter-process Security.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Version: * ≤ |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34189",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-19T20:10:49.574477Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T20:11:00.949Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"PrinterInstallerClient local IPC service"
],
"platforms": [
"MacOS",
"Linux"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "1.0.735",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"PrinterInstallerClient local IPC service"
],
"platforms": [
"MacOS",
"Linux"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "20.0.1330",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.0.735",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20.0.1330",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 1.0.735 and Application versions prior to 20.0.1330 (macOS/Linux client deployments) contain a vulnerability in the local inter-process communication (IPC) mechanism. The software stores IPC request and response files inside /opt/PrinterInstallerClient/tmp with world-readable and world-writable permissions. Any local user can craft malicious request files that are processed by privileged daemons, leading to unauthorized actions being executed in other user sessions. This breaks user session isolation, potentially allowing local attackers to hijack sessions, perform unintended actions in the context of other users, and impact system integrity and availability.\u0026nbsp;\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eThis vulnerability has been identified by the vendor as:\u0026nbsp;\u003c/span\u003eV-2022-004 \u2014 Client Inter-process Security."
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 1.0.735 and Application versions prior to 20.0.1330 (macOS/Linux client deployments) contain a vulnerability in the local inter-process communication (IPC) mechanism. The software stores IPC request and response files inside /opt/PrinterInstallerClient/tmp with world-readable and world-writable permissions. Any local user can craft malicious request files that are processed by privileged daemons, leading to unauthorized actions being executed in other user sessions. This breaks user session isolation, potentially allowing local attackers to hijack sessions, perform unintended actions in the context of other users, and impact system integrity and availability.\u00a0This vulnerability has been identified by the vendor as:\u00a0V-2022-004 \u2014 Client Inter-process Security."
}
],
"impacts": [
{
"capecId": "CAPEC-639",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-639 Probe System Files"
}
]
},
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:30.897Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#mac-lack-auth-communication"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-insecure-interprocess-communication"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Vasion Print (formerly PrinterLogic) Insecure Inter-Process Communication Allows Local Session Hijacking",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34189",
"datePublished": "2025-09-19T18:49:29.691Z",
"dateReserved": "2025-04-15T19:15:22.568Z",
"dateUpdated": "2025-11-17T23:56:30.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}