CVE-2025-34215

Summary

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1026 and Application prior to version 20.0.2702 (only VA deployments) expose an unauthenticated firmware-upload flow: a public page returns a signed token usable at va-api/v1/update, and every Docker image contains the appliance’s private GPG key and hard-coded passphrase. An attacker who extracts the key and obtains a token can decrypt, modify, re-sign, upload, and trigger malicious firmware, gaining remote code execution. This vulnerability has been identified by the vendor as: V-2024-020 — Remote Code Execution.

Affected Software

VendorProductVersion RangeStatus
VasionPrint Virtual Appliance Host0 < 22.0.1026affected
VasionPrint Application0 < 20.0.2702affected

Weaknesses

  • CWE-306: CWE-306 Missing Authentication for Critical Function
  • CWE-321: CWE-321 Use of Hard-coded Cryptographic Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

References