CRITICAL🇵🇱 Wersja polska

CVE-2025-34216

CVSS 10.0v4.0pub. 2025-09-29upd. 2025-10-09

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1026 and Application prior to version 20.0.2702 (VA deployments only) expose a set of unauthenticated REST API endpoints that return configuration files and clear‑text passwords. The same endpoints also disclose the Laravel APP_KEY used for cryptographic signing. Because the APP_KEY is required to generate valid signed requests, an attacker who obtains it can craft malicious payloads that are accepted by the application and achieve remote code execution on the appliance. This vulnerability has been identified by the vendor as: V-2024-018 — RCE & Leaks via API.

🤖 AI Analysis
How it works

Unauthenticated REST API endpoints expose configuration files containing passwords in clear-text (CWE-312) without requiring any authentication (CWE-306). Among the disclosed data is the Laravel APP_KEY, which is used for cryptographic signing of requests in the application. An attacker who obtains this key can create malicious, properly signed payloads that the application will recognize as legitimate and execute, leading to remote code execution on the Virtual Appliance device.

Impact

An attacker without any authentication can gain full control over the Virtual Appliance device through RCE, as well as obtain all passwords and configuration data stored in the system. Compromise of the print management system can lead to takeover of control over the printing infrastructure of the entire organization and lateral movement in the internal network.

Mitigation & patch

The Virtual Appliance Host must be immediately updated to version 22.0.1026 or later and the Virtual Appliance Application to version 20.0.2702 or later. Until the update is applied, consider restricting network access to the device's REST API endpoints only to trusted hosts using firewall rules. Details are available in the vendor's security bulletins at help.printerlogic.com.

Who is affected

Vasion Print (formerly PrinterLogic) Virtual Appliance Host in versions prior to 22.0.1026 and Virtual Appliance Application in versions prior to 20.0.2702 — only VA (Virtual Appliance) deployments.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Vasion Virtual Appliance Application

    APP
    Vasion
    < 20.0.2702
  • Vasion Virtual Appliance Host

    APP
    Vasion
    < 22.0.1026
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-34210CRITICAL9.4PL ✓ten sam produkt

Vasion Print Virtual Appliance — hasła w plikach plaintext dostępnych dla wszystkich

CVE-2025-34217CRITICAL10.0PL ✓ten sam produkt

Vasion Print: hardcoded SSH key umożliwiający root access do appliance

CVE-2025-34211CRITICAL9.3PL ✓ten sam produkt

Vasion Print: hardcoded klucz prywatny SSL we wszystkich instancjach

CVE-2025-34209CRITICAL9.4PL ✓ten sam produkt

Hardcoded klucz prywatny GPG w Vasion Print Virtual Appliance

CVE-2025-34196CRITICAL9.3PL ✓ten sam produkt

Vasion Print: hardcoded klucz prywatny CA i hasło w plikach konfiguracyjnych